[Freedombox-discuss] Cannot connect to radicale from phones after installing new image.

Mon Dec 20 19:39:14 GMT 2021

On Mon, Dec 20, 2021 at 04:29:07PM +0100, Diederik de Haas wrote:
> On Monday, 20 December 2021 04:02:52 CET A. F. Cano wrote:
> > This used to work with the old image (testing), but then I created a new
> > image (stable).
> 
> Just to clarify/verify: what worked with the *newer* software stack doesn't 
> work with the *older* software stack?

Not sure what changed when, but while I was running the testing image
the changes to the addressbook and calendar would propagate to the
phones.  Then that testing image started developing one problem after
another (unrelated to radicale) and I decided to burn a new image, this
time of the stable variety, and I re-installed and configured a minimal
set of apps.  Then the changes would not propagate to the phones any more.
When I tried to figure out why, I found the errors described previously.

There have been upgrades since I switched images, but I had the problem
starting with the change.

> Your android version (4.2.2) is quite dated and may not support or be 
> supported by newer software stacks (as insecure ones get disabled).

Interestingly, this shows up in the ssllabs.com report:

Not simulated clients (Protocol mismatch)
...
Android 4.2.2	Protocol mismatch (not simulated)

What are the implications of a protocol mismatch? is it possible to
tweak the FreedomBox to handle this protocol?

> So logically speaking, it is more expected that things stop working for you 
> when upgrading to newer versions, so your situation seems odd.

Maybe it was some upgrade that happened between the use of the testing
version and when I installed the stable version.  In any case, since I
checked the recommended box to use frequent updates, it appears that the
differences between the testing and the stable versions are not that
divergent.

Or maybe it was something else.  To make sure that it wasn't some
leftover setting from the old image, I told both phones to ignore/clear
old certificates, but that didn't make any difference.

> At https://www.ssllabs.com/ssltest/ you can test the security of your server/

This was quite enlightening! Thanks!  Kudos to the FreedomBox developers.
It gets an A+.  The only failures are windows phone and safari.  Not
surprising.  Death to proprietary protocols!

> freedombox (if connected to the internet) and IIRC it should also show which 
> SSL/TLS protocols are supported and how/if that's supported by Android version 
TLS 1.2 and 1.3.

> X and Y. That may provide some useful info.

Indeed!  Thsnks.  I wonder if it's possible to figure out what changed
between the working testing version and the non-working stable version.

And what is the android 4.2.2 protocol that apparently was working and
is no longer, that was not simulated.

I have checked /var/log/uwsgi/app/radicale.log (on the FreedomBox) but
there is nothing there from the phone IPs.
/var/log/radicale/radicale.log (as well as all the older ones (1-5.gz)
is empty.  There is no mention of any connection from the sub-net
where the phones are in /var/log/apache2/access.log.  Plenty of radicale
entries though from the kde machines.  Apparently the
SSLHandshakeException prevents it from going that far.

> 
> Cheers,
>   Diederik

Thanks again!

Augustine