Hello, Android phone (galaxy S) with cyanogenmod and the improvements described here:
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

At first I thought it might have been a firewall problem, but I disabled the firewall and I still couldn't connect. With the firewall on, I added these rules:

================== firewall-allow-radicale.sh ==================
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables

DAVDROID_UID=`dumpsys package at.bitfire.davdroid | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
CALENDAR_UID=`dumpsys package com.android.calendar | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
# This returns the UID twice. Needs fixing.
# CONTACTS_UID=`dumpsys package com.android.contacts | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
CONTACTS_UID=10001
TASKS_UID=`dumpsys package org.dmfs.tasks | grep userId | cut -d= -f2 - | cut -d' ' -f1 -`
SAFE_NETWORK=192.168.1.0/24

# Allow DAVdroid/radicale and all apps that use it (port 5232)
$IPTABLES -I INPUT-firewall -s $SAFE_NETWORK -p tcp --dport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $DAVDROID_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $CALENDAR_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $CONTACTS_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $TASKS_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN

# Remove transproxy for radicale output
$IPTABLES -t nat -I OUTPUT -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j ACCEPT
===================

which are variations of the ones used for adb/shell (and those work just fine.) I still can't connect. Did I screw up something in these firewall rules?

This is what shows up on the log:

=================== Android log ====================
2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Finding initial carddav service configuration
2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-28 20:33:55 2 [HttpClient$1] --> PROPFIND https://192.168.1.27/radicale/<user>/ http/1.1
2017-01-28 20:33:55 2 [HttpClient$1] Content-Type: application/xml; charset=utf-8
2017-01-28 20:33:55 2 [HttpClient$1] Content-Length: 290
2017-01-28 20:33:55 2 [HttpClient$1] Depth: 0
2017-01-28 20:33:55 2 [HttpClient$1]
2017-01-28 20:33:55 2 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
2017-01-28 20:33:55 2 [HttpClient$1] --> END PROPFIND (290-byte body)
2017-01-28 20:33:55 2 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLException: Connection closed by peer
2017-01-28 20:33:55 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
EXCEPTION javax.net.ssl.SSLException: Connection closed by peer
===================

Even though it says "Connection closed by peer" I see no log entry on the FreedomBox about radicale being accessed. I have configured Korganizer and Kaddressbook on a Debian machine and when those sync up with the FreedomBox I do see an entry. This seems to imply that the problem happens before radicale sees any packets.

This is what Davdroid says:

    Configuration detection
    Couldn't find CalDAV or CardDAV service.

If I disable the android firewall I get this:

=================== Android log ====================
2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] Finding initial carddav service configuration
2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-29 16:59:14 2 [HttpClient$1] --> PROPFIND https://192.168.1.27/radicale/<user>/ http/1.1
2017-01-29 16:59:14 2 [HttpClient$1] Content-Type: application/xml; charset=utf-8
2017-01-29 16:59:14 2 [HttpClient$1] Content-Length: 290
2017-01-29 16:59:14 2 [HttpClient$1] Depth: 0
2017-01-29 16:59:14 2 [HttpClient$1]
2017-01-29 16:59:14 2 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
2017-01-29 16:59:14 2 [HttpClient$1] --> END PROPFIND (290-byte body)
2017-01-29 16:59:14 2 [HttpClient$1] <-- HTTP FAILED: java.net.ConnectException: Failed to connect to /192.168.1.27:443
2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
EXCEPTION java.net.ConnectException: Failed to connect to /192.168.1.27:443
===================

After the above lines, there is a voluminous traceback that I can provide if needed.

For now I'm trying to do this from the internal network, on the inside interface. The android phone, when connected through wifi to the internal network works fine and can access the internet. The file of iptable rules firewall-allow-nontor-browser.sh is installed, so trying to access port 443 on the local network should not be a problem.

Can anyone shed some light on this? Any idea as to where to look/what to do? Thanks.

Augustine

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
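
A check that can be run over the material quoted in the message above, as an added example that is not part of the original post: it compares the TCP ports the DAVdroid log shows the client using with the ports named in the firewall rule file. The function names and the abridged sample input are constructed here.

```shell
#!/bin/sh
# Constructed sample input, abridged from the log and rules quoted in the post.
SAMPLE_LOG='2017-01-29 16:59:14 2 [ui.setup.DavResourceFinder] Checking user-given URL: https://192.168.1.27/radicale/<user>/
2017-01-29 16:59:14 2 [HttpClient$1] <-- HTTP FAILED: java.net.ConnectException: Failed to connect to /192.168.1.27:443'
SAMPLE_RULES='# Allow DAVdroid/radicale and all apps that use it (port 5232)
$IPTABLES -I INPUT-firewall -s $SAFE_NETWORK -p tcp --dport 5232 -j RETURN
$IPTABLES -I droidwall -m owner --uid-owner $DAVDROID_UID -d $SAFE_NETWORK -m conntrack --ctstate ESTABLISHED -p tcp --sport 5232 -j RETURN'

# Ports the client tried, read from a DAVdroid log on stdin: an explicit
# ":port" in the URL or the ConnectException line, otherwise the scheme
# default (443 for https, 80 for http).
log_ports() {
    sed -n \
        -e 's|.*Failed to connect to /[0-9.]*:\([0-9][0-9]*\).*|\1|p' \
        -e 's|.*URL: https\{0,1\}://[^/:]*:\([0-9][0-9]*\).*|\1|p' \
        -e 's|.*URL: https://[^/:]*/.*|443|p' \
        -e 's|.*URL: http://[^/:]*/.*|80|p' | sort -un
}

# Ports named by --dport/--sport in an iptables rule file on stdin,
# ignoring comment lines.
rule_ports() {
    grep -v '^[[:space:]]*#' \
        | grep -oE -e '--(dport|sport) [0-9]+' \
        | awk '{print $2}' | sort -un
}

# Ports seen in the log ($1) that no rule in the rule text ($2) mentions.
uncovered_ports() {
    allowed=$(printf '%s\n' "$2" | rule_ports)
    for p in $(printf '%s\n' "$1" | log_ports); do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "$p"
    done
}

uncovered_ports "$SAMPLE_LOG" "$SAMPLE_RULES"
```

On the quoted material this reports 443: the URL in the log carries no explicit port, so the client uses the https default, while the rule file names only 5232.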