Not possible to create new CardDAV addressbook with digest authentication

Cardbook for Thunderbird Forums Main Forum Not possible to create new CardDAV addressbook with digest authentication

Tagged: 

This topic contains 25 replies, has 5 voices, and was last updated by  adam 1 week, 1 day ago.

  • Author
    Posts
  • #662

    iSchulze
    Participant

    Hi!

    I have been using Cardbook from it’s release on and I’m absolutely happy that it’s possible to sync my addressbooks via CardDAV. Thanks very much.

    Since the last Thunderbird update (now version 52.1.1) I have some problems with TB (Ubuntu 16.04.2 64Bit), several addons are not working anymore. Cardbook is working, but it’s not possible to add a new CardDAV addressbook – after entering username and password and clicking “check” it says “checking failed”. Here’s the debug log:

    2017.05.20 11:15:26:020 : Validation module: Überprüfe ohne Suchauftrag auf https://davy.fuchs-nas.de/addressbooks/rschulze/default/ …
    2017.05.20 11:15:26:026 : Validation module : debug mode : method : (new String("PROPFIND"))
    2017.05.20 11:15:26:026 : Validation module : debug mode : body : (new String("<!--?xml version=\"1.0\" encoding=\"utf-8\"?-->"))
    2017.05.20 11:15:26:026 : Validation module : debug mode : headers : (new String("({depth:\"1\", 'content-type':\"application/xml; charset=utf-8\", 'X-client':\"CardBook (Thunderbird)\", 'User-Agent':\"Thunderbird\", Authorization:\"Basic cnNjaHVsemU6M21RZGhWfik2IyslWXtxJg==\"})"))
    2017.05.20 11:15:26:026 : Validation module : debug mode : username : (new String("rschulze"))
    2017.05.20 11:15:26:026 : Validation module : debug mode : url : (new String("https://davy.fuchs-nas.de/addressbooks/rschulze/default/"))
    2017.05.20 11:15:26:214 : Validation module : debug mode : response text : (new String("<!--?xml version=\"1.0\" encoding=\"utf-8\"?-->\n\n 3.2.2\n Sabre\\DAV\\Exception\\NotAuthenticated\n No 'Authorization: Digest' header found. Either the client didn't send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on addressbooks/rschulze/default\n\n"))
    2017.05.20 11:15:26:214 : Validation module : debug mode : response code : (new Number(401))
    2017.05.20 11:15:26:217 : Validation module: Synchronisation fehlgeschlagen (Schritt: validateWithoutDiscovery, URL: https://davy.fuchs-nas.de/addressbooks/rschulze/default/, Status: 401)
    2017.05.20 11:15:27:028 : Validation module : debug mode : cardbookRepository.cardbookServerDiscoveryRequest : (new Number(1))
    2017.05.20 11:15:27:030 : Validation module : debug mode : cardbookRepository.cardbookServerDiscoveryResponse : (new Number(1))
    2017.05.20 11:15:27:031 : Validation module : debug mode : cardbookRepository.cardbookServerDiscoveryError : (new Number(1))
    2017.05.20 11:15:27:031 : Validation module : debug mode : cardbookRepository.cardbookServerValidation : ({'https://davy.fuchs-nas.de':[]})

    I’m able to use the earlier configured addressbook and the synchronisation works well, but to add a new one leads to this problem.

    Thanks for any help! 🙂

    iSchulze

    • This topic was modified 8 months, 3 weeks ago by  CardBook.
  • #663

    TraderJoe
    Participant

    Hi,

    I’ve encountered the same problem on my PC. I am running Windows 10 (64 bit), Thunderbird 52.1.1 (32 bit).

    I can’t add a new addressbook, too, the process fails with response code 401.

    Additionally, my other (already configured) addressbooks aren’t able to synchronize with the server anymore. Here I also get error 401.

    The CardDAV server we are both using only supports HTTP Digest authentication for security reasons (no basic auth).

    Thanks for your help!

    TraderJoe

  • #664

    iSchulze
    Participant

    Update: As TraderJoe mentioned that his addressbooks aren’t able to synchronize with the server anymore I double checked – he’s right. There is no error message, but Error 401. Hopefully, this Digest auth issue can be solved soon! 🙂

    iSchulze

  • #668

    CardBook
    Keymaster

    Hi all

    sorry for the delay : this is due to digest authentication, which CardBook does not support… as far as I’ve understood, the digest authentication does not add security compared to an https + basic authentication… for the moment this is planned to support it into CardBook…

    but what I do not understand is that I’ve never supported it…

  • #669

    iSchulze
    Participant

    Thanks for your reply. The strange thing is: It worked with the previous version – but it also was another Thunderbird version. Could Thunderbird have dropped a security libary Cardbook used?

  • #670

    CardBook
    Keymaster

    CardBook uses the standard API nsIXMLHttpRequest… don’t really know, but there are at least another bug with Thundebird 52 (a CSS bug hidding some CardBook icons) that was corrected in Thunderbird 53…

    may you try the Thunderbird 53 ?

  • #671

    iSchulze
    Participant

    I’ve tried the latest TB beta right now (54.0b1, 64-Bit on Ubuntu 16.04.2 LTS), but the same issue: Error 401…

  • #672

    CardBook
    Keymaster

    seems not to have an easy solution : may you change your server settings to use a Basic authentication ? (as far as I’ve understood https + Basic are not really far from https + Digest)

  • #673

    TraderJoe
    Participant

    I’m on it. I’ll write a small extension for our server application to support basic auth.

  • #674

    TraderJoe
    Participant

    Creating a basic auth plugin solved the issue for now (like expected) but I am still looking forward to CardBook supporting digest auth.

    Thanks for your help!

    TraderJoe

  • #1454

    hobble-frank
    Participant

    Hey I have still the same issue. Are there any Updates on that topic ?

  • #1455

    CardBook
    Keymaster

    no yet sorry… this is something I hope to do soon…

  • #1475

    CardBook
    Keymaster

    in fact I need a test account somewhere to test a digest authentication…

  • #1478

    hobble-frank
    Participant

    hi, the easiest way would probably to install youself the lightweight webdav server sabredav to test it. It’s done in 5 Minutes. the PDO authBackend is an digestAuth example implementation. You can find a (german) example how to set up the server here https://www.ohnekontur.de/2012/01/05/sabredav-kalender-und-kontakte-in-sync-mit-caldav-und-carddav/

    Hope this will help. And thanks for your work.

    Pascal

  • #1578

    hobble-frank
    Participant

    Hey Philippe,

    could you figure something out ?

    Best

    Pascal

  • #1579

    CardBook
    Keymaster

    no tried… haven’t had time…

  • #1658

    iSchulze
    Participant

    I would be willing to serve with a test account on my server which supports digest auth – but since I won’t be able to use Cardbook then it’d be helpful to know when you exactly need it, so that I could turn it on for that day and switch back to basic auth when you’re done. Just let me know (I’ll get notifications on this topic in future).

  • #1662

    CardBook
    Keymaster

    possible to enable digest auth this friday (tomorrow) ?

  • #1670

    iSchulze
    Participant

    Sure – I’ll create a test account and enable the digest auth tonight. I’ll write an update here as soon as it’s done.

  • #1679

    iSchulze
    Participant

    Digest auth is now enabled on the following server:

    https://davy.fuchs-nas.de
    u: test p: testuser-180208

    CardDAV Sync should work with the following path:
    URL: https://davy.fuchs-nas.de/addressbooks/test/default/

    Please let me know if you need more help.

    Thanks a million! Looking forward to your solution.

  • #1688

    iSchulze
    Participant

    I’ve now disabled digest and the testuser. I hope it helped! Looking forward to hear what you’ve figured out.

  • #1689

    CardBook
    Keymaster

    Hi

    yes this helped, but I’m stuck because I haven’t understood what is the cnonce term in the response I should send (the english wikipedia was poor on this)… did the digest authentication work with Lightning ?

     

     

  • #1690

    hobble-frank
    Participant

    Hey,

    nice to hear you are working on that issue 🙂

    Digest authentication works fine with Lightning for my SetUp.

    Thanks a lot

  • #1691

    TraderJoe
    Participant

    Hi all,

    as far as I understand digest authentication, the cnonce response field should contain a random number generated by the client, which must not (or at least should not) be used more than one time. The number is than hashed into the auth response. For directions, refer to the english wiki article about digest auth (the qop directive value should usually be “auth”). The usage of this (client-side) random nonce binds the authentication process to the specific pair of server/client and helps mitigate chosen-plaintext attacks.

    Hope, this clears things up a little.

  • #1692

    CardBook
    Keymaster

    what I can’t understand is why Lightning doesn’t make this mess to get digest working… will ask Philipp Kewish…

  • #1699

    adam
    Participant

    I am afraid that the problem with Digest auth may be caused by the CardBook extension itself. The _getCredentials function in cardbookWebDAV.js seems to specifically enforce Basic auth. I guess that a possibility for Digest auth (e.g. based on some user settings) would need to be specified there.

You must be logged in to reply to this topic.