I configured Apache to do Digest Auth (as opposed to Basic Auth). SyncEvolution, however, does not seem to be able to handle that as it can't log in: First ERROR encountered: child process failed: error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge The server complains: "Digest: client used wrong authentication scheme `Basic'". There seem to be patches on meego: http://meego.gitorious.org/~gabrielschulhof/meego-middleware/gabrielschulhof-syncevolution/commit/8ded5225ecc3d518b3edbcbf92e893ff27912eef but I don't know whether that is relevant. The search engine of my least mistrust doesn't result anything useful for ``syncevolution "client used wrong authentication"'' so I reported this bug. I expected to be able to log in my HTTP DigestAuth protected area to sync via CalDAV.
I just tried with syncevolution-bundle and syncevolution-evolution from the syncevolution apt repository which provided SyncEvolution 1.3.1 It's still an issue. Note that wget can log in fine.
Can you run SYNCEVOLUTION_DEBUG=1 syncevolution --daemon=no loglevel=4 <your operation> and attach the output? I think I know what is going on: - SyncEvolution proactively sends Basic authentication, to avoid extra round-trips if the server accepts that. - The server sends a permanent error, instead of asking for some other way of authentication. - SyncEvolution (or rather, libneon) gives up. What kind of CalDAV server do you run? And how did you change the configuration to enforce Digest Auth.
I just made Apache enforce digest auth, i.e. http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html Sending Basic Auth proactively is not very nice, because you blow the password in plain text into the Internet. And in fact I tried setting up Digest Auth primarily to prevent my credentials being posted as plaintext. >- The server sends a permanent error, instead of > asking for some other way of authentication. hm. The logs indicate the server returning a 401 Authorization needed along with a WWW-Authenticate header, as opposed to a 403. So if I read the logs correctly and got the semantics of HTTP right, then I think your hypothesis is wrong. FWIW: These are the server logs: ==> error_log <== [Sun Oct 21 22:38:59 2012] [error] [client ] Digest: client used wrong authentication scheme `Basic': /muelli/test/ ==> access_log <== - - [21/Oct/2012:22:38:59 +0200] "PROPFIND muelli/test/ HTTP/1.1" 401 476 "-" "-" - - [21/Oct/2012:22:38:59 +0200] "PROPFIND muelli/test/ HTTP/1.1" 401 476 "-" "-" And the stderr of syncevolution: QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave. [DEBUG 00:00:00] So 2012-10-21 20:38:57 UTC = 22:38 +0200 CEST [DEBUG 00:00:00] CreateContext SyncEvolution// => 0 [DEBUG 00:00:00] Module_Capabilities: [DEBUG 00:00:00] PLATFORM:Linux [DEBUG 00:00:00] DLL:true [DEBUG 00:00:00] MINVERSION:V1.0.6.0 [DEBUG 00:00:00] MANUFACTURER:SyncEvolution [DEBUG 00:00:00] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG 00:00:00] plugin_datastore_str:no [DEBUG 00:00:00] plugin_datastore_key:yes [DEBUG 00:00:00] ITEM_AS_KEY:yes [DEBUG 00:00:00] plugin_datablob:no [DEBUG 00:00:00] Module_PluginParams [DEBUG 00:00:00] Engine=01090100 [DEBUG 00:00:00] [DEVELOPER 00:00:00] SyncML server account: [DEVELOPER 00:00:00] client: SyncEvolution 1.3.1 for workstation [DEVELOPER 00:00:00] device ID: syncevolution-3343840e-41d6-45b4-90d5-71e1e11744a1 [DEVELOPER 00:00:00] using libedataserver-1.2.so.15 [DEVELOPER 00:00:00] using libebook-1.2.so.12 [DEVELOPER 00:00:00] using libebook-1.2.so.12 [DEVELOPER 00:00:00] e_contact_inline_local_photos not found [DEVELOPER 00:00:00] using libecal-1.2.so.10 [DEVELOPER 00:00:00] using libecal-1.2.so.10 [DEVELOPER 00:00:00] using libbluetooth.so.3 [DEVELOPER 00:00:00] sdp_extract_pdu_safe not found [DEVELOPER 00:00:00] sdp_extract_seqtype_safe not found [DEVELOPER 00:00:00] Scanning backend libraries in /usr/lib/syncevolution/backends/ [DEVELOPER 00:00:00] Loading backend library syncecal.so [DEVELOPER 00:00:00] Loading backend library syncxmlrpc.so [DEVELOPER 00:00:00] Loading backend library syncfile.so [DEVELOPER 00:00:00] Loading backend library syncsqlite.so [DEVELOPER 00:00:00] Loading backend library syncaddressbook.so [DEVELOPER 00:00:00] Loading backend library syncdav.so [DEVELOPER 00:00:00] Loading backend library platformkde.so [DEVELOPER 00:00:00] Loading backend library syncmaemocal.so [DEVELOPER 00:00:00] Loading backend library syncqtcontacts.so [DEVELOPER 00:00:00] Loading backend library synckcalextended.so [DEVELOPER 00:00:00] Loading backend library platformgnome.so [DEVELOPER 00:00:00] Loading backend library syncakonadi.sofailed libakonadi-kde.so.4: cannot open shared object file: No such file or directory [DEVELOPER 00:00:00] Loading backend library syncebook.so [INFO 00:00:00] @default/addressbook: inactive [INFO 00:00:00] @default/calendar: inactive [INFO 00:00:00] @default/memo: inactive [INFO 00:00:00] @default/todo: inactive [DEBUG 00:00:00] checking sync password syncURL [DEBUG 00:00:00] checking sync password username [DEBUG 00:00:00] checking sync password password [DEBUG 00:00:00] checking sync password logdir [DEBUG 00:00:00] checking sync password loglevel [DEBUG 00:00:00] checking sync password notifyLevel [DEBUG 00:00:00] checking sync password printChanges [DEBUG 00:00:00] checking sync password dumpData [DEBUG 00:00:00] checking sync password maxlogdirs [DEBUG 00:00:00] checking sync password autoSync [DEBUG 00:00:00] checking sync password autoSyncInterval [DEBUG 00:00:00] checking sync password autoSyncDelay [DEBUG 00:00:00] checking sync password preventSlowSync [DEBUG 00:00:00] checking sync password useProxy [DEBUG 00:00:00] checking sync password proxyHost [DEBUG 00:00:00] checking sync password proxyUsername [DEBUG 00:00:00] checking sync password proxyPassword [DEBUG 00:00:00] checking sync password clientAuthType [DEBUG 00:00:00] checking sync password RetryDuration [DEBUG 00:00:00] checking sync password RetryInterval [DEBUG 00:00:00] checking sync password remoteIdentifier [DEBUG 00:00:00] checking sync password PeerIsClient [DEBUG 00:00:00] checking sync password SyncMLVersion [DEBUG 00:00:00] checking sync password PeerName [DEBUG 00:00:00] checking sync password deviceId [DEBUG 00:00:00] checking sync password remoteDeviceId [DEBUG 00:00:00] checking sync password enableWBXML [DEBUG 00:00:00] checking sync password enableRefreshSync [DEBUG 00:00:00] checking sync password maxMsgSize [DEBUG 00:00:00] checking sync password maxObjSize [DEBUG 00:00:00] checking sync password SSLServerCertificates [DEBUG 00:00:00] checking sync password SSLVerifyServer [DEBUG 00:00:00] checking sync password SSLVerifyHost [DEBUG 00:00:00] checking sync password WebURL [DEBUG 00:00:00] checking sync password IconURI [DEBUG 00:00:00] checking sync password ConsumerReady [DEBUG 00:00:00] checking sync password peerType [DEBUG 00:00:00] checking sync password HashCode [DEBUG 00:00:00] checking sync password ConfigDate [DEBUG 00:00:00] checking sync password lastNonce [DEBUG 00:00:00] checking sync password deviceData [DEBUG 00:00:00] checking sync password defaultPeer [DEBUG 00:00:00] checking sync password keyring [DEBUG 00:00:00] checking sync password webDAVCredentialsOkay [DEBUG 00:00:00] checking source calendar-test password sync [DEBUG 00:00:00] checking source calendar-test password uri [DEBUG 00:00:00] checking source calendar-test password backend [DEBUG 00:00:00] checking source calendar-test password syncFormat [DEBUG 00:00:00] checking source calendar-test password forceSyncFormat [DEBUG 00:00:00] checking source calendar-test password database [DEBUG 00:00:00] checking source calendar-test password databaseFormat [DEBUG 00:00:00] checking source calendar-test password databaseUser [DEBUG 00:00:00] checking source calendar-test password databasePassword [DEBUG 00:00:00] checking source calendar-test password adminData [DEBUG 00:00:00] checking source calendar-test password synthesisID [DEBUG 00:00:00] sync is starting, catch signals [DEBUG 00:00:00] SuspendFlags: (re)activating, currently inactive [DEBUG 00:00:00] SuspendFlags: activating signal handler(s) with fds 10->9 [DEBUG 00:00:00] SuspendFlags: catch SIGINT [DEBUG 00:00:00] SuspendFlags: catch SIGTERM [DEBUG 00:00:00] ready to sync [DEBUG 00:00:00] Module_DeleteContext 'session' [DEBUG 00:00:00] CreateContext SyncEvolution// => 0 [DEBUG 00:00:00] Module_Capabilities: [DEBUG 00:00:00] PLATFORM:Linux [DEBUG 00:00:00] DLL:true [DEBUG 00:00:00] MINVERSION:V1.0.6.0 [DEBUG 00:00:00] MANUFACTURER:SyncEvolution [DEBUG 00:00:00] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG 00:00:00] plugin_datastore_str:no [DEBUG 00:00:00] plugin_datastore_key:yes [DEBUG 00:00:00] ITEM_AS_KEY:yes [DEBUG 00:00:00] plugin_datablob:no [DEBUG 00:00:00] Module_PluginParams [DEBUG 00:00:00] Engine=01090100 [DEBUG 00:00:00] [DEBUG 00:00:00] CreateContext SyncEvolution//calendar-test => 0 [DEBUG 00:00:00] Module_Version = 01090100 [DEBUG 00:00:00] Module_Capabilities: [DEBUG 00:00:00] PLATFORM:Linux [DEBUG 00:00:00] DLL:true [DEBUG 00:00:00] MINVERSION:V1.0.6.0 [DEBUG 00:00:00] MANUFACTURER:SyncEvolution [DEBUG 00:00:00] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG 00:00:00] plugin_datastore_str:no [DEBUG 00:00:00] plugin_datastore_key:yes [DEBUG 00:00:00] ITEM_AS_KEY:yes [DEBUG 00:00:00] plugin_datablob:yes [DEBUG 00:00:00] plugin_datastoreadmin:yes [DEBUG 00:00:00] @default/calendar-test: Module_PluginParams [DEBUG 00:00:00] @default/calendar-test: Engine=01090100 [DEBUG 00:00:00] @default/calendar-test: [DEBUG 00:00:00] Module_Capabilities: [DEBUG 00:00:00] PLATFORM:Linux [DEBUG 00:00:00] DLL:true [DEBUG 00:00:00] MINVERSION:V1.0.6.0 [DEBUG 00:00:00] MANUFACTURER:SyncEvolution [DEBUG 00:00:00] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG 00:00:00] plugin_datastore_str:no [DEBUG 00:00:00] plugin_datastore_key:yes [DEBUG 00:00:00] ITEM_AS_KEY:yes [DEBUG 00:00:00] plugin_datablob:yes [DEBUG 00:00:00] plugin_datastoreadmin:yes [DEBUG 00:00:00] CreateContext SyncEvolution//calendar-test => 0 [DEBUG 00:00:00] Module_Version = 01090100 [DEBUG 00:00:00] Module_Capabilities: [DEBUG 00:00:00] PLATFORM:Linux [DEBUG 00:00:00] DLL:true [DEBUG 00:00:00] MINVERSION:V1.0.6.0 [DEBUG 00:00:00] MANUFACTURER:SyncEvolution [DEBUG 00:00:00] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG 00:00:00] plugin_datastore_str:no [DEBUG 00:00:00] plugin_datastore_key:yes [DEBUG 00:00:00] ITEM_AS_KEY:yes [DEBUG 00:00:00] plugin_datablob:yes [DEBUG 00:00:00] plugin_datastoreadmin:yes [DEBUG 00:00:00] @default/calendar-test: Module_PluginParams [DEBUG 00:00:00] @default/calendar-test: Engine=01090100 [DEBUG 00:00:00] @default/calendar-test: [DEBUG 00:00:00] ForkExecParent: preparing for child process syncevo-local-sync [DEBUG 00:00:00] dbus_server_listen(unix:abstract=gdbuscxx-1) failed, trying next candidate: Failed to bind socket "gdbuscxx-1": Address already in use [DEBUG 00:00:00] ForkExecParent: running /usr/libexec/syncevo-local-sync with D-Bus address unix:abstract=gdbuscxx-2 [DEBUG 00:00:00] ForkExecParent: child process for /usr/libexec/syncevo-local-sync has pid 7867 [DEBUG 00:00:00] Session_CreateContext '3364472920400220292' found [DEBUG 00:00:00] waiting for child to send message QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave. [DEBUG 00:00:00] ForkExecParent: child syncevo-local-sync has connected [DEBUG 00:00:00] child is ready [DEBUG @radicale-cb 00:00:00] local transport: waiting for Sync() call from parent [DEBUG @radicale-cb 00:00:00] local transport: waiting for Sync() call from parent [DEBUG @radicale-cb 00:00:00] local transport: waiting for Sync() call from parent [DEBUG @radicale-cb 00:00:00] local transport: waiting for Sync() call from parent [DEBUG @radicale-cb 00:00:00] Sync() called, starting the sync [DEBUG @radicale-cb 00:00:00] LocalTransportChild: ignore SIGINT, die in SIGTERM [INFO @radicale-cb 00:00:00] target side of local sync ready [DEBUG @radicale-cb 00:00:01] SyncML server account: [DEBUG @radicale-cb 00:00:01] client: SyncEvolution 1.3.1 for workstation [DEBUG @radicale-cb 00:00:01] device ID: syncevolution-1da52241-3c83-4150-8d29-50de1c69026e [DEBUG @radicale-cb 00:00:01] using libedataserver-1.2.so.15 [DEBUG @radicale-cb 00:00:01] using libebook-1.2.so.12 [DEBUG @radicale-cb 00:00:01] using libebook-1.2.so.12 [DEBUG @radicale-cb 00:00:01] e_contact_inline_local_photos not found [DEBUG @radicale-cb 00:00:01] using libecal-1.2.so.10 [DEBUG @radicale-cb 00:00:01] using libecal-1.2.so.10 [DEBUG @radicale-cb 00:00:01] using libbluetooth.so.3 [DEBUG @radicale-cb 00:00:01] sdp_extract_pdu_safe not found [DEBUG @radicale-cb 00:00:01] sdp_extract_seqtype_safe not found [DEBUG @radicale-cb 00:00:01] Scanning backend libraries in /usr/lib/syncevolution/backends/ [DEBUG @radicale-cb 00:00:01] Loading backend library syncecal.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncxmlrpc.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncfile.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncsqlite.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncaddressbook.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncdav.so [DEBUG @radicale-cb 00:00:01] Loading backend library platformkde.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncmaemocal.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncqtcontacts.so [DEBUG @radicale-cb 00:00:01] Loading backend library synckcalextended.so [DEBUG @radicale-cb 00:00:01] Loading backend library platformgnome.so [DEBUG @radicale-cb 00:00:01] Loading backend library syncakonadi.sofailed libakonadi-kde.so.4: cannot open shared object file: No such file or directory [DEBUG @radicale-cb 00:00:01] Loading backend library syncebook.so [INFO @radicale-cb 00:00:01] @radicale-cb/addressbook: inactive [INFO @radicale-cb 00:00:01] @radicale-cb/calendar: inactive [DEBUG @radicale-cb 00:00:01] checking sync password syncURL [DEBUG @radicale-cb 00:00:01] checking sync password username [DEBUG @radicale-cb 00:00:01] checking sync password password [DEBUG @radicale-cb 00:00:01] checking sync password logdir [DEBUG @radicale-cb 00:00:01] checking sync password loglevel [DEBUG @radicale-cb 00:00:01] checking sync password notifyLevel [DEBUG @radicale-cb 00:00:01] checking sync password printChanges [DEBUG @radicale-cb 00:00:01] checking sync password dumpData [DEBUG @radicale-cb 00:00:01] checking sync password maxlogdirs [DEBUG @radicale-cb 00:00:01] checking sync password autoSync [DEBUG @radicale-cb 00:00:01] checking sync password autoSyncInterval [DEBUG @radicale-cb 00:00:01] checking sync password autoSyncDelay [DEBUG @radicale-cb 00:00:01] checking sync password preventSlowSync [DEBUG @radicale-cb 00:00:01] checking sync password useProxy [DEBUG @radicale-cb 00:00:01] checking sync password proxyHost [DEBUG @radicale-cb 00:00:01] checking sync password proxyUsername [DEBUG @radicale-cb 00:00:01] checking sync password proxyPassword [DEBUG @radicale-cb 00:00:01] checking sync password clientAuthType [DEBUG @radicale-cb 00:00:01] checking sync password RetryDuration [DEBUG @radicale-cb 00:00:01] checking sync password RetryInterval [DEBUG @radicale-cb 00:00:01] checking sync password remoteIdentifier [DEBUG @radicale-cb 00:00:01] checking sync password PeerIsClient [DEBUG @radicale-cb 00:00:01] checking sync password SyncMLVersion [DEBUG @radicale-cb 00:00:01] checking sync password PeerName [DEBUG @radicale-cb 00:00:01] checking sync password deviceId [DEBUG @radicale-cb 00:00:01] checking sync password remoteDeviceId [DEBUG @radicale-cb 00:00:01] checking sync password enableWBXML [DEBUG @radicale-cb 00:00:01] checking sync password enableRefreshSync [DEBUG @radicale-cb 00:00:01] checking sync password maxMsgSize [DEBUG @radicale-cb 00:00:01] checking sync password maxObjSize [DEBUG @radicale-cb 00:00:01] checking sync password SSLServerCertificates [DEBUG @radicale-cb 00:00:01] checking sync password SSLVerifyServer [DEBUG @radicale-cb 00:00:01] checking sync password SSLVerifyHost [DEBUG @radicale-cb 00:00:01] checking sync password WebURL [DEBUG @radicale-cb 00:00:01] checking sync password IconURI [DEBUG @radicale-cb 00:00:01] checking sync password ConsumerReady [DEBUG @radicale-cb 00:00:01] checking sync password peerType [DEBUG @radicale-cb 00:00:01] checking sync password HashCode [DEBUG @radicale-cb 00:00:01] checking sync password ConfigDate [DEBUG @radicale-cb 00:00:01] checking sync password lastNonce [DEBUG @radicale-cb 00:00:01] checking sync password deviceData [DEBUG @radicale-cb 00:00:01] checking sync password defaultPeer [DEBUG @radicale-cb 00:00:01] checking sync password keyring [DEBUG @radicale-cb 00:00:01] checking sync password webDAVCredentialsOkay [DEBUG @radicale-cb 00:00:01] checking source calendar-test password sync [DEBUG @radicale-cb 00:00:01] checking source calendar-test password uri [DEBUG @radicale-cb 00:00:01] checking source calendar-test password backend [DEBUG @radicale-cb 00:00:01] checking source calendar-test password syncFormat [DEBUG @radicale-cb 00:00:01] checking source calendar-test password forceSyncFormat [DEBUG @radicale-cb 00:00:01] checking source calendar-test password database [DEBUG @radicale-cb 00:00:01] checking source calendar-test password databaseFormat [DEBUG @radicale-cb 00:00:01] checking source calendar-test password databaseUser [DEBUG @radicale-cb 00:00:01] checking source calendar-test password databasePassword [DEBUG @radicale-cb 00:00:01] checking source calendar-test password adminData [DEBUG @radicale-cb 00:00:01] checking source calendar-test password synthesisID [DEBUG @radicale-cb 00:00:01] sync is starting, catch signals [DEBUG @radicale-cb 00:00:01] SuspendFlags: (re)activating, currently inactive [DEBUG @radicale-cb 00:00:01] SuspendFlags: activating signal handler(s) with fds 13->12 [DEBUG @radicale-cb 00:00:01] ready to sync [DEBUG @radicale-cb 00:00:01] CreateContext SyncEvolution//calendar-test => 0 [DEBUG @radicale-cb 00:00:01] Module_Version = 01090100 [DEBUG @radicale-cb 00:00:01] Module_Capabilities: [DEBUG @radicale-cb 00:00:01] PLATFORM:Linux [DEBUG @radicale-cb 00:00:01] DLL:true [DEBUG @radicale-cb 00:00:01] MINVERSION:V1.0.6.0 [DEBUG @radicale-cb 00:00:01] MANUFACTURER:SyncEvolution [DEBUG @radicale-cb 00:00:01] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG @radicale-cb 00:00:01] plugin_datastore_str:no [DEBUG @radicale-cb 00:00:01] plugin_datastore_key:yes [DEBUG @radicale-cb 00:00:01] ITEM_AS_KEY:yes [DEBUG @radicale-cb 00:00:01] plugin_datablob:no [DEBUG @radicale-cb 00:00:01] Module_PluginParams [DEBUG @radicale-cb 00:00:01] Engine=01090100 [DEBUG @radicale-cb 00:00:01] [DEBUG @radicale-cb 00:00:01] Module_Capabilities: [DEBUG @radicale-cb 00:00:01] PLATFORM:Linux [DEBUG @radicale-cb 00:00:01] DLL:true [DEBUG @radicale-cb 00:00:01] MINVERSION:V1.0.6.0 [DEBUG @radicale-cb 00:00:01] MANUFACTURER:SyncEvolution [DEBUG @radicale-cb 00:00:01] DESCRIPTION:SyncEvolution Synthesis DB Plugin [DEBUG @radicale-cb 00:00:01] plugin_datastore_str:no [DEBUG @radicale-cb 00:00:01] plugin_datastore_key:yes [DEBUG @radicale-cb 00:00:01] ITEM_AS_KEY:yes [DEBUG @radicale-cb 00:00:01] plugin_datablob:no [DEBUG @radicale-cb 00:00:01] child local transport sending 3030 bytes [DEBUG 00:00:01] Session_CheckDevice dev='syncevolution-1da52241-3c83-4150-8d29-50de1c69026e' nonce='])6MT"!!' res=0 [DEBUG 00:00:01] Session_SaveNonce nonce=':,;X5#!!' [DEBUG 00:00:01] Session_SaveDeviceInfo info='REMOTE_URI:syncevolution-1da52241-3c83-4150-8d29-50de1c69026e [DEBUG 00:00:01] REMOTE_DESC:Patrick Ohly SyncEvolution [DEBUG 00:00:01] REMOTE_INFO:workstation (unknown, 1.3.1, 3.4.0.41) Synthesis AG [DEBUG 00:00:01] DOMAIN: [DEBUG 00:00:01] MOD:SyncEvolution [DEBUG 00:00:01] MAN:Patrick Ohly [DEBUG 00:00:01] OEM:Synthesis AG [DEBUG 00:00:01] FWV:1.3.1 [DEBUG 00:00:01] SWV:3.4.0.41 [DEBUG 00:00:01] HWV:unknown [DEBUG 00:00:01] ' [DEBUG 00:00:01] @default/calendar-test: 'calendar-test' dev='syncevolution-1da52241-3c83-4150-8d29-50de1c69026e' usr='anonymous' err=0 [DEBUG 00:00:01] @default/calendar-test: 'calendar-test' dev='syncevolution-1da52241-3c83-4150-8d29-50de1c69026e' usr='anonymous' err=0 [DEBUG 00:00:01] @default/calendar-test: LoadAdminData 'calendar-test' './calendar-test', 'remotesyncanchor:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lastsync:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lasttoremotesync:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lasttoremotesyncid:1 [DEBUG 00:00:01] @default/calendar-test: resumealertcode:0 [DEBUG 00:00:01] @default/calendar-test: lastsuspend:20121021T203735Z [DEBUG 00:00:01] @default/calendar-test: lastsuspendid: [DEBUG 00:00:01] @default/calendar-test: partialitemstate:0 [DEBUG 00:00:01] @default/calendar-test: lastitemstatus:0 [DEBUG 00:00:01] @default/calendar-test: lastsourceURI: [DEBUG 00:00:01] @default/calendar-test: lasttargetURI: [DEBUG 00:00:01] @default/calendar-test: totalsize:0 [DEBUG 00:00:01] @default/calendar-test: unconfirmedsize:0 [DEBUG 00:00:01] @default/calendar-test: storedsize:0 [DEBUG 00:00:01] @default/calendar-test: stored;BLOBID=PIStored [DEBUG 00:00:01] @default/calendar-test: ' res=0 [DEBUG 00:00:01] @default/calendar-test: ReadNextMapItem '20121020T202419Z-13766-1000-1-15@bigbox-rid' + 1 = '(null)' + 0 first=yes res=1 [DEBUG 00:00:01] @default/calendar-test: ReadNextMapItem '20121020T232742Z-11041-1000-2444-0@ideabox-rid' + 1 = '(null)' + 0 first=no res=1 [DEBUG 00:00:01] @default/calendar-test: ReadNextMapItem '20121020T233341Z-11041-1000-2444-44@ideabox-rid' + 1 = '20121020T233341Z-11041-1000-2444-44@ideabox.ics' + 0 first=no res=1 [DEBUG 00:00:01] @default/calendar-test: ReadNextMapItem '(none)' + 0 = '(none)' + 0 first=no res=0 [DEBUG 00:00:01] waiting for child to send message [DEBUG @radicale-cb 00:00:01] local transport: waiting for next message [DEBUG @radicale-cb 00:00:01] local transport: waiting for next message [DEBUG @radicale-cb 00:00:01] local transport: waiting for next message [DEBUG @radicale-cb 00:00:01] child got message of 3347 bytes [DEBUG @radicale-cb 00:00:01] processing 3347 bytes in child [INFO @radicale-cb 00:00:01] @radicale-cb/calendar-test: starting normal sync, two-way (peer is server) [DEBUG @radicale-cb 00:00:01] 'calendar-test' dev='anydevice' usr='singleuser' err=0 [DEBUG @radicale-cb 00:00:01] FilterSupport staticfilter: [DEBUG @radicale-cb 00:00:01] dynamicfilter: [DEBUG @radicale-cb 00:00:01] invisiblefilter: [DEBUG @radicale-cb 00:00:01] using libneon neon 0.29.6: Library build, IPv6, libxml 2.7.8, zlib 1.2.3.4, GNU TLS 2.10.5. with SSL, ZLIB, IPV6, TS_SSL, I18N HTTP session to http://${URL}:80 begins. [DEBUG @radicale-cb 00:00:01] using libneon neon 0.29.6: Library build, IPv6, libxml 2.7.8, zlib 1.2.3.4, GNU TLS 2.10.5. with SSL, ZLIB, IPV6, TS_SSL, I18N [DEBUG @radicale-cb 00:00:01] starting PROPFIND, credentials unverified, deadline in 300,0s ah_create, for WWW-Authenticate Running pre_send hooks Sending request headers: PROPFIND /muelli/test/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: ${URL} Depth: 0 Content-Length: 137 Content-Type: application/xml Authorization: xxxxxxxxxx Sending request-line and headers: Doing DNS lookup on ${URL}... [DEBUG @radicale-cb 00:00:01] forced sending credentials req: Connecting to ip.ip.ip.ip:80 Sending request body: Body block (137 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getctag xmlns="http://calendarserver.org/ns/"/> </prop></propfind> ] Request sent; retry is 0. [status-line] < HTTP/1.1 401 Authorization Required [hdr] Date: Sun, 21 Oct 2012 20:38:59 GMT Header Name: [date], Value: [Sun, 21 Oct 2012 20:38:59 GMT] [hdr] Server: Apache Header Name: [server], Value: [Apache] [hdr] WWW-Authenticate: Digest realm="calendar", nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", algorithm=MD5, domain="calendar", qop="auth" Header Name: [www-authenticate], Value: [Digest realm="calendar", nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", algorithm=MD5, domain="calendar", qop="auth"] [hdr] Content-Length: 476 Header Name: [content-length], Value: [476] [hdr] Keep-Alive: timeout=15, max=100 Header Name: [keep-alive], Value: [timeout=15, max=100] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/html; charset=iso-8859-1 Header Name: [content-type], Value: [text/html; charset=iso-8859-1] [hdr] End of headers. Running post_headers hooks Reading 476 bytes of response body. Got 476 bytes. Read block (476 bytes): [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>Authorization Required</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache Server at ${URL} Port 80</address> </body></html> ] Running post_send hooks ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest realm="calendar", nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", algorithm=MD5, domain="calendar", qop="auth" auth: Got challenge (code 401). auth: Got 'Digest' challenge. auth: Trying Digest challenge... auth: Using domain /calendar from calendar auth: Got qop, using 2617-style. auth: H(A1) is [106348b5f532106259673842cc2920e5] auth: Accepting digest challenge. auth: Accepted Digest challenge. Running pre_send hooks [DEBUG @radicale-cb 00:00:01] retry request with credentials auth: '/muelli/test/' is inside auth domain: 0. Sending request headers: PROPFIND /muelli/test/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: ${URL} Depth: 0 Content-Length: 137 Content-Type: application/xml Sending request-line and headers: Sending request body: Body block (137 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getctag xmlns="http://calendarserver.org/ns/"/> </prop></propfind> ] Request sent; retry is 1. [status-line] < HTTP/1.1 401 Authorization Required [hdr] Date: Sun, 21 Oct 2012 20:38:59 GMT Header Name: [date], Value: [Sun, 21 Oct 2012 20:38:59 GMT] [hdr] Server: Apache Header Name: [server], Value: [Apache] [hdr] WWW-Authenticate: Digest realm="calendar", nonce="HSkFupfMBAA=be11d594e9d80d4dadf1c9e8acff1930cc937623", algorithm=MD5, domain="calendar", qop="auth" Header Name: [www-authenticate], Value: [Digest realm="calendar", nonce="HSkFupfMBAA=be11d594e9d80d4dadf1c9e8acff1930cc937623", algorithm=MD5, domain="calendar", qop="auth"] [hdr] Content-Length: 476 Header Name: [content-length], Value: [476] [hdr] Keep-Alive: timeout=15, max=99 Header Name: [keep-alive], Value: [timeout=15, max=99] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/html; charset=iso-8859-1 Header Name: [content-type], Value: [text/html; charset=iso-8859-1] [hdr] End of headers. Running post_headers hooks Reading 476 bytes of response body. Got 476 bytes. Read block (476 bytes): [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>Authorization Required</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache Server at ${URL} Port 80</address> </body></html> ] Running post_send hooks ah_post_send (#1), code is 401 (want 401), WWW-Authenticate is Digest realm="calendar", nonce="HSkFupfMBAA=be11d594e9d80d4dadf1c9e8acff1930cc937623", algorithm=MD5, domain="calendar", qop="auth" auth: Got challenge (code 401). auth: Got 'Digest' challenge. auth: Trying Digest challenge... auth: Using domain /calendar from calendar auth: No challenges accepted. Request ends, status 401 class 4xx, error line: Could not authenticate to server: rejected Digest challenge [DEBUG @radicale-cb 00:00:01] credential error, no success with them before => report it [DEBUG @radicale-cb 00:00:01] PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge, must not retry [DEBUG @radicale-cb 00:00:01] credentials rejected Running destroy hooks. Request ends. [DEBUG @radicale-cb 00:00:01] exception thrown at /data/runtests/work/sources/syncevolution/src/backends/webdav/NeonCXX.cpp:719 [ERROR @radicale-cb 00:00:01] error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge [DEBUG @radicale-cb 00:00:01] StartDataRead last='1' resume='1' res=401 [DEBUG @radicale-cb 00:00:01] DeleteContext [INFO @radicale-cb 00:00:01] @radicale-cb/calendar-test: normal sync done unsuccessfully [ERROR @radicale-cb 00:00:01] authorization failed (local, status 10401) [ERROR @radicale-cb 00:00:01] error code from Synthesis engine authorization failed (local, status 10401) [DEBUG @radicale-cb 00:00:01] aborting after catching fatal error [DEBUG @radicale-cb 00:00:01] SuspendFlags: deactivating fds 13->12 [DEBUG @radicale-cb 00:00:01] SuspendFlags: close m_receiverFD 12 [DEBUG @radicale-cb 00:00:01] SuspendFlags: close m_senderFD 13 [DEBUG @radicale-cb 00:00:01] SuspendFlags: done with deactivation [DEBUG @radicale-cb 00:00:01] Module_DeleteContext calendar-test [DEBUG @radicale-cb 00:00:01] removing /home/muelli/.cache/syncevolution/target_+config@radicale_+cb-2012-10-21-02-57-a [DEBUG @radicale-cb 00:00:01] child sending sync report: [DEBUG @radicale-cb 00:00:01] end = 1350851939 [DEBUG @radicale-cb 00:00:01] error = error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge [DEBUG @radicale-cb 00:00:01] source-calendar_+test-backup-after = -1 [DEBUG @radicale-cb 00:00:01] source-calendar_+test-backup-before = -1 [DEBUG @radicale-cb 00:00:01] source-calendar_+test-first = false [DEBUG @radicale-cb 00:00:01] source-calendar_+test-mode = two-way [DEBUG @radicale-cb 00:00:01] source-calendar_+test-resume = false [DEBUG @radicale-cb 00:00:01] source-calendar_+test-status = 10401 [DEBUG @radicale-cb 00:00:01] start = 1350851938 [DEBUG @radicale-cb 00:00:01] status = 10401 [DEBUG 00:00:01] got child sync report: [DEBUG 00:00:01] end = 1350851939 [DEBUG 00:00:01] error = error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge [DEBUG 00:00:01] source-calendar_+test-backup-after = -1 [DEBUG 00:00:01] source-calendar_+test-backup-before = -1 [DEBUG 00:00:01] source-calendar_+test-first = false [DEBUG 00:00:01] source-calendar_+test-mode = two-way [DEBUG 00:00:01] source-calendar_+test-resume = false [DEBUG 00:00:01] source-calendar_+test-status = 10401 [DEBUG 00:00:01] start = 1350851938 [DEBUG 00:00:01] status = 10401 [DEBUG @radicale-cb 00:00:01] local transport: waiting for parent's ACK for sync report [DEBUG @radicale-cb 00:00:01] local transport: waiting for parent's ACK for sync report [DEBUG @radicale-cb 00:00:01] local transport: waiting for parent's ACK for sync report [DEBUG @radicale-cb 00:00:01] sending sync report to parent: done sess: Destroying session. [DEBUG 00:00:01] child process has quit with status 0 [DEBUG 00:00:01] waiting for child to send message [DEBUG 00:00:01] exception thrown at /data/runtests/work/sources/syncevolution/src/syncevo/LocalTransportAgent.cpp:404 [ERROR 00:00:01] error code from SyncEvolution authorization failed (local, status 10401): failure on target side @radicale-cb of local sync: PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge [DEBUG 00:00:01] aborting after catching fatal error [DEBUG 00:00:01] @default/calendar-test: SaveAdminData 'remotesyncanchor:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lastsync:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lasttoremotesync:20121020T233352Z [DEBUG 00:00:01] @default/calendar-test: lasttoremotesyncid:1 [DEBUG 00:00:01] @default/calendar-test: resumealertcode:0 [DEBUG 00:00:01] @default/calendar-test: lastsuspend:20121021T203859Z [DEBUG 00:00:01] @default/calendar-test: lastsuspendid: [DEBUG 00:00:01] @default/calendar-test: partialitemstate:0 [DEBUG 00:00:01] @default/calendar-test: lastitemstatus:0 [DEBUG 00:00:01] @default/calendar-test: lastsourceURI: [DEBUG 00:00:01] @default/calendar-test: lasttargetURI: [DEBUG 00:00:01] @default/calendar-test: totalsize:0 [DEBUG 00:00:01] @default/calendar-test: unconfirmedsize:0 [DEBUG 00:00:01] @default/calendar-test: storedsize:0 [DEBUG 00:00:01] @default/calendar-test: stored;BLOBID=PIStored [DEBUG 00:00:01] @default/calendar-test: ' res=0 [DEBUG 00:00:01] @default/calendar-test: DeleteBlob aID=(,) aBlobID=(PIStored) res=0 [INFO 00:00:01] @default/calendar-test: inactive [ERROR 00:00:01] @default/calendar-test: aborted on behalf of user (local, status 20017) [DEBUG 00:00:01] @default/calendar-test: DeleteContext [DEBUG 00:00:01] @default/calendar-test: DeleteContext [DEBUG 00:00:01] SuspendFlags: deactivating fds 10->9 [DEBUG 00:00:01] SuspendFlags: close m_receiverFD 9 [DEBUG 00:00:01] SuspendFlags: close m_senderFD 10 [DEBUG 00:00:01] SuspendFlags: done with deactivation [DEBUG 00:00:01] Module_DeleteContext calendar-test [DEBUG 00:00:01] Module_DeleteContext calendar-test [DEBUG 00:00:01] Module_DeleteContext 'session' [INFO 00:00:01] creating complete data backup after sync (enabled with dumpData and needed for printChanges) [DEBUG 00:00:01] removing /home/muelli/.cache/syncevolution/radicale-2012-10-21-22-37 Funnily enough, I can't grep for my password in ~/.config/syncevolution. Although I set things up like: syncevolution --configure --template webdav username=user2 password=pw2 syncURL=http://foo/muelli/test/ target-radicale@cb The only file that carried my username ~/.config/syncevolution/cb/peers/target-radicale/config.ini and it had the password set to "-". I put my password there manually, but to no avail.
(In reply to comment #3) > I just made Apache enforce digest auth, i.e. > http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html > > Sending Basic Auth proactively is not very nice, because you blow the > password in plain text into the Internet. And in fact I tried setting up > Digest Auth primarily to prevent my credentials being posted as plaintext. The rationale was that no-one would ever use WebDAV over an unencrypted channel, because otherwise the equally sensitive private data would be visible to eavedroppers. Do you use https? Sending the credentials in advance could (should?!) be limited to https. > >- The server sends a permanent error, instead of > > asking for some other way of authentication. > hm. The logs indicate the server returning a 401 Authorization needed along > with a WWW-Authenticate header, as opposed to a 403. > > So if I read the logs correctly and got the semantics of HTTP right, then I > think your hypothesis is wrong. You are right. > Running post_send hooks > ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest > realm="calendar", > nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", algorithm=MD5, > domain="calendar", qop="auth" > auth: Got challenge (code 401). > auth: Got 'Digest' challenge. > auth: Trying Digest challenge... > auth: Using domain /calendar from calendar > auth: Got qop, using 2617-style. > auth: H(A1) is [106348b5f532106259673842cc2920e5] > auth: Accepting digest challenge. > auth: Accepted Digest challenge. > Running pre_send hooks > [DEBUG @radicale-cb 00:00:01] retry request with credentials > auth: '/muelli/test/' is inside auth domain: 0. > Sending request headers: > PROPFIND /muelli/test/ HTTP/1.1 > Keep-Alive: > Connection: TE, Keep-Alive > TE: trailers > Host: ${URL} > Depth: 0 > Content-Length: 137 > Content-Type: application/xml Hmm, somehow libneon doesn't include credentials in the request header here, despite recognizing the challenge (the "auth" output is from libneon). I'm out of ideas. Can you recompile from source with the Basic authentication disabled? In Neon.cpp, comment out the content of Session::forceAuthorization(). In the meantime I'll try to reproduce this with my own setup of Apache+DAViCal. > Funnily enough, I can't grep for my password in ~/.config/syncevolution. > Although I set things up like: > syncevolution --configure --template webdav username=user2 password=pw2 > syncURL=http://foo/muelli/test/ target-radicale@cb It was stored in a more secure keyring. See the "keyring" property for an explanation.
(In reply to comment #4) > The rationale was that no-one would ever use WebDAV over an unencrypted > channel, because otherwise the equally sensitive private data would be > visible to eavedroppers. > That's a bold assumption. If your usecase doesn't follow a Bell LaPadula security model but rather Biba, then you don't mind exposing the content but the credentials to set the content. Think announcements. I don't mind everyone reading public announcements I store via CalDAV, but I don't want everyone to be able to set or alter these. > Do you use https? > No. Not just yet. I was going step by step. > Sending the credentials in advance could (should?!) be limited to https. > Hm. Maybe. I see usecases for sending credentials besides the server being okay with no credentials. I.e. the announcements scenario where it's perfectly fine to read a calendar, but if you are authorized, you get a different calendar. > I'm out of ideas. Can you recompile from source with the Basic > authentication disabled? yes. Give me a couple of days and feel free to nag me. > In the meantime I'll try to reproduce this with my own setup of > Apache+DAViCal. > Note that Apache is enough. In fact, any webserver that requires Digest Auth should do. I haven't checked whether there is a simple Python implementation but there should be one.
Note to self: when telling DAViCal to use Digest authentication according to http://wiki.davical.org/w/Configuration/settings/http_auth_mode, then it will still accept and use Basic authentication when SyncEvolution pro-actively includes the Basic auth header. The reason is apparently this check in /usr/share/davical/inc/HTTPAuthSession.php: function HTTPAuthSession() { global $c; if ( ! empty($_SERVER['PHP_AUTH_DIGEST'])) { $this->DigestAuthSession(); } => else if ( isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER["AUTHORIZATION"]) ) { => $this->BasicAuthSession(); } else if ( isset($c->http_auth_mode) && $c->http_auth_mode == "Digest" ) { $this->DigestAuthSession(); } else { $this->BasicAuthSession(); } } PHP_AUTH_USER is set and thus DAViCal never checks the http_auth_mode. Looks like a bug in DAViCal to me. After patching the code and resetting the password in the SQL database to plain text (required by Digest mode in DAViCal), I got the expected behavior: - Authentication: Basic sent by SyncEvolution - Rejected by DAViCal. - SyncEvolution sends request again with Digest authentication. - Request succeeds. Here's the log: $ SYNCEVOLUTION_DEBUG=1 ./syncevolution --daemon=no --print-items loglevel=20 target-config@client-test-davical carddav [DEBUG 00:00:00] Mon 2012-11-05 07:50:21 UTC = 07:50 +0000 UTC [DEBUG 00:00:00] using libneon neon 0.29.6: Library build, IPv6, libxml 2.7.8, zlib 1.2.6, GNU TLS 2.12.18. with SSL, ZLIB, IPV6, TS_SSL, I18N HTTP session to http://localhost:8009 begins. [DEBUG 00:00:00] carddav: slow sync or testing, do full item scan to detect changes [DEBUG 00:00:00] using libneon neon 0.29.6: Library build, IPv6, libxml 2.7.8, zlib 1.2.6, GNU TLS 2.12.18. with SSL, ZLIB, IPV6, TS_SSL, I18N [DEBUG 00:00:00] starting PROPFIND, credentials unverified, deadline in 120.0s ah_create, for WWW-Authenticate Running pre_send hooks [DEBUG 00:00:00] forced sending credentials Sending request headers: PROPFIND /caldav.php/test/addresses/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: localhost:8009 Depth: 1 Content-Length: 141 Content-Type: application/xml Authorization: Basic dGVzdDp0ZXN0aW5n Sending request-line and headers: Doing DNS lookup on localhost... req: Connecting to 127.0.0.1:8009 Sending request body: Body block (141 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getetag xmlns="DAV:"/> <resourcetype xmlns="DAV:"/> </prop></propfind> ] Request sent; retry is 0. [status-line] < HTTP/1.1 401 Unauthorized [hdr] Date: Mon, 05 Nov 2012 07:50:21 GMT Header Name: [date], Value: [Mon, 05 Nov 2012 07:50:21 GMT] [hdr] Server: Apache/2.2.22 (Linux/SUSE) Header Name: [server], Value: [Apache/2.2.22 (Linux/SUSE)] [hdr] X-Powered-By: PHP/5.3.15 Header Name: [x-powered-by], Value: [PHP/5.3.15] [hdr] WWW-Authenticate: Digest realm="DAViCal CalDAV Server", qop="auth", nonce="7427c1c260c7f1e2293e3f2a7440ffa41b81 84c2", opaque="32d4d9c8c17aa5cf5347d64a2a5d312a1fde4133", algorithm="MD5" Header Name: [www-authenticate], Value: [Digest realm="DAViCal CalDAV Server", qop="auth", nonce="7427c1c260c7f1e2293 e3f2a7440ffa41b8184c2", opaque="32d4d9c8c17aa5cf5347d64a2a5d312a1fde4133", algorithm="MD5"] [hdr] Content-Length: 40 Header Name: [content-length], Value: [40] [hdr] Keep-Alive: timeout=15, max=100 Header Name: [keep-alive], Value: [timeout=15, max=100] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/plain; ; charset="utf-8" Header Name: [content-type], Value: [text/plain; ; charset="utf-8"] [hdr] End of headers. Running post_headers hooks Reading 40 bytes of response body. Got 40 bytes. Read block (40 bytes): [Please log in for access to this system.] Running post_send hooks ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest realm="DAViCal CalDAV Server", qop="auth", nonc e="7427c1c260c7f1e2293e3f2a7440ffa41b8184c2", opaque="32d4d9c8c17aa5cf5347d64a2a5d312a1fde4133", algorithm="MD5" auth: Got challenge (code 401). auth: Got 'Digest' challenge. auth: Trying Digest challenge... [DEBUG 00:00:00] retry request with credentials auth: Got qop, using 2617-style. auth: H(A1) is [40781b661e9b4d5c3b5dc047702bc85f] auth: Accepting digest challenge. auth: Accepted Digest challenge. Running pre_send hooks auth: Sending 'Digest' response. auth: H(A2): c8eb1df0ed987f0b02cfb56bc50d24a3 Sending request headers: PROPFIND /caldav.php/test/addresses/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: localhost:8009 Depth: 1 Content-Length: 141 Content-Type: application/xml Authorization: Digest username="test", realm="DAViCal CalDAV Server", nonce="7427c1c260c7f1e2293e3f2a7440ffa41b8184c2", uri="/caldav.php/test/addresses/", response="6325f0294db875783c839afde5817b6f", algorithm="MD5", opaque="32d4d9c8c17aa5cf5347d64a2a5d312a1fde4133", cnonce="ef2665b2a91f6f6e160011b8d028a267", nc=00000001, qop="auth" Sending request-line and headers: Sending request body: Body block (141 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getetag xmlns="DAV:"/> <resourcetype xmlns="DAV:"/> </prop></propfind> ] Request sent; retry is 1. [status-line] < HTTP/1.1 207 Multi-Status [hdr] Date: Mon, 05 Nov 2012 07:50:21 GMT Header Name: [date], Value: [Mon, 05 Nov 2012 07:50:21 GMT] [hdr] Server: Apache/2.2.22 (Linux/SUSE) Header Name: [server], Value: [Apache/2.2.22 (Linux/SUSE)] [hdr] X-Powered-By: PHP/5.3.15 Header Name: [x-powered-by], Value: [PHP/5.3.15] [hdr] DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule Header Name: [dav], Value: [1, 2, 3, access-control, calendar-access, calendar-schedule] [hdr] DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy Header Name: [dav], Value: [extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy] [hdr] ETag: "7a2f62379f0797dc9d59ebaf58982267" Header Name: [etag], Value: ["7a2f62379f0797dc9d59ebaf58982267"] [hdr] X-DAViCal-Version: DAViCal/1.1.1; DB/1.2.11 Header Name: [x-davical-version], Value: [DAViCal/1.1.1; DB/1.2.11] [hdr] Content-Length: 5321 Header Name: [content-length], Value: [5321] [hdr] Keep-Alive: timeout=15, max=99 Header Name: [keep-alive], Value: [timeout=15, max=99] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/xml; charset="utf-8" Header Name: [content-type], Value: [text/xml; charset="utf-8"] [hdr] End of headers. Running post_headers hooks Reading 5321 bytes of response body. Got 3616 bytes. Read block (3616 bytes): [<?xml version="1.0" encoding="utf-8" ?> <multistatus xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"> <response> <href>/caldav.php/test/addresses/</href> <propstat> <prop> <resourcetype> <collection/> <C:addressbook/> </resourcetype> </prop> <status>HTTP/1.1 200 OK</status> ... In other words, I cannot reproduce the problem yet. I'll try the Apache + Radicale combination next.
(In reply to comment #3) > I just made Apache enforce digest auth, i.e. > http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html Can you describe the actual setup in more detail? Do you use Apache as proxy for Radicale? Do you have any authentication enabled in Radicale itself?
(In reply to comment #7) > (In reply to comment #3) > > I just made Apache enforce digest auth, i.e. > > http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html > > Can you describe the actual setup in more detail? Do you use Apache as proxy > for Radicale? Do you have any authentication enabled in Radicale itself? Hm. So I did a few tests. I was looking for a lightweight server, preferably something without much installation and all, but I failed to find something. The most promising approach seemed to be cyclone followed by Twisted Web. There is "quickserve" as a haskell program. Not gonna work. And there is a Python "quickserve" but it has awkward dependencies and is not installable via standard mechanisms. SyncEvolution seems to work with Twisted Web and digest auth like so: pip install -E /tmp/twisted Twisted cat > /tmp/digestauth.rpy <<EOF cache() from zope.interface import implements from twisted.cred.portal import IRealm, Portal from twisted.cred.checkers import FilePasswordDB, InMemoryUsernamePasswordDatabaseDontUse from twisted.web.static import File from twisted.web.guard import HTTPAuthSessionWrapper, DigestCredentialFactory, BasicCredentialFactory class PublicHTMLRealm(object): implements(IRealm) def requestAvatar(self, avatarId, mind, *interfaces): return "foo" im = InMemoryUsernamePasswordDatabaseDontUse(foo='bar', user1='pw1') #im.addUser('foo','bar') portal = Portal(PublicHTMLRealm(), [im]) #portal = Portal(PublicHTMLRealm(), [FilePasswordDB('httpd.password')]) credentialFactory = DigestCredentialFactory("md5", "localhost:8080") #credentialFactory = BasicCredentialFactory("realm") resource = HTTPAuthSessionWrapper(portal, [credentialFactory]) EOF /tmp/twisted/bin/twistd -n web --path /tmp/ Then configure SyncEvolution like in bug 56263 but with URL=http://localhost:8080/digestauth.rpy/ It will work, i.e. 401 isn't returned, but 500 or so, which is due to the handler crashing somewhere, but after authorization. However, with Apache, it doesn't work. My setup is very simple and doesn't involve Radicale (or anything else, really), at all. The Apache config file is: <VirtualHost *:80> AddDefaultCharset UTF-8 ServerAdmin admin@foo.de DocumentRoot /var/empty/ ServerName caltest.foo.de <Location /> ## Digest auth doesn't work with SyncEvolution nor Evolution :-( There are bugs about that ## One Android Client seems to handle that well though AuthType Digest AuthName "calendar" AuthDigestDomain calendar AuthDigestProvider file AuthUserFile /tmp/radicale.passwd #AuthType Basic #AuthName "Radicale Authentication" #AuthBasicProvider file #AuthUserFile /tmp/radicale.passwd Require valid-user </Location> <Directory /var/empty/> Allow from all Options FollowSymlinks AllowOverride FileInfo AuthConfig </Directory> </VirtualHost> Then create a user like this: htdigest /path/to/radicale.passwd foo See that it does indeed work: wget --user=foo --password=bar -O- 'http://caltest.foo.de/' And PROPFIND, too: curl --request PROPFIND --anyauth --fail --user foo:bar 'http://caltest.foo.de/' curl: (22) The requested URL returned error: 405 Method Not Allowed Note that 405 is good (we just have not registered a PROPFIND listener and would get 401 if credentials were bad: curl --request PROPFIND --anyauth --fail --user baz:bar 'http://caltest.foo.de/' curl: (22) The requested URL returned error: 401 So somewhere is a problem. I am very hesitating to believe that the Apache HTTPd got the implementation wrong (plus, wget and cURL work). So I don't know why it works with Twisted. But as Apache is likely to be used much more often than Twisted, I feel that it is useful to make SyncEvolution work in that combination.
(In reply to comment #4) > Hmm, somehow libneon doesn't include credentials in the request header here, > despite recognizing the challenge (the "auth" output is from libneon). > > I'm out of ideas. Can you recompile from source with the Basic > authentication disabled? In Neon.cpp, comment out the content of > Session::forceAuthorization(). > I tried. As ./configure --enable-dav --enable-developer-mode --prefix=/tmp/syncevolution/ --with-synthesis-src=git://gitorious.org/libsynthesis/libsynthesis.git failed with: configure: error: need at least libsynthesis >= 3.4.0.16.8; the latest libsynthesis for SyncEvolution is the one from http://meego.gitorious.org/meego-middleware/libsynthesis I tried to ./configure --enable-dav --enable-developer-mode --prefix=/tmp/syncevolution/ --with-synthesis-src=../libsynthesis after having checked it out there. CONFIGURATION SUMMARY Core SyncEvolution: yes activesync: no addressbook: no akonadi: no ebook: yes ecal: yes file: yes kcalextended: no maemocal: no pbap: no qtcontacts: no sqlite: no dav: yes xmlrpc: no DBus service: no org._01.pim support in DBus service: Notifications: GIO GDBus: yes GNOME keyring: yes UI (DBus client): no Bluetooth transport: yes GNOME Bluetooth panel plugin: no SHA-256: glib API documentation: no D-Bus Timeout Hack: yes but after making, ./src/syncevolution fails: $ syncevolution --versionSyncEvolution 1.3.99.1+20121117+SE+f80ff66+unclean (pre-release) Loading backend library /home/muelli/git/syncevolution/src/backends/activesync/.libs/syncactivesync.so Loading backend library /home/muelli/git/syncevolution/src/backends/addressbook/.libs/syncaddressbook.so Loading backend library /home/muelli/git/syncevolution/src/backends/akonadi/.libs/syncakonadi.so Loading backend library /home/muelli/git/syncevolution/src/backends/evolution/.libs/syncebook.so Loading backend library /home/muelli/git/syncevolution/src/backends/evolution/.libs/syncecal.so Loading backend library /home/muelli/git/syncevolution/src/backends/file/.libs/syncfile.so Loading backend library /home/muelli/git/syncevolution/src/backends/gnome/.libs/platformgnome.so Loading backend library /home/muelli/git/syncevolution/src/backends/kcalextended/.libs/synckcalextended.so Loading backend library /home/muelli/git/syncevolution/src/backends/kde/.libs/platformkde.so Loading backend library /home/muelli/git/syncevolution/src/backends/maemo/.libs/syncmaemocal.so Loading backend library /home/muelli/git/syncevolution/src/backends/pbap/.libs/syncpbap.so Loading backend library /home/muelli/git/syncevolution/src/backends/qtcontacts/.libs/syncqtcontacts.so Loading backend library /home/muelli/git/syncevolution/src/backends/sqlite/.libs/syncsqlite.so Loading backend library /home/muelli/git/syncevolution/src/backends/webdav/.libs/syncdav.so Loading backend library /home/muelli/git/syncevolution/src/backends/xmlrpc/.libs/syncxmlrpc.so $ syncevolution --daemon=no --configure --template webdav username=user1 password=pw1 syncURL=${URL} target-config@radicale [ERROR] No configuration template for 'webdav' available. [INFO] All relevant properties seem to be set, omit the --template parameter to proceed. [INFO] [INFO] Available configuration templates (clients and servers): [INFO] template name = template description [INFO] none After having it make installed, it worked better, though. But with my patch: commit f80ff66d2ae9a93808f22fa8bb1c90170a92d68b Author: Tobias Mueller <tobiasmue@gnome.org> Date: Sat Nov 17 04:29:38 2012 +0100 unforce authorization diff --git a/src/backends/webdav/NeonCXX.cpp b/src/backends/webdav/NeonCXX.cpp index 26a6ea5..62db8dd 100644 --- a/src/backends/webdav/NeonCXX.cpp +++ b/src/backends/webdav/NeonCXX.cpp @@ -316,9 +316,10 @@ int Session::getCredentials(void *userdata, const char *realm, int attempt, ch void Session::forceAuthorization(const std::string &username, const std::string &password) { - m_forceAuthorizationOnce = true; +/* m_forceAuthorizationOnce = true; m_forceUsername = username; m_forcePassword = password; +*/ } void Session::preSendHook(ne_request *req, void *userdata, ne_buffer *header) throw() it doesn't authenticate properly: $ SYNCEVOLUTION_DEBUG=1 syncevolution --daemon=no loglevel=4 --run target-config@radicale cards1 [DEBUG 00:00:00] Sat 2012-11-17 04:01:49 UTC = 05:01 +0100 CET [DEVELOPER 00:00:00] SyncML server account: user1 [DEVELOPER 00:00:00] client: SyncEvolution 1.3.99.1+20121117+SE+f80ff66+unclean for workstation [DEVELOPER 00:00:00] device ID: syncevolution-3e6db3aa-82f0-4f47-bb4f-63d0c9f7d2df [DEVELOPER 00:00:00] [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends/ [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//activesync/.libs [DEVELOPER 00:00:00] Loading backend library syncactivesync.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//addressbook/.libs [DEVELOPER 00:00:00] Loading backend library syncaddressbook.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//akonadi/.libs [DEVELOPER 00:00:00] Loading backend library syncakonadi.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//evolution/.libs [DEVELOPER 00:00:00] Loading backend library syncebook.so [DEVELOPER 00:00:00] Loading backend library syncecal.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//file/.libs [DEVELOPER 00:00:00] Loading backend library syncfile.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//gnome/.libs [DEVELOPER 00:00:00] Loading backend library platformgnome.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//kcalextended/.libs [DEVELOPER 00:00:00] Loading backend library synckcalextended.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//kde/.libs [DEVELOPER 00:00:00] Loading backend library platformkde.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//maemo/.libs [DEVELOPER 00:00:00] Loading backend library syncmaemocal.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//pbap/.libs [DEVELOPER 00:00:00] Loading backend library syncpbap.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//qtcontacts/.libs [DEVELOPER 00:00:00] Loading backend library syncqtcontacts.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//sqlite/.libs [DEVELOPER 00:00:00] Loading backend library syncsqlite.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//webdav/.libs [DEVELOPER 00:00:00] Loading backend library syncdav.so [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//xmlrpc/.libs [DEVELOPER 00:00:00] Loading backend library syncxmlrpc.so [INFO 00:00:00] addressbook: inactive [INFO 00:00:00] calendar: inactive [INFO 00:00:00] calendar1: inactive [INFO 00:00:00] memo: inactive [INFO 00:00:00] todo: inactive [DEBUG 00:00:00] checking sync password syncURL [DEBUG 00:00:00] checking sync password username [DEBUG 00:00:00] checking sync password password [DEBUG 00:00:00] checking sync password logdir [DEBUG 00:00:00] checking sync password loglevel [DEBUG 00:00:00] checking sync password notifyLevel [DEBUG 00:00:00] checking sync password printChanges [DEBUG 00:00:00] checking sync password dumpData [DEBUG 00:00:00] checking sync password maxlogdirs [DEBUG 00:00:00] checking sync password autoSync [DEBUG 00:00:00] checking sync password autoSyncInterval [DEBUG 00:00:00] checking sync password autoSyncDelay [DEBUG 00:00:00] checking sync password preventSlowSync [DEBUG 00:00:00] checking sync password useProxy [DEBUG 00:00:00] checking sync password proxyHost [DEBUG 00:00:00] checking sync password proxyUsername [DEBUG 00:00:00] checking sync password proxyPassword [DEBUG 00:00:00] checking sync password clientAuthType [DEBUG 00:00:00] checking sync password RetryDuration [DEBUG 00:00:00] checking sync password RetryInterval [DEBUG 00:00:00] checking sync password remoteIdentifier [DEBUG 00:00:00] checking sync password PeerIsClient [DEBUG 00:00:00] checking sync password SyncMLVersion [DEBUG 00:00:00] checking sync password PeerName [DEBUG 00:00:00] checking sync password deviceId [DEBUG 00:00:00] checking sync password remoteDeviceId [DEBUG 00:00:00] checking sync password enableWBXML [DEBUG 00:00:00] checking sync password enableRefreshSync [DEBUG 00:00:00] checking sync password maxMsgSize [DEBUG 00:00:00] checking sync password maxObjSize [DEBUG 00:00:00] checking sync password SSLServerCertificates [DEBUG 00:00:00] checking sync password SSLVerifyServer [DEBUG 00:00:00] checking sync password SSLVerifyHost [DEBUG 00:00:00] checking sync password WebURL [DEBUG 00:00:00] checking sync password IconURI [DEBUG 00:00:00] checking sync password ConsumerReady [DEBUG 00:00:00] checking sync password peerType [DEBUG 00:00:00] checking sync password HashCode [DEBUG 00:00:00] checking sync password ConfigDate [DEBUG 00:00:00] checking sync password lastNonce [DEBUG 00:00:00] checking sync password deviceData [DEBUG 00:00:00] checking sync password defaultPeer [DEBUG 00:00:00] checking sync password keyring [DEBUG 00:00:00] checking sync password webDAVCredentialsOkay [DEBUG 00:00:00] checking source cards1 password sync [DEBUG 00:00:00] checking source cards1 password uri [DEBUG 00:00:00] checking source cards1 password backend [DEBUG 00:00:00] checking source cards1 password syncFormat [DEBUG 00:00:00] checking source cards1 password forceSyncFormat [DEBUG 00:00:00] checking source cards1 password database [DEBUG 00:00:00] checking source cards1 password databaseFormat [DEBUG 00:00:00] checking source cards1 password databaseUser [DEBUG 00:00:00] checking source cards1 password databasePassword [DEBUG 00:00:00] checking source cards1 password adminData [DEBUG 00:00:00] checking source cards1 password synthesisID [DEBUG 00:00:00] sync is starting, catch signals [DEBUG 00:00:00] SuspendFlags: (re)activating, currently inactive [DEBUG 00:00:00] SuspendFlags: activating signal handler(s) with fds 7->6 [DEBUG 00:00:00] SuspendFlags: catch SIGINT [DEBUG 00:00:00] SuspendFlags: catch SIGTERM [DEBUG 00:00:00] ready to sync [DEBUG 00:00:00] using libneon neon 0.29.6: Library build, IPv6, Expat 2.0.1, zlib 1.2.5, GNU TLS 2.12.14. with SSL, ZLIB, IPV6, TS_SSL, I18N HTTP session to ${URL}:80 begins. sess: libproxy #0=direct:// [DEBUG 00:00:00] starting PROPFIND, credentials unverified, deadline in 300.0s ah_create, for WWW-Authenticate Running pre_send hooks Sending request headers: PROPFIND /muelli/cards/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: ${URL} Depth: 1 Content-Length: 141 Content-Type: application/xml Sending request-line and headers: Doing DNS lookup on ${URL}... req: Connecting to ip.ip.ip.ip:80 Sending request body: Body block (141 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getetag xmlns="DAV:"/> <resourcetype xmlns="DAV:"/> </prop></propfind> ] Request sent; retry is 0. [status-line] < HTTP/1.1 401 Authorization Required [hdr] Date: Sat, 17 Nov 2012 04:01:49 GMT Header Name: [date], Value: [Sat, 17 Nov 2012 04:01:49 GMT] [hdr] Server: Apache Header Name: [server], Value: [Apache] [hdr] WWW-Authenticate: Digest realm="calendar", nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, domain="calendar", qop="auth" Header Name: [www-authenticate], Value: [Digest realm="calendar", nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, domain="calendar", qop="auth"] [hdr] Content-Length: 480 Header Name: [content-length], Value: [480] [hdr] Keep-Alive: timeout=15, max=100 Header Name: [keep-alive], Value: [timeout=15, max=100] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/html; charset=iso-8859-1 Header Name: [content-type], Value: [text/html; charset=iso-8859-1] [hdr] End of headers. Running post_headers hooks Reading 480 bytes of response body. Got 480 bytes. Read block (480 bytes): [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>Authorization Required</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache Server at ${URL} Port 80</address> </body></html> ] Running post_send hooks ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest realm="calendar", nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, domain="calendar", qop="auth" auth: Got challenge (code 401). auth: Got 'Digest' challenge. auth: Trying Digest challenge... auth: Using domain /calendar from calendar [DEBUG 00:00:00] retry request with credentials auth: Got qop, using 2617-style. auth: H(A1) is [a372f9146dc16960158864aa6b0d93df] auth: Accepting digest challenge. auth: Accepted Digest challenge. Running pre_send hooks auth: Sending 'Digest' response. auth: '/muelli/cards/' is inside auth domain: 0. Sending request headers: PROPFIND /muelli/cards/ HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: ${URL} Depth: 1 Content-Length: 141 Content-Type: application/xml Sending request-line and headers: Sending request body: Body block (141 bytes): [<?xml version="1.0" encoding="utf-8"?> <propfind xmlns="DAV:"><prop> <getetag xmlns="DAV:"/> <resourcetype xmlns="DAV:"/> </prop></propfind> ] Request sent; retry is 1. [status-line] < HTTP/1.1 401 Authorization Required [hdr] Date: Sat, 17 Nov 2012 04:01:49 GMT Header Name: [date], Value: [Sat, 17 Nov 2012 04:01:49 GMT] [hdr] Server: Apache Header Name: [server], Value: [Apache] [hdr] WWW-Authenticate: Digest realm="calendar", nonce="P32P8ajOBAA=0d53434aa1d5d7b24efb5cfcbde6588602535984", algorithm=MD5, domain="calendar", qop="auth" Header Name: [www-authenticate], Value: [Digest realm="calendar", nonce="P32P8ajOBAA=0d53434aa1d5d7b24efb5cfcbde6588602535984", algorithm=MD5, domain="calendar", qop="auth"] [hdr] Content-Length: 480 Header Name: [content-length], Value: [480] [hdr] Keep-Alive: timeout=15, max=99 Header Name: [keep-alive], Value: [timeout=15, max=99] [hdr] Connection: Keep-Alive Header Name: [connection], Value: [Keep-Alive] [hdr] Content-Type: text/html; charset=iso-8859-1 Header Name: [content-type], Value: [text/html; charset=iso-8859-1] [hdr] End of headers. Running post_headers hooks Reading 480 bytes of response body. Got 480 bytes. Read block (480 bytes): [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Authorization Required</title> </head><body> <h1>Authorization Required</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache Server at ${URL} Port 80</address> </body></html> ] Running post_send hooks ah_post_send (#1), code is 401 (want 401), WWW-Authenticate is Digest realm="calendar", nonce="P32P8ajOBAA=0d53434aa1d5d7b24efb5cfcbde6588602535984", algorithm=MD5, domain="calendar", qop="auth" auth: Got challenge (code 401). auth: Got 'Digest' challenge. auth: Trying Digest challenge... auth: Using domain /calendar from calendar auth: No challenges accepted. Request ends, status 401 class 4xx, error line: Could not authenticate to server: rejected Digest challenge [DEBUG 00:00:00] credential error, no success with them before => report it [DEBUG 00:00:00] PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge, must not retry [DEBUG 00:00:00] credentials rejected Running destroy hooks. Request ends. [DEBUG 00:00:00] SuspendFlags: deactivating fds 7->6 [DEBUG 00:00:00] SuspendFlags: close m_receiverFD 6 [DEBUG 00:00:00] SuspendFlags: close m_senderFD 7 [DEBUG 00:00:00] SuspendFlags: done with deactivation [DEBUG 00:00:00] exception thrown at src/backends/webdav/NeonCXX.cpp:720 [ERROR 00:00:00] error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge Synchronization failed, see /home/muelli/.cache/syncevolution/target_+config@radicale-2012-11-17-05-01/syncevolution-log.html for details. Changes applied during synchronization: +---------------|-----------------------|-----------------------|-CON-+ | | LOCAL | REMOTE | FLI | | Source | NEW | MOD | DEL | ERR | NEW | MOD | DEL | ERR | CTS | +---------------+-----+-----+-----+-----+-----+-----+-----+-----+-----+ | cards1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | +---------------+-----+-----+-----+-----+-----+-----+-----+-----+-----+ | start Sat Nov 17 05:01:49 2012, duration 0:00min | | authorization failed (remote, status 401) | +---------------+-----+-----+-----+-----+-----+-----+-----+-----+-----+ First ERROR encountered: error code from SyncEvolution authorization failed (remote, status 401): PROPFIND: Neon error code 3 = NE_AUTH, HTTP status 401: Could not authenticate to server: rejected Digest challenge [DEBUG 00:00:00] removing /home/muelli/.cache/syncevolution/target_+config@radicale-2012-11-17-02-38 sess: Destroying session. Just to be very precise: If the login worked, the server would return 403 due to its configuration. But since syncevolution doesn't seem to authenticate properly, the server doesn't authenticate it. $ wget --user=user1 --password=pw1 -O- ${URL} --2012-11-17 05:04:43-- ${URL}/ Resolving Connecting ... connected. HTTP request sent, awaiting response... 401 Authorization Required Reusing existing connection. HTTP request sent, awaiting response... 403 Forbidden 2012-11-17 05:04:43 ERROR 403: Forbidden. Interestingly, it loads stuff from the build directory: [DEVELOPER 00:00:00] Scanning backend libraries in /home/muelli/git/syncevolution/src/backends//xmlrpc/.libs although I installed it. Weird. $ type -a syncevolution syncevolution is /tmp/syncevolution/bin/syncevolution syncevolution is /home/muelli/git/syncevolution/src/syncevolution syncevolution is /usr/bin/syncevolution syncevolution is /bin/syncevolution
(In reply to comment #9) > (In reply to comment #4) > > Hmm, somehow libneon doesn't include credentials in the request header here, > > despite recognizing the challenge (the "auth" output is from libneon). > > > > I'm out of ideas. Can you recompile from source with the Basic > > authentication disabled? In Neon.cpp, comment out the content of > > Session::forceAuthorization(). > > > > > > I tried. As > ./configure --enable-dav --enable-developer-mode > --prefix=/tmp/syncevolution/ > --with-synthesis-src=git://gitorious.org/libsynthesis/libsynthesis.git > > failed with: configure: error: need at least libsynthesis >= 3.4.0.16.8; the > latest libsynthesis for SyncEvolution is the one from > http://meego.gitorious.org/meego-middleware/libsynthesis That error message is incorrect. The latest source is on freedesktop.org, just like SyncEvolution itself: http://cgit.freedesktop.org/SyncEvolution/libsynthesis > but after making, ./src/syncevolution fails: [...] > $ syncevolution --daemon=no --configure --template webdav > username=user1 password=pw1 syncURL=${URL} > target-config@radicale > [ERROR] No configuration template for 'webdav' available. [...] > After having it make installed, it worked better, though. Exactly. The templates are only found at the path compiled into the binaries, or at the location specified via env variables (see end of README). They are not found in the source tree. > But with my patch: > > commit f80ff66d2ae9a93808f22fa8bb1c90170a92d68b > Author: Tobias Mueller <tobiasmue@gnome.org> > Date: Sat Nov 17 04:29:38 2012 +0100 > > unforce authorization > > diff --git a/src/backends/webdav/NeonCXX.cpp > b/src/backends/webdav/NeonCXX.cpp > index 26a6ea5..62db8dd 100644 > --- a/src/backends/webdav/NeonCXX.cpp > +++ b/src/backends/webdav/NeonCXX.cpp > @@ -316,9 +316,10 @@ int Session::getCredentials(void *userdata, const char > *realm, int attempt, ch > > void Session::forceAuthorization(const std::string &username, const > std::string &password) > { > - m_forceAuthorizationOnce = true; > +/* m_forceAuthorizationOnce = true; > m_forceUsername = username; > m_forcePassword = password; > +*/ > } > > void Session::preSendHook(ne_request *req, void *userdata, ne_buffer > *header) throw() > > > > it doesn't authenticate properly: > > > $ SYNCEVOLUTION_DEBUG=1 syncevolution --daemon=no loglevel=4 --run > target-config@radicale cards1 > [DEBUG 00:00:00] Sat 2012-11-17 04:01:49 UTC = 05:01 +0100 CET > [DEVELOPER 00:00:00] SyncML server account: user1 > [DEVELOPER 00:00:00] client: SyncEvolution > 1.3.99.1+20121117+SE+f80ff66+unclean for workstation > [DEVELOPER 00:00:00] device ID: > syncevolution-3e6db3aa-82f0-4f47-bb4f-63d0c9f7d2df > [DEVELOPER 00:00:00] > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends/ > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//activesync/.libs > [DEVELOPER 00:00:00] Loading backend library syncactivesync.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//addressbook/.libs > [DEVELOPER 00:00:00] Loading backend library syncaddressbook.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//akonadi/.libs > [DEVELOPER 00:00:00] Loading backend library syncakonadi.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//evolution/.libs > [DEVELOPER 00:00:00] Loading backend library syncebook.so > [DEVELOPER 00:00:00] Loading backend library syncecal.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//file/.libs > [DEVELOPER 00:00:00] Loading backend library syncfile.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//gnome/.libs > [DEVELOPER 00:00:00] Loading backend library platformgnome.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//kcalextended/.libs > [DEVELOPER 00:00:00] Loading backend library synckcalextended.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//kde/.libs > [DEVELOPER 00:00:00] Loading backend library platformkde.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//maemo/.libs > [DEVELOPER 00:00:00] Loading backend library syncmaemocal.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//pbap/.libs > [DEVELOPER 00:00:00] Loading backend library syncpbap.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//qtcontacts/.libs > [DEVELOPER 00:00:00] Loading backend library syncqtcontacts.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//sqlite/.libs > [DEVELOPER 00:00:00] Loading backend library syncsqlite.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//webdav/.libs > [DEVELOPER 00:00:00] Loading backend library syncdav.so > [DEVELOPER 00:00:00] Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//xmlrpc/.libs > [DEVELOPER 00:00:00] Loading backend library syncxmlrpc.so > [INFO 00:00:00] addressbook: inactive > [INFO 00:00:00] calendar: inactive > [INFO 00:00:00] calendar1: inactive > [INFO 00:00:00] memo: inactive > [INFO 00:00:00] todo: inactive > [DEBUG 00:00:00] checking sync password syncURL > [DEBUG 00:00:00] checking sync password username > [DEBUG 00:00:00] checking sync password password > [DEBUG 00:00:00] checking sync password logdir > [DEBUG 00:00:00] checking sync password loglevel > [DEBUG 00:00:00] checking sync password notifyLevel > [DEBUG 00:00:00] checking sync password printChanges > [DEBUG 00:00:00] checking sync password dumpData > [DEBUG 00:00:00] checking sync password maxlogdirs > [DEBUG 00:00:00] checking sync password autoSync > [DEBUG 00:00:00] checking sync password autoSyncInterval > [DEBUG 00:00:00] checking sync password autoSyncDelay > [DEBUG 00:00:00] checking sync password preventSlowSync > [DEBUG 00:00:00] checking sync password useProxy > [DEBUG 00:00:00] checking sync password proxyHost > [DEBUG 00:00:00] checking sync password proxyUsername > [DEBUG 00:00:00] checking sync password proxyPassword > [DEBUG 00:00:00] checking sync password clientAuthType > [DEBUG 00:00:00] checking sync password RetryDuration > [DEBUG 00:00:00] checking sync password RetryInterval > [DEBUG 00:00:00] checking sync password remoteIdentifier > [DEBUG 00:00:00] checking sync password PeerIsClient > [DEBUG 00:00:00] checking sync password SyncMLVersion > [DEBUG 00:00:00] checking sync password PeerName > [DEBUG 00:00:00] checking sync password deviceId > [DEBUG 00:00:00] checking sync password remoteDeviceId > [DEBUG 00:00:00] checking sync password enableWBXML > [DEBUG 00:00:00] checking sync password enableRefreshSync > [DEBUG 00:00:00] checking sync password maxMsgSize > [DEBUG 00:00:00] checking sync password maxObjSize > [DEBUG 00:00:00] checking sync password SSLServerCertificates > [DEBUG 00:00:00] checking sync password SSLVerifyServer > [DEBUG 00:00:00] checking sync password SSLVerifyHost > [DEBUG 00:00:00] checking sync password WebURL > [DEBUG 00:00:00] checking sync password IconURI > [DEBUG 00:00:00] checking sync password ConsumerReady > [DEBUG 00:00:00] checking sync password peerType > [DEBUG 00:00:00] checking sync password HashCode > [DEBUG 00:00:00] checking sync password ConfigDate > [DEBUG 00:00:00] checking sync password lastNonce > [DEBUG 00:00:00] checking sync password deviceData > [DEBUG 00:00:00] checking sync password defaultPeer > [DEBUG 00:00:00] checking sync password keyring > [DEBUG 00:00:00] checking sync password webDAVCredentialsOkay > [DEBUG 00:00:00] checking source cards1 password sync > [DEBUG 00:00:00] checking source cards1 password uri > [DEBUG 00:00:00] checking source cards1 password backend > [DEBUG 00:00:00] checking source cards1 password syncFormat > [DEBUG 00:00:00] checking source cards1 password forceSyncFormat > [DEBUG 00:00:00] checking source cards1 password database > [DEBUG 00:00:00] checking source cards1 password databaseFormat > [DEBUG 00:00:00] checking source cards1 password databaseUser > [DEBUG 00:00:00] checking source cards1 password databasePassword > [DEBUG 00:00:00] checking source cards1 password adminData > [DEBUG 00:00:00] checking source cards1 password synthesisID > [DEBUG 00:00:00] sync is starting, catch signals > [DEBUG 00:00:00] SuspendFlags: (re)activating, currently inactive > [DEBUG 00:00:00] SuspendFlags: activating signal handler(s) with fds 7->6 > [DEBUG 00:00:00] SuspendFlags: catch SIGINT > [DEBUG 00:00:00] SuspendFlags: catch SIGTERM > [DEBUG 00:00:00] ready to sync > [DEBUG 00:00:00] using libneon neon 0.29.6: Library build, IPv6, Expat > 2.0.1, zlib 1.2.5, GNU TLS 2.12.14. with SSL, ZLIB, IPV6, TS_SSL, I18N > HTTP session to ${URL}:80 begins. > sess: libproxy #0=direct:// > [DEBUG 00:00:00] starting PROPFIND, credentials unverified, deadline in > 300.0s > ah_create, for WWW-Authenticate > Running pre_send hooks > Sending request headers: > PROPFIND /muelli/cards/ HTTP/1.1 > Keep-Alive: > Connection: TE, Keep-Alive > TE: trailers > Host: ${URL} > Depth: 1 > Content-Length: 141 > Content-Type: application/xml > > Sending request-line and headers: > Doing DNS lookup on ${URL}... > req: Connecting to ip.ip.ip.ip:80 > Sending request body: > Body block (141 bytes): > [<?xml version="1.0" encoding="utf-8"?> > <propfind xmlns="DAV:"><prop> > <getetag xmlns="DAV:"/> > <resourcetype xmlns="DAV:"/> > </prop></propfind> > ] > Request sent; retry is 0. > [status-line] < HTTP/1.1 401 Authorization Required > [hdr] Date: Sat, 17 Nov 2012 04:01:49 GMT > Header Name: [date], Value: [Sat, 17 Nov 2012 04:01:49 GMT] > [hdr] Server: Apache > Header Name: [server], Value: [Apache] > [hdr] WWW-Authenticate: Digest realm="calendar", > nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, > domain="calendar", qop="auth" > Header Name: [www-authenticate], Value: [Digest realm="calendar", > nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, > domain="calendar", qop="auth"] > [hdr] Content-Length: 480 > Header Name: [content-length], Value: [480] > [hdr] Keep-Alive: timeout=15, max=100 > Header Name: [keep-alive], Value: [timeout=15, max=100] > [hdr] Connection: Keep-Alive > Header Name: [connection], Value: [Keep-Alive] > [hdr] Content-Type: text/html; charset=iso-8859-1 > Header Name: [content-type], Value: [text/html; charset=iso-8859-1] > [hdr] > End of headers. > Running post_headers hooks > Reading 480 bytes of response body. > Got 480 bytes. > Read block (480 bytes): > [<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > <html><head> > <title>401 Authorization Required</title> > </head><body> > <h1>Authorization Required</h1> > <p>This server could not verify that you > are authorized to access the document > requested. Either you supplied the wrong > credentials (e.g., bad password), or your > browser doesn't understand how to supply > the credentials required.</p> > <hr> > <address>Apache Server at ${URL} Port 80</address> > </body></html> > ] > Running post_send hooks > ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest > realm="calendar", > nonce="1gOP8ajOBAA=1381417d1268db9f4ed8963b0e66cc58bf3f845e", algorithm=MD5, > domain="calendar", qop="auth" > auth: Got challenge (code 401). > auth: Got 'Digest' challenge. > auth: Trying Digest challenge... > auth: Using domain /calendar from calendar > [DEBUG 00:00:00] retry request with credentials > auth: Got qop, using 2617-style. > auth: H(A1) is [a372f9146dc16960158864aa6b0d93df] > auth: Accepting digest challenge. > auth: Accepted Digest challenge. > Running pre_send hooks > auth: Sending 'Digest' response. > auth: '/muelli/cards/' is inside auth domain: 0. > Sending request headers: > PROPFIND /muelli/cards/ HTTP/1.1 > Keep-Alive: > Connection: TE, Keep-Alive > TE: trailers > Host: ${URL} > Depth: 1 > Content-Length: 141 > Content-Type: application/xml Still no Authorization with method Digest. I wonder whether libneon using gnutls supports that. Can you compile again with libneon for openssl? For example, Debian lets you choose, install libneon27-gnutls-dev for gnutls and libneon27-dev for openssl. > Interestingly, it loads stuff from the build directory: [DEVELOPER 00:00:00] > Scanning backend libraries in > /home/muelli/git/syncevolution/src/backends//xmlrpc/.libs > although I installed it. Weird. > $ type -a syncevolution > syncevolution is /tmp/syncevolution/bin/syncevolution > syncevolution is /home/muelli/git/syncevolution/src/syncevolution > syncevolution is /usr/bin/syncevolution > syncevolution is /bin/syncevolution Hmm, the search for backends might be different from the loading of other files. I agree, it should better be consistent.
Okay. I found the problem. It's me. All is my fault. The "domain" key in the response header is wrongly used by me. neon is very correct about its semantics. The log said: "auth: Using domain /calendar from calendar". neon doesn't like that (cf http://svn.webdav.org/repos/projects/neon/trunk/src/ne_auth.c): /* Do not submit credentials if an auth domain is defined and this * request-uri fails outside it. */ if (sess->ndomains && !inside_domain(sess, req->uri)) { return NULL; } where sess->domains was filled with the values of the "domain" key in the response header. Neon didn't say that it was stopping the authentication because of that domain though... Interestingly, wget, curl, firefox, probably every HTTP client I tried, weren't as strict as neon. I think neon is right though after having read http://www.ietf.org/rfc/rfc2617.txt more closely especially on those weird values that nobody uses anyway ;-) The other clients are also right, because the RFC reads, they "can" respect that value. I don't know how I managed to configure Apache to send that key. Again: My bad. Next beer is on me.
(In reply to comment #11) > Okay. I found the problem. It's me. All is my fault. > The "domain" key in the response header is wrongly used by me. neon is very > correct about its semantics. [...] > I don't know how I managed to configure Apache to send that key. Again: My > bad. Next beer is on me. Good that you found the explanation. I'll happily accept that beer, should we ever meet ;-) I've filed a separate feature request (bug?) for the "Basic Auth over http": bug #57248. Is that something that you would expect in a 1.3.x maintenance release?
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.