Error while connecting to WEBDAV server

Help
Hbroll
2014-07-11
2015-05-02
  • Hbroll

    Hbroll - 2014-07-11

    Hi everyone,

    whenever I'm trying to open my password store via WEBDAV (https://server:443/data/file.kdbx) I get the following error (KeePass v2.27):

    "The underlying connection was closed: An unexpected error occurred on a send.
    Received an unexpected EOF or 0 bytes from the transport stream."

    Since it has been working in the past I'm not sure what's causing this error. I'm using a Synology NAS (DSM 5.0-4493 Update 2).

    Is there any way I can get additional details / logging from the program?

    Many thanks!
    Nick

     
  • Paul

    Paul - 2014-07-12

    This may not be valid but the URL you posted isn't correct. It should read https://server/data/file.kdbx. Assuming this isn't the problem are you able to read the file via Windows Explorer or Internet Explorer? It's also worth trying non-https, http://server/data/file.kdbx

    cheers, Paul

     
  • Hbroll

    Hbroll - 2014-07-17

    Hi Paul,

    thanks for your feedback. Actually the URL should be fine. I'm using it also in order to synchronize my password store with the Keepass2Android application - which works just fine.

    It definitely is a HTTPS connection so HTTP is not working. Also removing the port-number does not change anything.

    Cheers,
    Nick

     
    Last edit: Hbroll 2014-07-17
  • Paul

    Paul - 2014-07-18

    Can you open the URL from Windows Explorer on the PC where KeePass fails?

    cheers, Paul

     
  • Hbroll

    Hbroll - 2014-07-20

    Hi Paul,

    When I paste the URL into the Explorer it opens Firefox. After entering username/password I can download the file. The new beta of WinSCP (5.6) is also working fine with WebDAV.

    I was thinking that maybe KeePass is having problems with the proxy server that is used (it's a corporate network; configured via PAC file). The configuration is set to "Use system proxy settings". Manually configuring the respective proxy settings in KeePass also fails.

    Best regards,
    Nick

     
  • Paul

    Paul - 2014-07-20

    Without server / firewall logs it's hard to determine, but corporate firewalls are notoriously tricky to configure with non-standard apps.

    cheers, Paul

     
  • qm2105

    qm2105 - 2015-04-15

    Got the same problem here. Tried to debug, but it doesn't show anything useful. Did a little research on the problem and it seems to be related to SSLv3 and weak encryption support. After some DSM update its support was disabled by Synology. I can successfully mount this WebDAV drive in Windows, or access it with any browser, but KeePass just returns this error (described by the topic starter).
    Here is a bit of log from http server on NAS:

    [15/Apr/2015:10:06:48] 10.10.243.254 - - "-" -
    [15/Apr/2015:10:06:59] 10.10.243.254 - - "-" -
    [15/Apr/2015:10:07:57] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee/desktop.ini HTTP/1.1" 218
    [15/Apr/2015:10:07:57] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee HTTP/1.1" 1568
    [15/Apr/2015:10:07:57] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee/folder.jpg HTTP/1.1" 217
    [15/Apr/2015:10:07:58] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee/folder.gif HTTP/1.1" 217
    [15/Apr/2015:10:07:58] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee HTTP/1.1" 1568
    [15/Apr/2015:10:07:58] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee/Thumbs.db HTTP/1.1" 216
    [15/Apr/2015:10:07:59] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "UNLOCK /misc/Thumbs.db HTTP/1.1" -
    [15/Apr/2015:10:08:28] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND / HTTP/1.1" 7595
    [15/Apr/2015:10:08:28] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "GET /home/kee/kee.kdbx HTTP/1.1" -

    The first two lines appeared after I tried to connect with the KeePass URL.
    Then TLSv1 lines are the result of copying the same file using mounted net drive in windows explorer of the same PC.

    Which protocol and cipher does keepass use to access webdav shares?

     
  • qm2105

    qm2105 - 2015-04-15

    There is lots of information when you google "Received an unexpected EOF or 0 bytes from the transport stream" regarding SSL and .NET

     
  • Paul

    Paul - 2015-04-15

    Have you tried V2.29? It has improved proxy behaviour.

    KeePass uses .NET for HTTP access so it may be a .NET problem rather than KeePass.
    More detail / logs are always useful in testing.

    cheers, Paul

     
  • qm2105

    qm2105 - 2015-04-16

    Yes, I'm using v2.29. It's not related to the proxy. My PC and Synology box are in one subnet and I'm using a direct connection for testing. I have enabled all possible logs in the httpd configs, but the only stuff I get is some empty lines in the SSL logs (posted in the comment above) and it looks like the server and the client (KeePass) can't negotiate their encryption capabilities.
    Server is Apache 2.2.29. Here is the part of httpd webdav configuration related to SSL:

    <IfDefine SSL>
        LoadModule ssl_module modules/mod_ssl.so
        Include conf/extra/httpd-ssl.conf-webdav
    </IfDefine>
    

    DS> cat httpd-ssl.conf-webdav

    #Listen 5006
    
    Include conf/extra/httpd-ssl.conf-common
    
    <VirtualHost *:5006>
        SSLEngine on
    
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
    
        BrowserMatch ".*MSIE [2-5]\..*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        CustomLog /var/log/httpd/webdav-debug-ssl "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    

    DS> cat httpd-ssl.conf-common

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    
    SSLPassPhraseDialog  builtin
    
    SSLSessionCache         "shmcb:/run/httpd/ssl_scache(512000)"
    SSLSessionCacheTimeout  300
    
    SSLMutex "file:/run/httpd/ssl_mutex"
    
    Include conf/extra/httpd-ssl.conf-cipher
    

    DS> cat httpd-ssl.conf-cipher

    AddType application/x-x509-ca-cert  .crt
    AddType application/x-pkcs7-crl     .crl
    
    SSLCipherSuite HIGH:!EXPORT:!eNULL:!aNULL:!DES:!RC4:!RC2:!MD5:!IDEA:!SEED:!CAMELLIA:!AESGCM:+AES128:+AES256:+3DES:+kEECDH:+kRSA:!EDH:!aECDH:!aECDSA:!kECDHe:!SRP:!PSK
    SSLHonorCipherOrder on
    SSLProtocol all -SSLv2 -SSLv3
    
    SSLCertificateFile      "/usr/syno/etc/ssl/ssl.crt/server.crt"
    SSLCertificateKeyFile   "/usr/syno/etc/ssl/ssl.key/server.key"
    
    #SSLCertificateChainFile "/usr/syno/etc/ssl/ssl.intercrt/server-ca.crt"
    
    #SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
    #SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
    
    #SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
    #SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
    

    I tried to enable all protocols and ciphers in config above, but it didn't help. Maybe I did it wrong or missed something.

    This log returns empty protocol and cipher fields for the KeePass connection:

        CustomLog /var/log/httpd/webdav-debug-ssl "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    

    As I said, other webdav clients work without any issues and return something like this:
    [15/Apr/2015:10:07:58] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee/folder.gif HTTP/1.1" 217

    By the way, does KeePass decide which protocol to use or is it some default .NET setting, depending on the installed version? Got .NET 3.5.1 on my PC.
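
Added example (not part of the original thread and not any poster's code): a small Python parser for the `CustomLog` format shown in the post above, separating connections logged without protocol, cipher or request (the pattern of the two KeePass attempts) from connections that negotiated TLS. The function names are hypothetical; the sample lines are copied from the log excerpt in the thread.

```python
import re
from collections import Counter

# Field layout of the thread's CustomLog directive:
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)'
    r'\s+"(?P<request>(?:[^"\\]|\\.)*)"\s+(?P<size>\S+)$'
)

# Lines copied from the log excerpt posted in the thread.
SAMPLE_LOG = r'''
[15/Apr/2015:10:06:48] 10.10.243.254 - - "-" -
[15/Apr/2015:10:06:59] 10.10.243.254 - - "-" -
[15/Apr/2015:10:07:57] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "PROPFIND /home/kee HTTP/1.1" 1568
[15/Apr/2015:10:07:59] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "UNLOCK /misc/Thumbs.db HTTP/1.1" -
[15/Apr/2015:10:08:28] 10.10.243.254 TLSv1 ECDHE-RSA-AES128-SHA "GET /home/kee/kee.kdbx HTTP/1.1" -
'''

def parse_line(line):
    """Return a dict of fields, with Apache's "-" placeholder mapped to None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {k: (None if v == "-" else v) for k, v in m.groupdict().items()}

def summarize(log_text):
    """Split entries into connections with no TLS session or request, and negotiated ones."""
    no_session, negotiated, unparsed = [], Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["proto"] is None and rec["cipher"] is None and rec["request"] is None:
            # No protocol, no cipher, no request line: closed before any request arrived.
            no_session.append((rec["time"], rec["host"]))
        else:
            # A "-" in %b alone (the UNLOCK and GET lines) only means no body bytes sent.
            negotiated[(rec["host"], rec["proto"], rec["cipher"])] += 1
    return no_session, negotiated, unparsed

if __name__ == "__main__":
    no_session, negotiated, unparsed = summarize(SAMPLE_LOG)
    for when, host in no_session:
        print(f"{when} {host}: connection logged without protocol, cipher or request")
    for (host, proto, cipher), n in negotiated.items():
        print(f"{host}: {n} request(s) over {proto} {cipher}")
```
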

     
  • qm2105

    qm2105 - 2015-04-16

    So, finally got it working on Windows 10 PC with .NET Framework 4.6. I'll try to install it on my other machine..

     
  • Anonymous

    Anonymous - 2015-04-20

    If I use a cipher suite with PFS on my lighttpd server, I also get error messages in KeePass 2.29. If I use a less strong cipher suite, I can connect. Were you able to solve the problem by installing a newer .NET Framework, or did you change something in your cipher suite?

    BTW: Which cipher suites are supported in KeePass?

     
  • Paul

    Paul - 2015-05-02

    KeePass doesn't support cipher suites, it just uses the .NET transport services. It does check SSL certificates and has an option to accept invalid certificates.

    cheers, Paul

     
  • Anonymous

    Anonymous - 2015-05-02

    Many Thx, Paul. Do you know which Cipher Suites are supported by .NET?

     
  • Paul

    Paul - 2015-05-02

    Nope.

    cheers, Paul

     
