https://bugs.freedesktop.org/show_bug.cgi?id=56240
--- Comment #4 from Patrick Ohly <[email protected]> ---
(In reply to comment #3)
> I just made Apache enforce digest auth, i.e.
> http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html
>
> Sending Basic Auth proactively is not very nice, because you blow the
> password in plain text into the Internet. And in fact I tried setting up
> Digest Auth primarily to prevent my credentials being posted as plaintext.

The rationale was that no-one would ever use WebDAV over an unencrypted
channel, because otherwise the equally sensitive private data would be
visible to eavesdroppers.

Do you use https? Sending the credentials in advance could (should?!) be
limited to https.

> >- The server sends a permanent error, instead of
> > asking for some other way of authentication.
> hm. The logs indicate the server returning a 401 Authorization needed along
> with a WWW-Authenticate header, as opposed to a 403.
>
> So if I read the logs correctly and got the semantics of HTTP right, then I
> think your hypothesis is wrong.

You are right.

> Running post_send hooks
> ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Digest
> realm="calendar",
> nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", algorithm=MD5,
> domain="calendar", qop="auth"
> auth: Got challenge (code 401).
> auth: Got 'Digest' challenge.
> auth: Trying Digest challenge...
> auth: Using domain /calendar from calendar
> auth: Got qop, using 2617-style.
> auth: H(A1) is [106348b5f532106259673842cc2920e5]
> auth: Accepting digest challenge.
> auth: Accepted Digest challenge.
> Running pre_send hooks
> [DEBUG @radicale-cb 00:00:01] retry request with credentials
> auth: '/muelli/test/' is inside auth domain: 0.
> Sending request headers:
> PROPFIND /muelli/test/ HTTP/1.1
> Keep-Alive:
> Connection: TE, Keep-Alive
> TE: trailers
> Host: ${URL}
> Depth: 0
> Content-Length: 137
> Content-Type: application/xml

Hmm, somehow libneon doesn't include credentials in the request header
here, despite recognizing the challenge (the "auth" output is from
libneon). I'm out of ideas.

Can you recompile from source with the Basic authentication disabled? In
Neon.cpp, comment out the content of Session::forceAuthorization().

In the meantime I'll try to reproduce this with my own setup of
Apache+DAViCal.

> Funnily enough, I can't grep for my password in ~/.config/syncevolution.
> Although I set things up like:
> syncevolution --configure --template webdav username=user2 password=pw2
> syncURL=http://foo/muelli/test/ target-radicale@cb

It was stored in a more secure keyring. See the "keyring" property for an
explanation.
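An added example, not part of the original message and not libneon's code: a simplified model of the RFC 2617 "domain" (protection space) check and the qop=auth digest computation, applied to the challenge from the log above. It assumes a bare domain entry such as "calendar" is read as "/calendar", as the log line "Using domain /calendar from calendar" suggests, and it ignores the host part of absolute entries; the cnonce is a constructed value and all function names are hypothetical.

```python
import hashlib
import re
from urllib.parse import urlsplit

def parse_challenge(header):
    """Split a 'Digest k="v", k=v' WWW-Authenticate value into (scheme, dict)."""
    scheme, _, params = header.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return scheme, {k: quoted or bare for k, quoted, bare in pairs}

def in_protection_space(path, domain):
    """RFC 2617 3.2.1: a URI is covered when a domain entry is a prefix of it.
    A missing or empty domain covers every URI on the server."""
    if not domain:
        return True
    for entry in domain.split():
        prefix = urlsplit(entry).path or "/"
        if not prefix.startswith("/"):
            prefix = "/" + prefix  # assumption: 'calendar' means '/calendar'
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def authorization_for(challenge, user, ha1, method, uri, cnonce, nc="00000001"):
    """Build the Authorization value, or None if the URI is outside the domain."""
    scheme, p = parse_challenge(challenge)
    if scheme != "Digest" or not in_protection_space(uri, p.get("domain")):
        return None
    resp = digest_response(ha1, method, uri, p["nonce"], nc, cnonce, p["qop"])
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop={p["qop"]}, nc={nc}, cnonce="{cnonce}", response="{resp}"')

# Challenge and H(A1) copied from the log in the message; cnonce is constructed.
CHALLENGE = ('Digest realm="calendar", '
             'nonce="R6kEupfMBAA=e21fd306a0efcdd6e95638d5430255be819eaa95", '
             'algorithm=MD5, domain="calendar", qop="auth"')
HA1 = "106348b5f532106259673842cc2920e5"

if __name__ == "__main__":
    for uri in ("/muelli/test/", "/calendar/x/"):
        print(uri, "->", authorization_for(CHALLENGE, "user2", HA1, "PROPFIND", uri, "0a4f113b"))
```

Under these assumptions the request path /muelli/test/ falls outside the advertised domain, so the function returns no Authorization value for it, while a path below /calendar gets a Digest header.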
