Announcement

Collapse
No announcement yet.

WEBDAV no longer working on a site where it used to. Possible SSL issue in BC?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • WEBDAV no longer working on a site where it used to. Possible SSL issue in BC?

    I perform sync to a server at the URL https://dms.wi-sun.org/htcomnet/hcwebdav
    This has been working fine until one of the updates to BC in the last month or so.
    WEBDAV access to this server still works using the Windows 7 "Map Network Drive / Connect to a web site" mechanism so I believe the issue is with BC and not the server.

    When attempting to connect, BC4 immediately displays the "Folder not available" error.
    The log shows "1/14/2015 7:26:17 AM Unable to load https://dms.wi-sun.org/htcomnet/hcwebdav/: Connection lost (error code is 100353)"

    A wireshark trace of the connection attempt shows the remote server immediately closes the connection after BC4 sends the SSL Client Hello.

    BC4-captuer-ssl.png



    Here is a wireshark capture of Windows (successfully) accessing the WEBDAV server from the mapped drive:
    MSFT-webdav-Capture.PNG

  • #2
    Here is a detailed view of the Client Hello from BC4 that fails
    BC SSL Client Hello Fails Capture.PNG

    Here is a detailed view of the Client Hello from Windows that works:
    Windows SSL Client Hello Success Capture.PNG

    The main differences are BC is sending SSL 3.0, and then TLS 1.2.
    Windows is sending TLS 1.0 and then TLS 1.0. It appears the server then changes the cipher spec in the Server Hello.

    Update: The server administrator says that SSL 3.0 is vulnerable to Poodle. Can BC4 be configured to connect WEBDAV with TLS?
    Last edited by timg11; 14-Jan-2015, 12:43 PM.

    Comment


    • #3
      Hello,

      Thanks for the additional details. I'll add these notes to our tracker entry on the subject and we'll look into this.
      Aaron P Scooter Software

      Comment


      • #4
        Aaron, So there is no workaround currently? If it is true that BC only supports secure WEBDAV using a protocol that has been deprecated due to a security vulnerability, that means developing and releasing a fix will be a very high priority, right?

        Comment


        • #5
          It is. We're currently working on majorly upgrading this support, but it's been a large project and we had been hoping to contain it to a larger (4.1) release due to the potential changes in behavior. It looks like we might not be able to wait that long however, so we're evaluating what it would take to get this into a more immediate bug fix release (4.0.x).
          Aaron P Scooter Software

          Comment


          • #6
            It would be really great to have this fixed soon.

            Comment


            • #7
              I just installed 4.0.5, build 19480, released Jan. 27, 2015 .

              I'm still getting the same error message as above. Was this build supposed to fix this issue with WEBDAV and SSL3? I haven't tried the wireshark capture, but I think you (Scooter) can also do it from your side. You don't need a valid login on the site since the server closes the connection before it gets to authentication.

              Comment


              • #8
                Thanks, and yes, that's what one of our developers is working on. The example link from your email will remain active and we can test against it for a bit, correct?
                Aaron P Scooter Software

                Comment


                • #9
                  Any progress on fixing this in 4.0.6?

                  Comment


                  • #10
                    Yes, we have a fix in 4.0.6 that should get this working.
                    Aaron P Scooter Software

                    Comment


                    • #11
                      Any projected date for beta testing 4.0.6?

                      Comment


                      • #12
                        Hello,

                        We do not have a set date, but we are currently in testing.
                        Aaron P Scooter Software

                        Comment


                        • #13
                          timg11,

                          We released Beyond Compare 4.0.6 today with a fix for the WebDAV SSL issue, please let us know if the new version doesn't resolve your problem.
                          Chris K Scooter Software

                          Comment


                          • #14
                            Yes, 4.06 fixes the WEBDAV SSL issue, thanks!

                            Comment

                            Working...
                            X