since some days, I’m seeing that I cannot connect Duplicati using webdav because I get an error about the connection SSL/TLS.
I’m experiencing it on servers with Windows Server 2012 installed (and I’ve seen the same on a computer with Windows 8), while a computer with Windows 10, is working fine.
Is it something related to the old versions of the OS?
Thanks in advance.
I don’t get any error about the certificate, I’ve got a certificate issued by a certificare authority.
I just get this error on the browser
Not Found
The requested URL / was not found on this server.
I was trying to connect via WebDAV to a Synology NAS.
I’ve seen that on the NAS the WebDAV Server app has been updated few days ago, it can be the problem, maybe they have increased something about SSL/TLS connections.
Is your Synology running DSM 7.x? If so can you check Control Panel → Security → Advanced → TLS/SSL Profile level? What is it set to?
On DSM 6.x I used to have it set to the most strict, but I noticed on DSM 7.x that causes WebDAV to fail with Duplicati. I didn’t really dig too deep, but my guess is because it forced TLS 1.3 and mono has issues with it.
So for DSM 7.x you might need to set that to “Intermediate Compatibility”
I’m not 100% convinced about upgrading to version 7.x, so I’m still on the latest 6.x version.
I’ve set MODERN COMPATIBILITY and it’s working with WebDAV Server 2.2, but I had to get back to that version for making it works.
If I will upgrade it to 2.4.2, it will stop working.
Have you got any other suggestion?
Thanks so much!
Hey @drwtsn32!
I’ve tried with a DSM 7 and latest version of WebDAV server; it’s not working even with intermediate compatibility.
I made it work with “obsolete version compatibility” on my DSM 7 and with “accept-any-ssl-certificate” option on Duplicati.
FWIW after web searching didn’t help, I found Synology documents them for DSM 7 but not 6.2.
It looks like you have to ask for “Modern” before TLS 1.3 is required (don’t ask for that on mono).
If that meant “Old backward compatibility” then it drops TLS 1.2 need, and maybe that’s enough.
Getting TLS 1.2 was a problem for Windows 7 and older versions of mono. Recent ones are fine.
Occasionally allowed-ssl-versions used to be used, but that’s subject to what OS/mono supports.
Sorry, I didn’t get a chance and then I forgot about it! Can you confirm which Windows 2012 you are using: original release or R2? What service pack level?
I got it to work by going to the Control Panel on the NAS, Security section, Advanced, and setting custom setting for WebDAV to “Old backward compatibility”:
Then Duplicati connection test worked. (I did check the option to accept any SSL cert, but you should be able to set it to accept a specific SSL hash, or not set this at all if you’re using a public CA.)
If your NAS only exposes WebDAV to your trusted internal network then I personally don’t think it’s a big deal but you may have a different security tolerance.
I would not expose WebDAV to the internet with this setting. TLS 1.0 and 1.1 are considered security risks.
I’m not really sure why Duplicati isn’t using TLS 1.2 in this situation. I will try digging deeper into that. If we can solve it then you can put the DSM security back to intermediate security.
Thanks for all your help!
I had tried the same, I didn’t managed to make it.
I know that Windows Server 2012 is old, but I still have clients with that.
Same problem with Windows 7
One option may be to not use TLS at all. You could use a protocol like SFTP. Would require reconfiguring the NAS a bit, not sure if it’s worth it to you.
But yeah it is a mystery why Server 2012 can’t talk to Synology properly using TLS 1.2. Maybe they can’t agree on a cipher.