Duplicati and Windows Server 2012

I have confirmed with wireshark that it’s a TLS handshake issue. IE11 also has the same issue when you try to go to https://nas-ip:webdavs-port. Chrome doesn’t have a problem going to that URL.

IE11 can definitely do TLS 1.2, as can Duplicati. So it’s some interaction with Synology specifically.

I’ll dig deeper…


I don’t have words for telling you how much I’m appreciating your help.
Thanks so much!

Let me know if you need something.

Ok, the issue seems to be with Synology WebDAV only. The regular TLS web interface works from IE11 on Server 2012.

I logged in to the NAS (ssh) and could see there is a separate http service for WebDAV. After some hunting I found its TLS configuration here:

/usr/syno/etc/security-profile/tls-profile/config/synowebdavserver_httpd.conf

In that file you can see the allowed ciphers:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305

When I used Wireshark I was able to capture a list of ciphers that Duplicati offers to the WebDAV server upon connection:

[Image "tls-a": Wireshark capture of the cipher suites offered by Duplicati in its ClientHello]

The two highlighted ones are in common so I don’t know why the server disallows the negotiation…

Ok, the reason they cannot negotiate is because the certificate you are using on the NAS is probably an RSA cert, not an ECDSA certificate. The one I use is the self-signed Synology cert and it is RSA only.

So your option is either to use the weaker security mode for WebDAV, or possibly hand-modify the conf file mentioned above to add an RSA cipher. You could do that without enabling TLS 1.0 or 1.1. But I don’t know if you should modify it manually like that. Synology advises against making manual changes to any of its config files.

Or maybe you can generate an ECDSA cert for use with the WebDAV service specifically.

If you have 2012 R2 and not original 2012, and you are feeling brave, this person claims to have a workaround:

I tried it with the original 2012 (non-R2) but it did not work.

Unluckily I just have original 2012.
My certificate, a wildcard one, is RSA 2048.
Let me know if you find out something.
Thanks!

Well I think the investigation is complete and you have a few options as I mentioned above.

  1. On the NAS set WebDAV security to “old backward compatibility”. In my opinion not a big deal if WebDAV isn’t exposed to the public internet.
  2. Get an ECDSA certificate and use it for the WebDAV service. You could test this for free by generating a self-signed certificate to see if it works.
  3. Manually edit the config file on the NAS (but Synology doesn’t recommend you do this).
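To make the diagnosis in this thread concrete, here is an added Python model of the cipher-suite selection (it is not Duplicati's or Synology's code). The server list is copied from the synowebdavserver_httpd.conf excerpt above; the client list is a constructed stand-in for the captured ClientHello, since the capture is only shown as an image, and assumes a Server 2012-era Schannel client that offers ECDSA GCM suites but only CBC suites for RSA.

```python
"""Model why the Synology WebDAV handshake fails even though client and server
share cipher suites: the shared suites need an ECDSA certificate, but the NAS
certificate is RSA. Added example, not Duplicati or Synology code."""

# Cipher list from the thread's synowebdavserver_httpd.conf excerpt.
SERVER_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

# Constructed stand-in for the captured ClientHello (assumption: a Server 2012
# Schannel client that offers ECDSA GCM suites but only CBC suites for RSA).
CLIENT_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
]


def auth_type(suite):
    """Key type the server certificate must have for this suite (OpenSSL names)."""
    parts = suite.split("-")
    if parts[0] in ("ECDHE", "DHE"):
        return parts[1]  # ECDSA or RSA signs the ephemeral key exchange
    return "RSA"  # static RSA key exchange also needs an RSA certificate


def negotiate(server, client, cert_key):
    """Return (shared suites in server order, first suite usable with cert_key).

    Mirrors the thread's finding: the intersection is non-empty, yet no suite
    is usable when the certificate installed on the NAS is RSA."""
    shared = [s for s in server if s in client]
    usable = [s for s in shared if auth_type(s) == cert_key]
    return shared, (usable[0] if usable else None)


if __name__ == "__main__":
    shared, chosen = negotiate(SERVER_SUITES, CLIENT_SUITES, "RSA")
    print("shared suites:", shared)
    print("negotiated with RSA cert:", chosen)
    print("negotiated with ECDSA cert:",
          negotiate(SERVER_SUITES, CLIENT_SUITES, "ECDSA")[1])
```

Appending an ECDHE-RSA CBC suite to the server list (option 3) or switching to an ECDSA certificate (option 2) both make `negotiate` return a suite.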