Duplicati WebDAV with TLS 1.3?

Dear all,

my setup is planned like this:

  • Duplicati shall back up to a WebDAV server with TLS 1.3 encryption
  • Version: 2.0.6.104_canary_2022-06-15
  • WebDAV SSL Server is Synology’s WebDAV Server package
  • Synology’s SSL security setting is set to “Modern compatibility”
    → Forced to TLS Version 1.3

When I try with this setup “test connect” I get:
Failed to connect: Error: SecureChannelFailure (Authentication failed, see inner exception.)

It is only working when I reduce my Synology setting to “intermediate compatibility”, which allows TLS 1.2 and TLS 1.3. But for other reasons, I don’t want to use this setting in Synology.

Does anybody have an idea to get it working with Synology’s “modern compatibility”? Thank you!

Welcome to the forum @pipsen

Duplicati TLS support is provided by the mono that is installed that it runs under, but I don’t think that can provide TLS 1.3. It got its TLS 1.2 in 2017 in version 4.8.0 by use of Google’s BoringSSL OpenSSL fork.
Update BoringSSL fork #8004 is their open issue to update their code version, but it might never happen because Microsoft bought them and has been trying to move their capabilities (plus others’) into .NET 5.

You can try fiddling with these Duplicati flags, but I doubt you can get to TLS 1.3 if mono won’t support it:

  --allowed-ssl-versions (Flags): Sets allowed SSL versions
    This option changes the default SSL versions allowed. This is an advanced
    option and should only be used if you want to enhance security or work
    around an issue with a particular SSL protocol.
    * values: Ssl3, Tls, Tls11, Tls12, SystemDefault, Tls13
    * default value: SystemDefault

Rclone storage type in Duplicati can probably do WebDAV on TLS 1.3. I think Go’s library supports 1.3.
There may be performance and functionality losses from taking the path of using rclone to handle files.

So it’s kind of an issue about Synology bundling things together to your dislike? Might they take input? Possibly some Synology forum could suggest other ideas, maybe a different WebDAV server or proxy.

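One way to confirm the version mismatch discussed in this thread before changing either side, as an added example that is not part of the original posts or of Duplicati: it pins a client handshake to one TLS version at a time to see which ones the server accepts. The host and port are command-line arguments, the function names are hypothetical, and the client's supported set (`{"TLS 1.2"}`) is an assumption taken from the reply's statement about mono.

```python
import socket
import ssl
import sys

# Only the two versions the thread is about; older ones are left out on purpose.
VERSIONS = {"TLS 1.2": ssl.TLSVersion.TLSv1_2, "TLS 1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    # Probe only: no credentials or data are sent, so the certificate is not
    # validated here. Do not copy these two lines into a real client.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # covers ssl.SSLError, refused connections and timeouts
        return False


def probe_all(host, port):
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}


def diagnose(server_accepts, client_supports):
    """Compare what the server accepts with what the backup client can speak."""
    offered = {v for v, ok in server_accepts.items() if ok}
    if not offered:
        return "server unreachable or no probed version accepted"
    common = offered & set(client_supports)
    if not common:
        return "no common version: server accepts %s, client supports %s" % (
            sorted(offered), sorted(client_supports))
    return "handshake possible with " + max(common)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        accepted = probe_all(sys.argv[1], int(sys.argv[2]))
    else:
        # Constructed result: a server forced to TLS 1.3 only.
        accepted = {"TLS 1.2": False, "TLS 1.3": True}
    print(accepted)
    # Assumption from the reply above: the installed mono tops out at TLS 1.2.
    print(diagnose(accepted, {"TLS 1.2"}))
```

A "no common version" result matches the SecureChannelFailure reported at the top of the thread; the same check can be rerun after switching the storage type or placing a proxy in front of the server.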