====== Cal/Card DAV and iOS ======

Problems arose when we were trying to connect an iPhone (iOS v15.x) to a [[https://nextcloud.com/|Nextcloud]] CalDAV server. The same device worked well on a second server, but would fail with the message "Cannot connect using SSL" on the problematic one. Android devices using [[https://www.davx5.com/|DAVx5]] and Microsoft Outlook using [[https://nextcloud.com/blog/nextcloud-offers-caldav-synchronizer-for-outlook-users/|CalDAV Synchronizer]] had no problem.

The solution (see https://help.nextcloud.com/t/caldav-and-carddav-ios-issues/73801) is to manually enter the https port number (443) in the URL:

  https://example.com:443/remote.php/dav/principals/users/yourusername

Replace **example.com** with the host name of your server, and **yourusername** with your Nextcloud username.

===== Discussion =====

It appears iOS, by default, attempts port 8443 (alternate https port) first. If your server is firewalled and does a DROP (vs REJECT), iOS abandons the attempt and does not retry port 443. If, however, your firewall passes the port through, or does a REJECT (untested), iOS retries on port 443 and the setup is successful.

===== Testing =====

Test the server with nmap. The first sample shows the port as filtered, which is the case that can be corrected.

  nmap -p 8443 example.com
  PORT     STATE    SERVICE
  8443/tcp filtered https-alt

This sample shows the port as closed, in which case iOS will correctly retry port 443 and succeed. If you have the problem and the port is showing closed, this is unlikely to help.

  nmap -p 8443 example.com
  PORT     STATE  SERVICE
  8443/tcp closed https-alt

===== Solutions =====

==== Set firewall to REJECT vs DROP ====

This solution requires no changes on the part of your users, but requires a little work on your part. Somehow, you need to have port 8443 closed, which can be done by explicitly telling your firewall to REJECT, or by passing the port through to the server and letting it respond that nothing is listening on that port.

NOTE: We have not tested the REJECT.

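To check the result of a firewall change without nmap, a plain TCP connect separates a refused connection (nmap's "closed") from one that times out ("filtered"). This is an added example, not part of the original page; the function names, the 3 second timeout, the injectable ''connect'' parameter and the advice wording are assumptions of the example, and it should be run from outside the firewall.

```python
import socket
import sys

# Advice strings paraphrase the page; the wording is this example's own.
ADVICE = {
    "filtered": "no reply (firewall DROP): iOS gives up on 8443 and never "
                "tries 443; REJECT the port or put :443 in the account URL",
    "closed": "connection refused: iOS falls back to port 443 on its own",
    "open": "something is listening on 8443; not the case this page covers",
}


def probe(host, port=8443, timeout=3.0, connect=socket.create_connection):
    """Classify a TCP port the way an nmap connect scan labels it.

    `connect` is injectable (hypothetical parameter) so the timeout path
    can be exercised without a real firewall in front of the target.
    Other errors (DNS failure, host unreachable) are left to propagate.
    """
    try:
        sock = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"      # actively refused: the client knows at once
    except (socket.timeout, TimeoutError):
        return "filtered"    # silence until the timer expires
    sock.close()
    return "open"


def report(host, port=8443, **kwargs):
    """One line in the style of the nmap samples, plus what it means for iOS."""
    state = probe(host, port, **kwargs)
    return f"{port}/tcp {state:<8} {ADVICE[state]}"


if __name__ == "__main__":
    # Default target is the local machine so the script also runs offline.
    print(report(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Pass the server's host name as the only argument; a "filtered" result after the firewall change means port 8443 is still being dropped.
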
==== Explicitly set port 443 on the URL ====

This is more difficult for non-technical users, but does not require modifying your firewall. By explicitly adding :443 to your URL, iOS will not try port 8443 at all, and the configuration will succeed.

  https://example.com:443/remote.php/dav/principals/users/yourusername

===== Links and Acknowledgements =====

  * https://help.nextcloud.com/t/caldav-and-carddav-ios-issues/73801
  * Thanks to Randell who helped find the solution
  * Thanks to Dave who helped describe what was going on afterwards