
Cal/Card DAV and IOS

Problems arose when we were trying to connect an iPhone (iOS v15.x) to a NextCloud CalDAV server. The same device worked well on a second server, but would fail with the message

"Cannot connect using SSL"

on the problematic one. Android devices using DAVx5 and Microsoft Outlook using CalDAV Synchronizer had no problem.

The solution (see https://help.nextcloud.com/t/caldav-and-carddav-ios-issues/73801) is to manually enter the HTTPS port number (443) in the URL:

https://example.com:443/remote.php/dav/principals/users/yourusername

Replace example.com with the hostname of your server, and yourusername with your NextCloud username.

Discussion

It appears iOS, by default, attempts port 8443 (the alternate HTTPS port) first. If your server is firewalled and the firewall does a DROP (vs REJECT) on that port, iOS abandons the attempt and does not retry port 443. If, however, your firewall passes the port through to the server, or does a REJECT (untested), iOS retries on port 443 and the setup is successful.

Testing

Test the server with nmap. The first sample shows the port as filtered, which is the case that can be corrected.

nmap -p 8443 example.com
PORT     STATE    SERVICE
8443/tcp filtered https-alt 

This sample shows the port as closed, in which case iOS will correctly retry port 443 and succeed. If you have the problem and the port is showing closed, the fixes on this page are unlikely to help.

nmap -p 8443 example.com
PORT     STATE  SERVICE
8443/tcp closed https-alt
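
The same filtered/closed distinction can be checked with a plain TCP connect from any machine that has Python but not nmap. This is an added example, not part of the original page; the names probe_port and ADVICE and the 3-second timeout are assumptions chosen for illustration.

```python
import errno
import socket
import sys

# What each result means in terms of this page (wording is ours, not nmap's).
ADVICE = {
    "open": "something is listening on this port",
    "closed": "refused at once; the page reports iOS then retries 443",
    "filtered": "no reply before the timeout (DROP); the failing case here",
    "unreachable": "ICMP unreachable reply; not a case the page covers",
}


def probe_port(host, port=8443, timeout=3.0):
    """Classify a TCP port from the outcome of one connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"          # active refusal: the client fails fast
    except socket.timeout:
        return "filtered"        # SYN silently discarded: client hangs
    except OSError as exc:
        # Host/network unreachable errors arrive as plain OSError.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise                    # e.g. DNS failure: let the caller see it


if __name__ == "__main__":
    # Usage: python3 probe.py example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state = probe_port(host)
    print(f"8443/tcp {state}: {ADVICE[state]}")
```

Run it from outside the firewall, since a probe from the server's own network may not pass through the rule being tested.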

Solutions

Set firewall to REJECT vs DROP

This solution requires no changes from your users, but requires a little work on your part. Somehow, you need to have port 8443 show as closed, which can be done by explicitly telling your firewall to REJECT, or by passing the port through to the server and letting the server respond that nothing is listening on it. NOTE: We have not tested the REJECT.

Explicitly set port 443 on the URL

This is more difficult for the non-technical user, but does not require modifying your firewall. By explicitly adding :443 to your URL, iOS will not try port 8443 at all, and the configuration will succeed.

https://example.com:443/remote.php/dav/principals/users/yourusername