
Update USAGE.md #2793

Closed

Conversation

@krikk krikk commented Aug 31, 2024

Added a note that the webhook reverse proxy only works with TLS 1.2; a reverse proxy with TLS 1.3 only does not work.
@abraunegg (Owner)

Unfortunately your modification / additions are not factually correct.

To correctly support TLS 1.2 and TLS 1.3, you need to ensure that both NGINX and OpenSSL versions are at or above the minimum versions that introduce full support for these protocols. This has nothing to do with this client, and / or the webhook implementation.

To support both TLS 1.2 and TLS 1.3, you need the following minimum combination: NGINX 1.15.0 (or later) combined with OpenSSL 1.1.1 (or later).

If your distribution does not provide this, then this is an issue for you to raise with your distribution to resolve.

Additionally, this is also correctly called out in the RC3 documentation for webhooks: https://github.com/abraunegg/onedrive/blob/onedrive-v2.5.0-release-candidate-3/docs/webhooks.md

@abraunegg abraunegg closed this Aug 31, 2024
@krikk (Author) krikk commented Sep 1, 2024

Sorry, but you misread my comment I think; I had a running setup of NGINX with ONLY TLS 1.3, and the webhook did NOT work. The only change to my setup that made it work was to also enable TLS 1.2...

my logs with "ssl_protocols TLSv1.3;" in NGINX config:

Sep 01 20:42:11 beelink onedrive[2945361]: Initializing subscription for updates ...
Sep 01 20:42:12 beelink onedrive[2945361]: ERROR: Microsoft OneDrive API returned an error with the following message:
Sep 01 20:42:12 beelink onedrive[2945361]:   Error Message:    HTTP request returned status code 400 ()
Sep 01 20:42:12 beelink onedrive[2945361]:   Error Reason:     HttpRequestException:An error occurred while sending the request. WebException:The request was aborted: Could not create SSL/TLS secure channel.
Sep 01 20:42:12 beelink onedrive[2945361]:   Error Timestamp:  2024-09-01T18:42:12
Sep 01 20:42:12 beelink onedrive[2945361]:   API Request ID:   1eb05352-815f-4100-a8eb-b9e350e0ead3
Sep 01 20:42:12 beelink onedrive[2945361]: ERROR: Unable to initialize subscriptions for updates. Please fix this issue.
Sep 01 20:42:12 beelink systemd[1]: onedrive@krikkit.service: Main process exited, code=exited, status=255/EXCEPTION

my logs with "ssl_protocols TLSv1.2 TLSv1.3;"

Sep 01 20:43:21 beelink onedrive[2946103]: Initializing monitor ...
Sep 01 20:43:21 beelink onedrive[2946103]: OneDrive monitor interval (seconds): 300
Sep 01 20:43:21 beelink onedrive[2946103]: Initializing subscription for updates ...
Sep 01 20:43:22 beelink onedrive[2946103]: Webhook: handled validation request
Sep 01 20:43:23 beelink onedrive[2946103]: Starting a sync with OneDrive

...so the conclusion is: the webhook only works if the webserver provides TLS 1.2 AND 1.3... it seems not to work for me if the webserver only provides TLS 1.3

@abraunegg (Owner) abraunegg commented Sep 1, 2024

Unfortunately I also run with TLS 1.3 only as part of my testing webhooks and there is zero issue.

TLS support comes from OpenSSL - there is no mistake with that.

So some basic questions:

  • what version of nginx are you using?
  • what version of openssl are you using?
  • what distro and version are you using?
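
The situation both sides describe, reproduced locally as an added example (not code from the onedrive client or its documentation): a TLS 1.3-only server refuses a client that offers only TLS 1.2, while a client that also offers TLS 1.3 connects fine against the same server. It uses Python's ssl module on loopback and assumes the openssl CLI is installed, which it needs only to mint a throwaway self-signed certificate; the scenario names and the probe() / run_demo() helpers are this example's own.

```python
"""Reproduce the mismatch locally: a TLS 1.3-only server versus a TLS 1.2-only client.

Added example; not code from the onedrive client or its documentation. Assumes the
`openssl` CLI is installed (used only to mint a throwaway self-signed certificate)
and that a loopback port can be bound.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3


def openssl_available():
    """True when the openssl CLI is on PATH (needed only for make_self_signed_cert)."""
    return shutil.which("openssl") is not None


def make_self_signed_cert(directory):
    """Mint a throwaway ECDSA P-256 certificate for 'localhost' (with a SAN) and its key."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", "1",
         "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def _serve_one(listener, server_ctx, outcome):
    """Accept one TCP connection, attempt the TLS handshake, and record what happened."""
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # wait for the client's byte so both sides see a completed handshake
            outcome["server"] = tls.version()
    except OSError as exc:  # ssl.SSLError is an OSError; the alert reason sits in .reason
        outcome["server"] = "handshake failed: %s" % getattr(exc, "reason", exc)


def probe(server_versions, client_versions, cert, key):
    """Connect a client limited to client_versions (min, max) to a one-shot server limited
    to server_versions (min, max); return the negotiated protocol or 'handshake failed: ...'."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.minimum_version, sctx.maximum_version = server_versions
    sctx.load_cert_chain(cert, key)

    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname by default
    cctx.minimum_version, cctx.maximum_version = client_versions
    cctx.load_verify_locations(cert)  # trust only our self-signed certificate

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(target=_serve_one, args=(listener, sctx, outcome))
    worker.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            with cctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"x")
                return tls.version()
    except OSError as exc:
        # The initiator-side symptom in the thread: "Could not create SSL/TLS secure channel"
        return "handshake failed: %s" % getattr(exc, "reason", exc)
    finally:
        worker.join(5)
        listener.close()


def run_demo():
    """The three situations discussed in the thread; returns {scenario: outcome}."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        return {
            "tls13-only server, tls12-only client": probe((TLS13, TLS13), (TLS12, TLS12), cert, key),
            "tls12+13 server, tls12-only client": probe((TLS12, TLS13), (TLS12, TLS12), cert, key),
            "tls13-only server, tls12+13 client": probe((TLS13, TLS13), (TLS12, TLS13), cert, key),
        }


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print("%-38s -> %s" % (scenario, result))
```

The first scenario is what a TLS 1.2-only client gets against "ssl_protocols TLSv1.3;": the handshake aborts with a protocol_version alert before any HTTP request is sent, so the error is reported by whoever initiated the connection (in this thread, Microsoft's validation request, relayed back through the API as the error above) and nothing reaches the web server's access log. The third scenario is why a TLS 1.3-capable test client, such as a current browser or curl, shows no problem with the very same server configuration.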

@krikk (Author) krikk commented Sep 3, 2024

Strange that it works for you with TLS 1.3 only, but not in my setup...

my setup:

nginx version: nginx/1.22.1
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
Debian GNU/Linux 12 (bookworm) with backported Kernel 6.9.7

my nginx config:

server {
    listen                      58381 ssl http2 default_server;
    listen                      [::]:58381 ssl http2 default_server;
    server_name                 subdomain.censored.com;

    # "ssl_protocols TLSv1.3;" on its own is the variant that failed in the logs above
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

    server_tokens               off;

    ssl_certificate             /etc/nginx/ssl/hxxx.fullchain;
    ssl_certificate_key         /etc/nginx/ssl/xxxx.key;
    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_prefer_server_ciphers   off;
    ssl_dhparam                 /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout         1d;
    ssl_session_cache           shared:SSL:10m;
    keepalive_timeout           70;

    # OCSP stapling
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_trusted_certificate     /etc/nginx/ssl/xxx.fullchain;

    # hand the webhook path to the onedrive client listening on loopback
    location /webhooks/onedrive {
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Original-Request-URI $request_uri;
        proxy_read_timeout      300s;
        proxy_connect_timeout   75s;
        proxy_buffering         off;
        proxy_http_version      1.1;
        proxy_pass              http://127.0.0.1:58382;
    }
}

@abraunegg (Owner)

@krikk
Suggest you update your logging to add what Microsoft is sending you:

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" "$ssl_protocol" "$ssl_cipher"';

Is Microsoft sending you an HTTPS request using TLS 1.3?

If not, then that is your issue...
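
A small checker for the lines that log_format produces, as an added example (not part of the onedrive project): it parses each access-log line, groups hits on the webhook location by client address and negotiated protocol, and reports which ssl_protocols values the server must keep enabled for the clients that actually reached it. The sample lines are constructed for the example (the first is modelled on the line later in this thread, with the validation token shortened); parse_line, tls_by_client and protocols_required are this example's own names.

```python
"""Which TLS versions actually reach the webhook location, read from nginx access-log lines
written with the log_format suggested above. Added example; not part of the onedrive project.
The sample lines are constructed for this example (the first is modelled on the one in this
thread); the validation token is shortened."""
import re
from collections import Counter, defaultdict

# One line of the 'main' log_format above: combined format plus "$ssl_protocol" "$ssl_cipher".
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)" '
    r'"(?P<proto>[^"]*)" "(?P<cipher>[^"]*)"$'
)

# Constructed sample input; not a real capture.
SAMPLE_LOG = """\
52.147.213.181 - - [04/Sep/2024:21:07:04 +0200] "POST /webhooks/onedrive?validationToken=Validation%3a+Testing+client+application+reachability HTTP/1.1" 200 128 "-" "-" "-" "TLSv1.2" "ECDHE-ECDSA-AES256-GCM-SHA384"
52.147.213.181 - - [04/Sep/2024:21:12:31 +0200] "POST /webhooks/onedrive HTTP/1.1" 202 0 "-" "-" "-" "TLSv1.2" "ECDHE-ECDSA-AES256-GCM-SHA384"
203.0.113.7 - - [04/Sep/2024:21:13:02 +0200] "GET /webhooks/onedrive HTTP/1.1" 405 0 "-" "curl/8.5.0" "-" "TLSv1.3" "TLS_AES_256_GCM_SHA384"
198.51.100.9 - - [04/Sep/2024:21:14:10 +0200] "GET / HTTP/1.1" 404 0 "-" "Mozilla/5.0" "-" "TLSv1.3" "TLS_CHACHA20_POLY1305_SHA256"
this line is deliberately not in the expected format
"""


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")  # "METHOD /path?query HTTP/x.y"
    rec["method"] = parts[0]
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    return rec


def tls_by_client(lines, path_prefix="/webhooks/onedrive"):
    """{client_ip: {ssl_protocol: hits}} for requests under path_prefix.
    nginx writes '-' for $ssl_protocol on plain-HTTP listeners; it is kept as a value."""
    seen = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(path_prefix):
            seen[rec["addr"]][rec["proto"]] += 1
    return {ip: dict(counts) for ip, counts in seen.items()}


def protocols_required(lines, path_prefix="/webhooks/onedrive"):
    """The set of protocol versions that must stay in ssl_protocols so that every client
    which actually reached the webhook keeps working."""
    return {proto for counts in tls_by_client(lines, path_prefix).values()
            for proto in counts if proto != "-"}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, counts in tls_by_client(lines).items():
        print(ip, counts)
    print("keep enabled:", " ".join(sorted(protocols_required(lines))))
```

Two caveats when reading real logs this way. A client that nginx refuses during the TLS handshake never gets to send an HTTP request, so it leaves no access-log line at all; that refusal shows up only in error.log, and typically only when error_log is raised to info level, so an empty access log does not mean nothing tried to connect. And a "-" in the $ssl_protocol field means the request arrived over a plain-HTTP listener, which a webhook endpoint should not expose.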

@krikk (Author) krikk commented Sep 4, 2024

Enabled logging like you suggested; it gave me this:

52.147.213.181 - - [04/Sep/2024:21:07:04 +0200] "POST /webhooks/onedrive?validationToken=Validation%3a+Testing+client+application+reachability+for+subscription+Request-Id%3xxxxxxxxxxxxxx HTTP/1.1" 200 128 "-" "-" "-" "TLSv1.2" "ECDHE-ECDSA-AES256-GCM-SHA384"

so Microsoft does not want to talk TLS 1.3 with me :(

@abraunegg (Owner)

I guess you need to raise a support request with Microsoft, and for the time being enable both TLS 1.2 and 1.3 in nginx

@abraunegg (Owner)

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

Repository owner locked and limited conversation to collaborators Sep 12, 2024