921666 - Add SSL certificates for idp.dev.lcip.org for Android devices

Status: VERIFIED DUPLICATE of bug 889749

(Cloud Services :: Operations: Miscellaneous, task)

Description

[Nick Alexander :nalexander [he/him]]

Like Bug 884008.

Comment 1

[Richard Newman [:rnewman]]

N.B., all endpoints that'll be touched by Android devices -- this, the corresponding stage environment, eventual production deployment, and other identity-related services -- will all need cross-root certs and such, and cannot use SNI. Them's the breaks.

Comment 2

[Nick Alexander :nalexander [he/him]]

Backtrace, trying to POST to https://idp.dev.lcip.org/certificate/sign:

E GeckoLogger(10363)          fennec_ncalexan :: FxAccountSyncAdapter :: Failed to sign.
E GeckoLogger(10363)          javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
E GeckoLogger(10363)          	at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:752)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:229)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.retryRequest(BaseResource.java:268)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:239)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:296)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.post(BaseResource.java:326)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.post(BaseResource.java:449)
E GeckoLogger(10363)          	at org.mozilla.gecko.background.fxa.FxAccountClient.post(FxAccountClient.java:226)
E GeckoLogger(10363)          	at org.mozilla.gecko.background.fxa.FxAccountClient.sign(FxAccountClient.java:545)
E GeckoLogger(10363)          	at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.onPerformSync(FxAccountSyncAdapter.java:78)
E GeckoLogger(10363)          	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:247)

Comment 3

[James Bonacci [:jbonacci]]

Historical reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=884008

Comment 4

[Nick Alexander :nalexander [he/him]]

After much investigation, this is a ciphersuite mismatch.  Sorry for the fire-drill, ops.  Closing in favour of Bug 889749.

Comment 6

[Ryan Kelly [:rfkelly]]

For my possible future reference, this seems to be the minimal change to nginx default config that enables the old ciphersuite:

  ssl_ciphers  HIGH:!aNULL:!MD5:RC4-SHA;