Closed Bug 1244594 Opened 8 years ago Closed 8 years ago

No favicons in Firefox for Android after encrypting with Let's Encrypt

Categories

(Firefox for Android Graveyard :: Favicon Handling, defect)

44 Branch
ARM
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 765064

People

(Reporter: markus.popp, Unassigned)


I switched some sites to https using Let's Encrypt and ever since, I get no Favicons in Firefox for Android (44+) on Nexus 5, Android 6.0.1.

There are no problems with Firefox on Linux64 and no errors are displayed in the Web Console. Also other browsers (both desktop & mobile) display the favicon (which is a 128x128 PNG file) just fine:

<link rel="shortcut icon" href="//var.mpopp.net/favicons/mp.png">

I also tried smaller sizes and other formats, but none of them worked with Firefox for Android (they did, however, work with desktop versions of Firefox).

Accessing the pages using http://, the Favicons display correctly.

SSLException: hostname in certificate didn't match: <var.mpopp.net> != <kbase.mpopp.net> OR <kbase.mpopp.net>

> E  javax.net.ssl.SSLException: hostname in certificate didn't match: <var.mpopp.net> != <kbase.mpopp.net> OR <kbase.mpopp.net>
> E      at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:236)
> E      at ch.boye.httpclientandroidlib.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
> E      at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:157)
> E      at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:138)
> E      at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561)
> E      at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536)
> E      at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
> E      at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:174)
> E      at ch.boye.httpclientandroidlib.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
> E      at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> E      at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> E      at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:860)
> E      at ch.boye.httpclientandroidlib.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> E      at ch.boye.httpclientandroidlib.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
> E      at org.mozilla.gecko.favicons.LoadFaviconTask.tryDownloadRecurse(LoadFaviconTask.java:132)
> E      at org.mozilla.gecko.favicons.LoadFaviconTask.downloadAndDecodeImage(LoadFaviconTask.java:249)
> E      at org.mozilla.gecko.favicons.LoadFaviconTask.downloadFavicon(LoadFaviconTask.java:226)
> E      at org.mozilla.gecko.favicons.LoadFaviconTask.doInBackground(LoadFaviconTask.java:439)
> E      at org.mozilla.gecko.favicons.LoadFaviconTask$1.run(LoadFaviconTask.java:308)
> E      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
> E      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
> E      at java.lang.Thread.run(Thread.java:818)

If your host is using SNI, you won't get favicons: Bug 765064.

(In reply to Sebastian Kaspari (:sebastian) from comment #1)
> SSLException: hostname in certificate didn't match: <var.mpopp.net> !=
> <kbase.mpopp.net> OR <kbase.mpopp.net>

Where does this come from?

kbase.mpopp.net and var.mpopp.net are independent from each other, so there should not be any mismatch. One shouldn't even know that the other exists.

They live on the same physical server though.

(In reply to Markus Popp from comment #3)

> They live on the same physical server though.

https://en.wikipedia.org/wiki/Server_Name_Indication

When we connect to var.mpopp.net, we effectively do a TLS handshake to kbase.mpopp.net, because we actually talk to 148.251.92.101. But obviously kbase.mpopp.net's certificate is not valid for var.mpopp.net, so we abort the connection.

SNI means we say "I'm connecting to var.mpopp.net" as part of the handshake, so your server gives us the right cert.

We don't support SNI for favicon fetches.
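
The exchange described in the comment above, as an added example that is not part of the bug report or Firefox's code: a constructed ClientHello with and without the server_name extension, a server that picks a certificate from it, and the client's name check. The function names, the two-certificate table and the default-certificate choice are assumptions modelled on the log in comment 1; hostname matching is simplified to exact equality.

```python
import struct

# Assumption read off the stack trace: the server at that IP hands out the
# kbase.mpopp.net certificate when the client names no host.
CERTS = ("kbase.mpopp.net", "var.mpopp.net")
DEFAULT_CERT = "kbase.mpopp.net"

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello; server_name extension is optional."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0, len(data)) + data           # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # handshake record

def sni_from_client_hello(rec):
    """Server side: return the host_name the client sent, or None if it sent none."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                              # headers, version, random
    p += 1 + rec[p]                                 # session_id
    p += 2 + int.from_bytes(rec[p:p + 2], "big")    # cipher_suites
    p += 1 + rec[p]                                 # compression_methods
    if p + 2 > len(rec):
        return None                                 # no extensions block at all
    end = p + 2 + int.from_bytes(rec[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        if etype == 0:                              # server_name
            nlen = int.from_bytes(rec[p + 7:p + 9], "big")
            return rec[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None

def fetch(host, send_sni):
    """Client side: handshake, then compare the certificate name with the host."""
    sni = sni_from_client_hello(build_client_hello(host if send_sni else None))
    cert = sni if sni in CERTS else DEFAULT_CERT    # server's certificate choice
    if cert != host:                                # exact match only, no wildcards
        return f"hostname in certificate didn't match: <{host}> != <{cert}>"
    return "ok"
```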

(In reply to Richard Newman [:rnewman] from comment #4)

> SNI means we say "I'm connecting to var.mpopp.net" as part of the handshake,
> so your server gives us the right cert.
> We don't support SNI for favicon fetches.

So if I understand you correctly, there is no mistake in the configuration on my side, is there?

Is there something that I can do to get the Favicons nevertheless? Is this going to be fixed in a soon upcoming version of Firefox for Android?

(In reply to Markus Popp from comment #5)

> So if I understand you correctly, there is no mistake in the configuration
> on my side, is there?

It looks fine to me.


> Is there something that I can do to get the Favicons nevertheless?

You have three main options:

* Host them over plain HTTP. (That might get you a mixed content warning.)
* Give each hostname its own IP address.
* Consolidate your services into a single domain.


> Is this going to be fixed in a soon upcoming version of Firefox for Android?

Not soon, but some day, yes. I'll dupe this bug to that.

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard