Closed Bug 1557203 Opened 5 months ago Closed 5 months ago

After AndroidQ Beta4 update Firefox uses old SSL ciphers

Categories

(Firefox for Android :: Android Sync, defect, P1)

ARM64
Android
defect

VERIFIED FIXED
Firefox 69
Tracking Status
firefox67 --- wontfix
firefox68 + verified
firefox69 --- verified

People

(Reporter: dholbert, Assigned: petru)

References

(Blocks 1 open bug)

Details

(Whiteboard: [geckoview:fenix:m7] [bcs:p2])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #1537701 +++

I just updated my phone from Android Q Beta3 to Beta4 (released today[1][2]), and bug 1548332 (i.e. bug 1537701) immediately came back.

It manifested as my previously-connected Sync starting to silently fail at syncing. I tried disconnecting and reconnecting Sync, and I immediately saw the same (misleading) error message as described in bug 1548332 ("Your account needs to be verified. Tap to resend verification email").

I'm using latest Nightly (version 68.0a1 2019-06-05).

Bottom line, I suspect Android Q beta4 must have changed the ciphersuites or APIs here in a way that re-broke this. Petru, I'm assuming you're the right person to look at this since you worked on bug 1541083, so I'm presumptuously putting you in as the assignee, though feel free to unassign if I'm mistaken. But if you could, would you mind taking a look at Sync on a device with Q beta4? ("Security Patch Level: June 5 2019")

[1] https://android-developers.googleblog.com/2019/06/android-q-beta-4-and-final-apis.html
[2] https://developer.android.com/preview/features

Summary: Update default SSL ciphers and protocols for Android Q → Update default SSL ciphers and protocols for Android Q (again, due to changes in Q beta4, to re-fix Sync)

BTW, my hardware is a Google Pixel 3, in case it matters.
[setting needinfo to be sure this is on Petru's radar]

Flags: needinfo?(petru.lingurar)

When I try to sync, I see this output in logcat (followed by more, but I'm assuming this is the most relevant/proximal):

java.lang.IllegalArgumentException: cipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is not supported.

I'll post a log with a slightly-larger snippet and a backtrace.

I'm seeing this in latest Firefox Beta (68.0b7), as well. I haven't tested release (67), but I assume it's affected, too.

(Note: yes, Beta and Nightly have the same version number right now -- 68 -- on Android. I wasn't aware that this was the case until I just checked now, and I'm assuming that has to do with the eventual Fenix migration.)

Thanks Daniel!

This regressed because with Beta4 we now have the final Q APIs, AndroidQ has its own API level now - 29 (previously it shared 28 with Android P) so this code which basically checked if VERSION.CODENAME is Q now returns false, as the codename now is REL. Because of this failed check we will fall back to previous ciphers.

Flags: needinfo?(petru.lingurar)

With Beta4 AndroidQ now ships with final APIs so the previous check we used,
VERSION.CODENAME now returns REL instead of Q.
But final APIs means AndroidQ will not share API level 28 with AndroidP anymore
so we can finally check for Build.VERSION.SDK_INT.

Summary: Update default SSL ciphers and protocols for Android Q (again, due to changes in Q beta4, to re-fix Sync) → After AndroidQ Beta4 update Firefox uses old SSL ciphers
Status: NEW → ASSIGNED
Keywords: checkin-needed

Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/38dc20b6a273
AndroidQ has final APIs. Update the feature29Plus check; r=VladBaicu

Keywords: checkin-needed
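The regression explained above and the runtime failure from the logcat line, as an added example that is not code from the Firefox tree: it compares the codename gate with an API-level gate across the three builds named in the thread, then goes one step beyond the thread's fix by filtering a cipher list against what the TLS provider supports. The class and method names, the ">= 29" form of the check, and the sample cipher list are assumptions; `Version` stands in for `android.os.Build.VERSION` so the code runs on a desktop JVM.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class VersionGateDemo {
    // Stand-in for android.os.Build.VERSION so the demo runs on a desktop JVM (Java 16+).
    record Version(String label, int sdkInt, String codename) {}

    // Gate the thread says regressed: true only while the build carries the preview codename.
    static boolean codenameGate(Version v) { return "Q".equals(v.codename()); }

    // Gate the commit message moves to; the ">= 29" form is an assumption.
    static boolean sdkIntGate(Version v) { return v.sdkInt() >= 29; }

    // Keep only suites the provider supports, so a stale list cannot throw at runtime.
    static String[] supportedOnly(String[] wanted, String[] supported) {
        Set<String> ok = new HashSet<>(Arrays.asList(supported));
        String[] kept = Arrays.stream(wanted).filter(ok::contains).toArray(String[]::new);
        if (kept.length == 0) throw new IllegalStateException("no usable cipher suite");
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Constructed build descriptions following the thread: API level and codename.
        List<Version> builds = List.of(
            new Version("Android P", 28, "REL"),
            new Version("Android Q Beta3", 28, "Q"),
            new Version("Android Q Beta4", 29, "REL"));
        for (Version v : builds) {
            System.out.printf("%-16s codename gate=%-5b SDK_INT gate=%b%n",
                v.label(), codenameGate(v), sdkIntGate(v));
        }

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        // Constructed list: one widely supported suite plus a made-up name the provider lacks.
        String[] wanted = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_CONSTRUCTED_UNSUPPORTED"};
        try {
            engine.setEnabledCipherSuites(wanted);
        } catch (IllegalArgumentException e) {
            System.out.println("unfiltered list rejected: " + e.getMessage());
        }
        engine.setEnabledCipherSuites(supportedOnly(wanted, engine.getSupportedCipherSuites()));
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Neither gate alone is true for both Beta3 and Beta4, which is why a codename check written during the preview stops matching once the final API level ships. The filter fails closed when nothing in the list is supported rather than silently enabling an empty or default set.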

Thanks for the quick action!

Requesting tracking for version 68 (which is what Fennec beta, and I believe also Nightly, are currently built from on Android).

Comment on attachment 9070166 [details]
Bug 1557203 - AndroidQ has final APIs. Update the feature29Plus check; r?VladBaicu

Beta/Release Uplift Approval Request

  • User impact if declined: Sync and possibly other app services which use Internet would not work on Android Q devices.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Try to use Sync. Confirm it works with no errors in logcat.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small update to make use of the latest Android Q APIs.
  • String changes made/needed:
Attachment #9070166 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9070166 [details]
Bug 1557203 - AndroidQ has final APIs. Update the feature29Plus check; r?VladBaicu

Needed for Android Q compat. Let's get this on Beta so Fennec Nightly and Beta builds can pick up this fix.

Attachment #9070166 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 69

Verified fixed in yesterday's nightly (and today's).

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]

Hello, I can confirm that the issue is no longer reproducible on Nightly 68.0a1 (2019-06-24) and Beta 68.0b13 using Google Pixel (Android Q).
I can't verify the 69 Nightly version due to bug 1558745, but I'll verify it after the fix of the mentioned issue, thanks.

Hi, verified as fixed on Firefox Beta 69.0b16 with Google Pixel (Android Q) beta 4 (QPP4); no error messages are present in logcat or at the UI level.

Flags: qe-verify+