Closed Bug 1612266 Opened 4 years ago Closed 4 years ago

Firefox Sync on Android (Fennec) only pulls from the system CA store when validating the HTTPS cert for the sync server

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

68 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 756763

People

(Reporter: motsu35, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Firefox for Android

Steps to reproduce:

  1. Set up a custom Firefox Sync server; you can use the normal Firefox auth server.

  2. On a local CA, issue a cert for your sync server.

  3. Set up HTTPS on the custom sync server. I'm using nginx as a reverse proxy, but any SSL implementation should have the same effect; you just need to use the locally issued cert.

  4. Add the CA public cert to your phone.

  5. Use about:config to set the sync server, then sign in to your Firefox account.

  6. Click "Sync now". <-- Should be working at this step.

  7. Use Python on your computer to issue the cert with the proper MIME type so Fennec will actually import it (this should also be its own bug... there's no friendly way to import a CA cert on Fennec!): https://pastebin.com/b0k6pP1X

  8. Go back and click "Sync now". <-- Should be working at this step if you make the assumption that Fennec uses its own certificate store, similar to Firefox desktop. This would be my preferred fix, assuming there was an easier way to add the CA cert.

  9. Root your phone, remount /system/ as RW, and copy the cert from your user CA store to the system CA store... Reboot, remove root, and verify your CA shows up in the Android system certificate store.

  10. Click "Sync now" again in Fennec; it should now work... but you have to basically be running a custom ROM at this point.

Actual results:

The sync mechanism on Firefox for Android (Fennec) does not look into the user CA store when validating HTTPS certificates used on custom sync servers.

The sync mechanism on Firefox for Android (Fennec) does not look into the internal Fennec CA store when validating HTTPS certificates used on custom sync servers.

The only way to get internal CA + sync working on android is to root a phone and force the CA into the system cert store.

Expected results:

Either the user or the internal CA store should be checked when validating the HTTPS certificate used on a custom sync server.
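The step-7 helper, as an added example and not the reporter's pastebin script: a minimal Python server that hands the local CA's public certificate to the phone as DER with the application/x-x509-ca-cert MIME type (the standard type for CA certificates), and refuses to serve anything that is not a single CERTIFICATE block so a private key can never go out by mistake. The file name ca.pem and port 8000 are assumptions.

```python
"""Serve a local CA's public certificate with the MIME type Android expects."""
import base64
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

CA_PEM_PATH = "ca.pem"  # assumption: the local CA's public cert, PEM encoded
CA_MIME = "application/x-x509-ca-cert"

# One PEM block: the label after BEGIN must match the label after END.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the single CERTIFICATE block in pem_text.

    Raises ValueError for anything else (a PRIVATE KEY block, a bundle of
    several certs, or junk), so the server never serves key material.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError("expected exactly one CERTIFICATE block")
    body = "".join(blocks[0][1].split())  # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


class CaCertHandler(BaseHTTPRequestHandler):
    """Answers every GET with the CA certificate as a downloadable .crt."""

    def do_GET(self):
        try:
            with open(CA_PEM_PATH) as f:
                der = pem_to_der(f.read())
        except (OSError, ValueError) as exc:
            self.send_error(500, str(exc))
            return
        self.send_response(200)
        self.send_header("Content-Type", CA_MIME)
        self.send_header("Content-Disposition", 'attachment; filename="ca.crt"')
        self.send_header("Content-Length", str(len(der)))
        self.end_headers()
        self.wfile.write(der)


if __name__ == "__main__":
    # Bind to all interfaces so the phone on the same LAN can fetch it:
    # open http://<your-computer-ip>:8000/ca.crt in Fennec.
    HTTPServer(("0.0.0.0", 8000), CaCertHandler).serve_forever()
```

Serve it only for as long as the import takes; the endpoint is unauthenticated and the certificate is public anyway, but there is no reason to leave it running.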

Component: Untriaged → Server: Sync
Product: Firefox → Cloud Services

Thanks for the report! There is, sadly, quite a history of certificate-related issues when using a self-hosted sync server on Android. I'm going to close this as a duplicate of Bug 756763 which has a lot of historical context.

I'll also note that the new Android Firefox browser ("Fenix") should not have this problem, because it routes all backend service requests through the same networking stack as used by the browser itself. Fenix does not yet support self-hosted sync servers, but there's a tracking issue here.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Product: Cloud Services → Cloud Services Graveyard