Certificate error visiting https://lando.services.mozilla.com/D107388/ on firefox android
Categories: Conduit :: Lando, defect, P2
Tracking: Not tracked
People: Reporter: tnikkel, Assigned: zeid
References
Details: Keywords: conduit-triaged
Attempting to visit https://lando.services.mozilla.com/D107388/ with Firefox on Android, I get the cert error page ("Secure connection failed. Someone could be trying to impersonate the site and you should not continue...its certificate issuer is unknown, the cert is self signed or the server is not sending the correct intermediate certs.")
The same thing happens in release and nightly. Visiting the website on the same wifi network on a laptop works. Turning off wifi and using LTE doesn't change anything.
Comment 1 (Assignee) • 3 years ago
This works for me, but a caching issue could be the reason you're being affected. Do you have any more detail about this error? Can you include the certificate info viewable when you click on the lock icon / detail? Try clearing site data / cache for Lando and trying again. If you've visited Lando on both browsers in the past, then the same issue could be affecting both.
Comment 2 (Reporter) • 3 years ago
If I tap the lock icon all I get is "Secure Connection Failed, (lando url), (red wireframe globe icon) Insecure Connection". Firefox for Android doesn't seem to have a way to delete saved data for just one website, either all or nothing. So I cleared the cache and that did not work. I've definitely visited lando before in Firefox release on android, but I'm not sure about nightly. I did not have beta installed so I installed that and tried and I had the same error. I don't know how to get more info out of this. If you provide a patch or a try build or something that printf_stderrs to the logcat I can run it and get the output.
Comment 3 (Reporter) • 3 years ago
I tried on two other phones, same error. Three different manufacturers, three different versions of android. Never visited lando on those two other phones.
Updated (Assignee) • 3 years ago
Comment 4 (Reporter) • 3 years ago
On a fourth device I had an old version of the orphaned Firefox Nightly preview from July 2020 and it did not have the bug. Using up-to-date Firefox on that same device shows the bug. So maybe this is a bug in Firefox for Android.
Comment 5 (Reporter) • 3 years ago
On GeckoViewExample I get a pretty plain error page with error_category_security::error_security_ssl.
Comment 6 (Reporter) • 3 years ago
Regression range: most likely https://hg.mozilla.org/mozilla-central/rev/bc61343b5d6809a99d3ca2daf25708f069b042c2 (bug 1677548)
Comment 7 (Assignee) • 3 years ago
Thanks Timothy -- I am able to reproduce after updating to the latest Firefox for Android on my Android device. This issue did not affect an older version. Hooking this up to the remote debugger, I can see that the issue is due to this error: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE, which in theory should not affect new, first-time requests. I am able to consistently reproduce this issue now even after deleting site data (and app data, for that matter). Will look into this further.
In the meantime, you can temporarily disable key pinning checks on Nightly by setting security.cert_pinning.enforcement_level to 0. Obviously this will circumvent some security, but it is a temporary workaround until we get to the bottom of this.
Comment 8 (Assignee) • 3 years ago
Reproduced on: Firefox Nightly (Nightly 210308 17:04) and Firefox (86.1.1) (Pixel 3a)
Comment 9 (Reporter) • 3 years ago
Updated (Reporter) • 3 years ago
Comment 11 • 3 years ago
In bug 1699162 dholbert pointed out:
Sometimes SSL Labs can help show what the issue is; their analysis is here:
https://www.ssllabs.com/ssltest/analyze.html?d=lando.services.mozilla.com
...which does say "Strict Transport Security (HSTS) Invalid Server provided more than one HSTS header" -- I'm not sure if that's the issue that Firefox-for-Android is complaining about or not.
Indeed this is true:
$ wget -O/dev/null -qS https://lando.services.mozilla.com
HTTP/1.1 200 OK
Server: nginx/1.15.4
Date: Wed, 17 Mar 2021 16:45:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3560
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; font-src 'self' https://code.cdn.mozilla.net; style-src 'self' https://code.cdn.mozilla.net; img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; object-src 'none'; frame-ancestors 'none'; manifest-src 'none'; worker-src 'none'; media-src 'none'; frame-src 'none'; base-uri 'none'; report-uri /__cspreport__
X-Content-Security-Policy: default-src 'self'; font-src 'self' https://code.cdn.mozilla.net; style-src 'self' https://code.cdn.mozilla.net; img-src 'self' *.cloudfront.net *.gravatar.com *.googleusercontent.com; object-src 'none'; frame-ancestors 'none'; manifest-src 'none'; worker-src 'none'; media-src 'none'; frame-src 'none'; base-uri 'none'; report-uri /__cspreport__
Strict-Transport-Security: max-age=31556926; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Vary: Cookie
Set-Cookie: lando.services.mozilla.com=eyJsYXN0X2xvY2FsX3JlZmVycmVyIjoiaHR0cHM6Ly9sYW5kby5zZXJ2aWNlcy5tb3ppbGxhLmNvbS8ifQ.YFIyLA.ggqUPRJOFZZNvc03UklTymUcTt8; Domain=lando.services.mozilla.com; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000
Via: 1.1 google
Alt-Svc: clear
Duplicates:
Strict-Transport-Security: max-age=31556926; includeSubDomains
Strict-Transport-Security: max-age=31536000
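The duplicate-header condition SSL Labs flagged above, turned into a repeatable check. This is an added example, not code from the bug or from Lando; it parses a constructed copy of the header block from the wget output in this comment (non-HSTS headers trimmed, cookie value replaced) and reports duplicate or conflicting Strict-Transport-Security headers.

```python
"""Flag duplicate / conflicting Strict-Transport-Security headers in a raw HTTP response."""
from collections import defaultdict

# Constructed from the `wget -S` output in comment 11: only the headers relevant to
# the HSTS finding are kept and the session cookie value is replaced. Not a live capture.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.15.4
Strict-Transport-Security: max-age=31556926; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: lando.services.mozilla.com=REDACTED; Domain=lando.services.mozilla.com; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000
Via: 1.1 google
"""


def parse_headers(raw):
    """Return {lowercased name: [value, ...]}, keeping every occurrence in order."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def parse_hsts(value):
    """Split an HSTS field value into its directives (names are case-insensitive)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw):
    """Return a list of findings; an empty list means a single, consistent HSTS header."""
    values = parse_headers(raw).get("strict-transport-security", [])
    if not values:
        return ["no Strict-Transport-Security header"]
    findings = []
    if len(values) > 1:
        # RFC 6797 expects exactly one STS header; a UA processes only the first one it sees.
        findings.append(f"{len(values)} Strict-Transport-Security headers (RFC 6797 expects one)")
        parsed = [parse_hsts(v) for v in values]
        max_ages = {p.get("max-age") for p in parsed}
        if len(max_ages) > 1:
            findings.append("conflicting max-age values: " + ", ".join(sorted(max_ages)))
        if len({"includesubdomains" in p for p in parsed}) > 1:
            findings.append("includeSubDomains present on some headers but not others")
    return findings
```

Because a browser honours only the first STS header, the second policy here is silently ignored; the two should be collapsed into one header at whichever layer (nginx or the proxy in front of it) is adding the extra one.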
Comment 12 • 3 years ago
I'm not sure if it's the same bug, but I'm having a certificate error in Firefox Nightly for Android on https://www.autenticacao.gov.pt and https://servicos.min-saude.pt/utente/.
When I access them via the stable build I don't get the error.
Comment 13 (Reporter) • 3 years ago
That seems to be a different problem, please file a new bug.
Comment 14 • 3 years ago
:tnikkel - Let's Encrypt has migrated to a longer certificate chain that is more compatible with Android, and we've renewed the Lando SSL certificate to use this longer certificate chain. Can you test again? It should load now.
Comment 15 (Reporter) • 3 years ago
It works for me now! Thanks!