Add SSL certificates for idp.dev.lcip.org for Android devices

VERIFIED DUPLICATE of bug 889749

Status

Cloud Services
Operations
5 years ago
5 years ago

People

(Reporter: nalexander, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [qa+])

(Reporter)

Description

5 years ago
Like Bug 884008.
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: shyam → nmaul
N.B., all endpoints that'll be touched by Android devices -- this, the corresponding stage environment, eventual production deployment, and other identity-related services -- will all need cross-root certs and such, and cannot use SNI. Them's the breaks.
Assignee: server-ops-webops → nobody
Component: Server Operations: Web Operations → Operations
Product: mozilla.org → Mozilla Services
QA Contact: nmaul
Version: other → unspecified
(Reporter)

Comment 2

5 years ago
Backtrace, trying to POST to https://idp.dev.lcip.org/certificate/sign:

E GeckoLogger(10363)          fennec_ncalexan :: FxAccountSyncAdapter :: Failed to sign.
E GeckoLogger(10363)          javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
E GeckoLogger(10363)          	at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
E GeckoLogger(10363)          	at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:752)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:229)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.retryRequest(BaseResource.java:268)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:239)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:296)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.post(BaseResource.java:326)
E GeckoLogger(10363)          	at org.mozilla.gecko.sync.net.BaseResource.post(BaseResource.java:449)
E GeckoLogger(10363)          	at org.mozilla.gecko.background.fxa.FxAccountClient.post(FxAccountClient.java:226)
E GeckoLogger(10363)          	at org.mozilla.gecko.background.fxa.FxAccountClient.sign(FxAccountClient.java:545)
E GeckoLogger(10363)          	at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.onPerformSync(FxAccountSyncAdapter.java:78)
E GeckoLogger(10363)          	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:247)
Whiteboard: [qa+]
(Reporter)

Comment 4

5 years ago
After much investigation, this is a ciphersuite mismatch.  Sorry for the fire-drill, ops.  Closing in favour of Bug 889749.
(Reporter)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 889749
Status: RESOLVED → VERIFIED
For my possible future reference, this seems to be the minimal change to nginx default config that enables the old ciphersuite:

  ssl_ciphers  HIGH:!aNULL:!MD5:RC4-SHA;