On Tue, May 12, 2015 at 6:06 AM, Robin Bankhead <[email protected]>
wrote:

> Hi Richard, thanks for the reply.  I had no awareness of this but it makes
> things a lot clearer.
>
> Trying the stock browser (or Chrome, you never know) doesn't help
> matters.  Nor does importing my CA cert into the Android security manager.
> This shouldn't surprise me because the server cert I'm using is invalid in
> another way: it's not hostname-specific (it names the parent domain only).
>
> I can try making a wildcard cert, but if SNI isn't accepted, will that be?
>

I believe Mozilla's hosted FxA stack uses wildcard certs but I cannot
guarantee it.


> What is the SNI issue about anyway?  I do seem to recall reading a doc or
> bug that dealt with this, but I can't put my hand to it now.  If neither
> SNI nor a wildcard cert will work I may be SOL, because name-based virtual
> hosting is the only option I have available (AFAICT), as the server IP
> won't be consistent (depending whether the client is or isn't on the local
> subnet).  Not sure based on that whether I can make a cert that Android
> will be happy enough with.
>
> I'll try cooking up a wildcard cert in the meantime and see if that does
> the job, I was meaning to do it anyway at some point.
>

I have never been familiar with these details, but the SNI ticket is
https://bugzilla.mozilla.org/show_bug.cgi?id=765064 and may give some
context.

Nick


> Thanks,
> Robin Bankhead
>
>
> Quoting Richard Newman <[email protected]>:
>
>> Bear in mind that Sync on Android, being an Android SyncAdapter, doesn't
>> use Gecko's own network stack. Adding your self-signed cert inside Firefox
>> by browsing is not enough to make Sync use it.
>>
>> Try doing the same via the Android stock browser, which uses the system
>> cert store.
>>
>> You also need to make sure that your service doesn't use SNI.
>>
>> On Mon, May 11, 2015 at 5:08 AM, Robin Bankhead <[email protected]>
>> wrote:
>>
>>> Hello,
>>>
>>> I've gotten a self-hosted sync-1.5/fxa stack operational across multiple
>>> desktop clients, but have hit a problem trying to add an Android client
>>> (Fennec 37 on Galaxy SIII, Android Jelly Bean).
>>>
>>> I've installed callahad's fxa-custom-server-addon and entered my
>>> self-hosted auth-server and token-server URLs, which are then visible on
>>> the signup and signin screens, but when attempting to sign in I get the
>>> error: "unable to connect to network".  This comes up after a couple of
>>> seconds the first time, then instantly (cached?) thereafter.
>>>
>>> There are no problems with the phone's connection when doing this,
>>> verified on 3G and wifi.  I also wiped all of fennec's cache and stored
>>> data via the Android Application Manager but this did not help.
>>>
>>> I am able to go through signin, culminating in a success message, by
>>> navigating to https://my-content-server.dom/signin so the server-side
>>> seems all well.
>>>
>>> My servers are all proxied through Apache so the external URLs I gave to
>>> the addon are like:
>>>
>>> https://fxa.mydomain.dom/v1
>>> https://ffsync.mydomain.dom/token/1.0/sync/1.5
>>>
>>> Only other comment is that the servers all use a self-signed certificate,
>>> but I have made the appropriate exceptions in Fennec before attempting
>>> the signin.
>>>
>>> I will return with some adb logging once I have that worked out, but in
>>> the meantime if anyone can suggest where the issue might lie from any of
>>> the above, I'd be grateful.
>>>
>>> Thanks,
>>> Robin Bankhead
>>>
>>> _______________________________________________
>>> Sync-dev mailing list
>>> [email protected]
>>> https://mail.mozilla.org/listinfo/sync-dev
>>>
>>>
>
>
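Added example, not part of the thread and not code from Firefox, Sync or Android: a simplified RFC 6125-style hostname check showing why a certificate that names only the parent domain does not cover the two service hostnames quoted above, and what a wildcard name does and does not cover. The function names and the certificate name sets are constructed for illustration; partial wildcards are refused here, which is stricter than some clients.

```python
# Added example: simplified RFC 6125-style hostname matching (not Android's code).

def _labels(name):
    return name.lower().rstrip(".").split(".")

def dns_name_matches(pattern, hostname):
    """True if one certificate DNS name covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False              # a wildcard never spans more than one label
    if "*" in "".join(p[1:]):
        return False              # wildcard allowed only in the left-most label
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.dom" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards ("f*.x.dom") are refused here
    return p == h

def presented_names(san_dns, common_name=None):
    """subjectAltName dNSName entries take precedence; CN is only a fallback."""
    return list(san_dns) if san_dns else ([common_name] if common_name else [])

def cert_covers(hostname, san_dns, common_name=None):
    names = presented_names(san_dns, common_name)
    return any(dns_name_matches(n, hostname) for n in names)

def audit(hosts, san_dns, common_name=None):
    """Map each service hostname to whether the certificate is valid for it."""
    return {h: cert_covers(h, san_dns, common_name) for h in hosts}

# Hostnames taken from the URLs quoted in the thread.
HOSTS = ["fxa.mydomain.dom", "ffsync.mydomain.dom"]

# Constructed certificate name sets (not read from any real certificate).
PARENT_ONLY = audit(HOSTS, san_dns=[], common_name="mydomain.dom")
WILDCARD = audit(HOSTS, san_dns=["*.mydomain.dom"])

if __name__ == "__main__":
    print("parent-domain cert:", PARENT_ONLY)
    print("wildcard cert:     ", WILDCARD)
    print("wildcard vs apex:  ", cert_covers("mydomain.dom", ["*.mydomain.dom"]))
```

Name matching is independent of trust: a self-signed or private-CA certificate still has to be trusted by the store the client actually consults.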