Secure connection failed on a secure website (works on Android Firefox Release/Nightly and Firefox Desktop)

[quaqo]

Steps to reproduce

1. Visit the official website of the Italian Lazio Regional Health System: https://www.salutelazio.it
2. A "Secure Connection Failed" page is showed (this doesn't happen on Firefox Release, nor Nightly on the same device)
3. If "Accept the Risk and Continue" is clicked the connection is shown as secure (as it is on Desktop, Android Release and Android Nightly), but this might be related to [Bug] After pressing on "Accept the Risk and Continue" in the notification "Secure Connection Failed", Firefox Focus marks untrusted by any reason HTTPS site connection as secure (Bugzilla 1714582) #4921

Expected behavior

Firefox Focus should show that the connection is secure, as it is shown on Firefox Release and Nightly.

Actual behavior

A "Secure Connection Failed" page is showed.

Device information

• Android device: Samsung A52 (Android 11)
• Focus version: 8.16.0 (Build #351481538 / 89.0-20210527174632)

Additional information

This doesn't happen on Focus 8.16.0 (same version) on an old Huawei Oreo device I have available.

I tried to enable USB/WiFi debug but I couldn't connect to Focus on the Samsung device, only to Nightly.

[quaqo]

I changed the title as I tested the same behaviour (showing https://www.salutelazio.it as insecure) on the device below. So it seems that the behaviour on the Huawei Oreo device is the exception, and not vice-versa.

Device information

• Android device: Xiaomi Mi A1 (LineageOS 17.1 / Android 10)
• Focus version: 8.16.0 (Build #351481538 / 89.0-20210527174632)

[Nickoriginal]

It seems to be issue in Firefox Stable, Beta, Nightly and Focus. Mobile Google Chrome enters this site normally. Desktop browsers are not affected.

Tested on

Samsung Galaxy A20s (Android 10)

Nightly 2021-06-29T17:37:50.207
91.0a1 (Build #2015819211)
AC: 91.0.20210629143047, 8904b55efe
GV: 91.0a1-20210629092640
AS: 79.0.0

Beta 90.0.0-beta.6 (Build #2015818371)
AC: 90.0.11, 536cb9fe13
GV: 90.0-20210624190035
AS: 77.0.2

Focus 8.16.0 (Build #351481538 🦎 89.0-202105271

Stable 89.1.1 (Build #2015812945) (failed secure connection at the Samsung Galaxy J2 Prime (Android 6.1.1) only)

[quaqo]

Thanks for the feedback! For me it does work on Nightly 2021-06-28T17:31:51.595 though. On both aforementioned devices. I didn't try Beta. It still doesn't work on Focus.

[Nickoriginal]

I think it is a web compatibility bug.

[quaqo]

I think it is a web compatibility bug.

I can't debug it. For me it only fails on Focus... But it seems strange, I mean what's not working is at the certificate verification stage, isn't it?

Do you maybe have any hints on how could debug Focus?

[Nickoriginal]

You can debug Nightly successfully on your Samsung?

[quaqo]

You can debug Nightly successfully on your Samsung?

Correct. But that doesn't give me any useful info as that website does work for me on Nightly.

Still, I'm open to suggestions!

Thanks!

[Nickoriginal]

I'll try to debug Focus on my device tomorrow.

[quaqo]

I'll try to debug Focus on my device tomorrow.

Thank you!

[Nickoriginal]

Hello! I successfully debugged Focus on my device using desktop Firefox, but I don't know what info do you need. How I can provide it?

[quaqo]

Ideally I'd expect to see some kind of evaluation in the debug info during the SSL handshake/certificate validation... Are you able to isolate that section?

[Nickoriginal]

No, I have some info, but it is not useful.

[Nickoriginal]

I'm sorry about that.

[quaqo]

Thanks anyways! I guess I'll wait for somebody on the team to have more instructions. It is a very important website in Italy, especially right now with the COVID pandemic, it serves the whole Rome area (capital city), with COVID testing, vaccine info and booking, etc.

[Nickoriginal]

I can open the same bug in the Fenix repository, because I too experiencing connection issues in the Firefox

[quaqo]

I can open the same bug in the Fenix repository, because I too experiencing connection issues in the Firefox

That makes sense. Thanks!

[mcarare]

Bugzilla issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1718744

[Nickoriginal]

Previously I've checked only Firefox 89.0.2, Chrome 91 and didn't confirmed this issue on desktop browsers, but now explored that ESR 78.11.0 is affected.


Acer Aspire 5742Z, Windows 10 20H2, x86

[Nickoriginal]

@mcarare, do you can provide a new info about this issue in the Bugzilla?

[Nickoriginal]

Thanks!

[quaqo]

Wait, @Nickoriginal and @mcarare. What @Nickoriginal wrote about ESR got me thinking.

I installed a fresh copy of Firefox ESR 78, no "GlobalSign RSA OV SSL CA 2018" intermediate in about:certificate.

I visited https://salutelazio.it/ and got SEC_ERROR_UNKNOWN_ISSUER.

I visit another website with full intermediate chain for "GlobalSign RSA OV SSL CA 2018" such as:

https://www.telenet.be/

In about:certificate I got "GlobalSign RSA OV SSL CA 2018" and https://salutelazio.it/ was secure.

So I downloaded the PEM chain via curl of https://salutelazio.it/ and is missing the intermediate certificate so, @Nickoriginal, you were right. It's a server configuration issue: not all browser can trust the certificate without the intermediate being present in the chain!

Thanks. I'll try to contact the webmaster.

[Nickoriginal]

Preloading the intermediate certificates as described in bug 1520297 would also resolve this one automatically, while now it is tracked as INVALID.

[Nickoriginal]

I'll try to contact the webmaster.

You did it?

[quaqo]

I'll try to contact the webmaster.

You did it?

I did via multiple channels. No reply. It is managed by a govt contractor from what I understand, so it could take a while to have the email routed to the people able to act on it (there's no direct way to contact the tech dept).