fails-components / webtransport

Http/3 webtransport support for node

Failure to connect in Firefox #277

Closed arobie1992 closed 6 months ago

arobie1992 commented 6 months ago

I'm getting a failure in Firefox and the error isn't much help.

Uncaught (in promise) 
WebTransportError { source: "session", streamErrorCode: null, name: "WebTransportError", message: "WebTransport connection rejected", code: 0, result: 0, filename: "", lineNumber: 0, columnNumber: 0, data: null }

I'm not seeing anything on the server side so I'm not sure it's even getting to the server. I think it might be related to the certificate and possibly a recent update to Firefox since everything was working perfectly fine up until about two days ago when I updated Firefox. The Firefox version is 124.0.1 64-bit for Mac running Sonoma 14.3. I tried regenerating the certificates since I thought maybe they expired since it'd been about two weeks, but no luck. Here's the command I used:

openssl req -new -x509 -nodes \
    -out cert.pem \
    -keyout key.pem \
    -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj '/CN=localhost' \
    -days 14

I did see the issue about localhost vs 127.0.0.1, but that didn't help, and also #237, but it seems like it might be a different issue. I was wondering if you'd noticed any changes with the most recent Firefox update, and any suggestions on troubleshooting would be greatly appreciated.

martenrichter commented 6 months ago

Could you let me know if you're using serverCertificateHashes? Short story: 1.) Firefox merged a faulty serverCertificateHashes implementation, which launched in 123: https://bugzilla.mozilla.org/show_bug.cgi?id=1806693 2.) I fixed it: https://bugzilla.mozilla.org/show_bug.cgi?id=1873263 and it will appear in 125, so try it with nightly or the developer edition, or wait some time.

So, there is no problem with the package, but the spec was not read correctly. Anyway, serverCertificateHashes would not have worked before 123 anyway.

arobie1992 commented 6 months ago

I didn't do anything to explicitly configure serverCertificateHashes, so I don't think so unless FF does something behind the scenes. Here's the web page and server code in case you want to take a look.

I'll try actually passing the cert hashes and see if I can test it out on nightly. Thanks for the info.

martenrichter commented 6 months ago

No, then it is not related if serverCertificateHashes is not specified. I will take a look next weekend with Firefox on my test cases. But please check nightly; it must be another change on the FF side or my side.

martenrichter commented 6 months ago

You generate a certificate for yourself. The certificate seems not to be part of a chain of trust to the root certificates included in Firefox. So, the browser has to reject the connection, and it is not an error but a security feature. A self-generated certificate with a validity lower than 14 days works only if its hash is set in serverCertificateHashes, which you did not do. So, I do not understand why it should have worked in the first place.

arobie1992 commented 6 months ago

So, I do not understand why it should have worked in the first place.

That's where I'm at at the moment too. I tested on the latest nightly release, 123.0.1, and 122.0.0 just to be safe and all of them are exhibiting the same behavior, so I did some more reading up on WebTransport's expected behavior and like you said it seems like it should have been failing this whole time. I'm starting to wonder if I configured something within my Firefox installation that I forgot about and later got reset when I updated. If I happen to figure out why it was working I'll update here, but for now, I'm going to close the issue and hopefully get things working with the cert hashes. Thanks for your help.