Fenix: [Feature Request] Trust user installed certificates on android device

I would like to bring up this issue again, because in combination with #4273, it makes it impossible for users to reach sites that have own certificate authorities (as my university does).

@kosciCZ is this still broken on Firefox Preview Nightly? We've added cert bypassing for most cert cases, including untrusted-root and self-signed.

@liuche yes, I can see it in nightly. Thanks!

Still rejects the AdGuard certificate which is even installed in the system store....

Does this feature request refer to user installed Client certificates as well or should a new Feature request be created

Is this in consideration or is the new Fenix not going to accept third-party certificates at all?

Is this in consideration or is the new Fenix not going to accept third-party certificates at all?

If the certificate is installed in your Android OS store then Firefox should (now) trust the certificate if you enable security.enterprise_roots.enabled in about:config.

But on possible in Beta / Developer / Stable due #9313 / #12288 / #7865

Is this in consideration or is the new Fenix not going to accept third-party certificates at all?

If the certificate is installed in your Android OS store then Firefox should (now) trust the certificate if you enable security.enterprise_roots.enabled in about:config.

Doesn't help. Adguard certificate is in system store and after setting that Firefox nightly still says secure connection failed

Is this in consideration or is the new Fenix not going to accept third-party certificates at all?

If the certificate is installed in your Android OS store then Firefox should (now) trust the certificate if you enable security.enterprise_roots.enabled in about:config.

Doesn't help. Adguard certificate is in system store and after setting that Firefox nightly still says secure connection failed

It works for me after switching the flag on about:config mentioned above.

Note, this is a system level certificate (moved via magisk) and not considered by android as a user certificate. Because a lot of apps don't accept user certificates and without https filtering adguard is almost useless in a lot of apps.

Idk if that needs to be separated into a new issue because it is still technically a user certificate in that it's not a default one.

The only resolution would either be to use the allow directly importing the certificate (old behavior) or trust the system store as well

@unixandria-xda I followed the step above and fenix now trusts the system store it seems. I ran the adguard test page and HTTPS filtering was enabled.

@unixandria-xda I followed the step above and fenix now trusts the system store it seems. I ran the adguard test page and HTTPS filtering was enabled.

AdGuard certificate doesn't automatically install to the system store unless you move it there or with Magisk (both require root access)

@jenabaivab

@unixandria-xda I dont have root access, but the above steps worked great for me, and for a few of my friends, none of which have any rooted devices. Must be device specific then.

There is no way to open about:config on current version of Firefox from Google Play.

Maybe unlock about:config with official relase migration from 68 ESR to 8X? Now need use Nightly.

Unless they're not working on it so fast, and maybe in 2021 at the earliest.

I hope this isn't offtopic but I would welcome some clarity on whether any attention being paid to this issue is in keeping with the opening summary: to have Fenix (which is, as of now, "Firefox" for anyone on recent Android) trust user-installed certificates by default.

I ask because a lot of the discussion above seems to relate to the System cert store and rooting, which are OT to the issue as posted, in my view.

I have seen the following rationale in Moz Support about why the System cert store is not trusted:

As you discovered Firefox for Android is a full browser replacement. It means that we don't depend on the Android phone certificate store. This allows us to provide a consistent experience for users connecting to secure sites across platforms and especially older versions of Android.

That makes perfect sense wrt the System store - it may be dangerously out-of-date on old phones - but not at all for the _User_ cert store, which I think anyone would agree is the device owner's responsibility to manage.

I won't get into use-cases; it seems quite clear that trusting the Android User cert store is simply the expected default behaviour. One shouldn't have to venture into here-be-dragons about:config territory (if I read the above correctly this is still possible though I'm not sure how) to accomplish that; rather, the reverse should be true.

Whether Moz wishes to provide UI to allow users to _diverge_ from the OS-default behaviour is an entirely separate matter.

Can anyone confirm that this remains the focus of this issue, because the commentary above makes me fear otherwise.

My preferred resolution is the old behavior: allowing us to import a certificate directly into Firefox's store, making whether it's a user or system cert irrelevant

My preferred resolution is the old behavior: allowing us to import a certificate directly into Firefox's store, making whether it's a user or system cert irrelevant

I hope you recognise though that that is quite different, both in intent and in scope of remedy, to what this Issue proposes.

The issue is that when a device-owner installs a cert system-wide (in the User store), it's reasonable to expect _all_ network-aware apps to trust that cert by default. It should be down to users who want Firefox to make an _exception_ to that default behaviour, to ask Moz to do the work to expose a UI to permit this.