okhttp: support Conscrypt security provider #3971
Force-pushed from 63f249d to b3350be
assertEquals(TlsExtensionType.ALPN_AND_NPN, tlsExtensionType);

// Clean up
Security.removeProvider(fakeConscrypt.getName());
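Review bot: the Security.removeProvider(fakeConscrypt.getName()) on the last line only runs if the assertEquals above it passes; when the assertion fails, the fake Conscrypt provider stays registered for the whole JVM and can change what later tests in the same process see. Wrap the assertion in try/finally with the removal in the finally block, or move the removal into an @After method so it runs unconditionally.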
try-finally or similar (could maybe remove it unconditionally in the @After).
SECURITY.md (outdated)

import java.security.Security;
...

Security.addProvider(Conscrypt.newProvider());
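Review bot: Security.addProvider(Conscrypt.newProvider()) in the documented snippet appends Conscrypt at the lowest priority, so on a JVM that already has a working TLS provider installed, Conscrypt will not be the one selected. Document Security.insertProviderAt(Conscrypt.newProvider(), 1) instead, and note that this changes provider precedence for the entire process, not only for gRPC.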
We should prefer insertProviderAt so that Conscrypt can be prioritized.
Done
*/
private static Provider getAndroidSecurityProvider() {
- for (String providerClassName : ANDROID_SECURITY_PROVIDERS) {
+ for (String providerName : ANDROID_SECURITY_PROVIDERS) {
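Review bot: the renamed loop still iterates over the hard-coded ANDROID_SECURITY_PROVIDERS list, so the list order, not the order in which providers are installed in the JVM, decides which provider wins. Iterate Security.getProviders() (already sorted by priority) and return the first provider whose getName() is in the list, so that an application that installed a provider with insertProviderAt gets the precedence it asked for.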
We should loop through the providers in order and choose the first we can use. That way the user has some way of configuring our behavior, and our behavior will better match expectations.
Done
Force-pushed from c9808f6 to 8a71766
Moved the logic to decide what TLS extensions are available into

Worth noting: recent Android builds have AndroidNSSP (Android Network Security Policy) as the #1 security provider. I haven't looked into it, but it might be worthwhile adding this to the list of recognized security providers later.

@ejona86 FYI this was heavily refactored/redone since the earlier approval, so I'm holding off on merging until you have a chance to (re)review
This addresses #3966 and incorporates the text changes to SECURITY.md from #3301. Tested with org.conscrypt:conscrypt-android:1.0.0.RC14, as well as Google Play's security provider.

This changes our detection of the Google Play security provider from using the class name to the provider name, GmsCore_OpenSSL. This would seem to be equally as stable, and recent versions of OkHttp do the check similarly, although I realized in testing this that OkHttp uses GMSCore_OpenSSL, which did not work in my tests (checking elsewhere, it should indeed be GmsCore_OpenSSL, and the lookup is case-sensitive).
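The three provider-handling points discussed on this page (walking installed providers in priority order and taking the first usable one, the difference between Security.addProvider and Security.insertProviderAt, and the case-sensitive GmsCore_OpenSSL name lookup), pulled together in one added Java example. This is illustrative code written for this page, not grpc-java's or OkHttp's implementation: it uses constructed stand-in Provider subclasses named Conscrypt and GmsCore_OpenSSL instead of the real libraries, and the class name ProviderSelection and the whitelist KNOWN_TLS_PROVIDERS are assumptions. It needs Java 9 or later for the Provider(String, String, String) constructor.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

// Illustrative code written for this page; not grpc-java's implementation.
public final class ProviderSelection {
  // Assumed whitelist of provider names we know how to use. Its order is NOT a
  // preference: the JVM's installation order (Security.getProviders()) decides.
  static final List<String> KNOWN_TLS_PROVIDERS =
      Arrays.asList("GmsCore_OpenSSL", "Conscrypt", "AndroidOpenSSL");

  /** Walk installed providers in priority order; return the first one on the list, or null. */
  static Provider firstUsableProvider() {
    for (Provider p : Security.getProviders()) {
      // getName() comparison is exact: "GMSCore_OpenSSL" would never match.
      if (KNOWN_TLS_PROVIDERS.contains(p.getName())) {
        return p;
      }
    }
    return null;
  }

  /** Constructed stand-in so the demo needs no Conscrypt or Play Services jar. */
  static final class FakeProvider extends Provider {
    FakeProvider(String name) {
      super(name, "1.0", "constructed stand-in for " + name); // Java 9+ constructor
    }
  }

  static String nameOf(Provider p) {
    return p == null ? "none" : p.getName();
  }

  public static void main(String[] args) {
    Provider conscrypt = new FakeProvider("Conscrypt");
    Provider gms = new FakeProvider("GmsCore_OpenSSL");
    try {
      System.out.println("baseline:               " + nameOf(firstUsableProvider()));

      // addProvider appends at the LOWEST priority; any whitelisted provider
      // installed earlier would still win over it.
      Security.addProvider(conscrypt);
      System.out.println("after addProvider:      " + nameOf(firstUsableProvider()));

      // insertProviderAt(..., 1) makes the provider the highest-priority one
      // for the whole JVM, not just for this library.
      Security.insertProviderAt(gms, 1);
      System.out.println("after insertProviderAt: " + nameOf(firstUsableProvider()));

      // Security.getProvider(String) is case-sensitive, so the misspelled
      // name finds nothing even though the provider is installed.
      System.out.println("GMSCore_OpenSSL -> " + nameOf(Security.getProvider("GMSCore_OpenSSL")));
      System.out.println("GmsCore_OpenSSL -> " + nameOf(Security.getProvider("GmsCore_OpenSSL")));
    } finally {
      // Unregister unconditionally: a failure above must not leak the fakes
      // into the rest of the process (the same point as the try-finally comment).
      Security.removeProvider(gms.getName());
      Security.removeProvider(conscrypt.getName());
    }
  }
}
```

Compile and run with javac ProviderSelection.java && java ProviderSelection. On a stock JDK the baseline is "none" because SUN, SunJSSE and the other bundled providers are not on the whitelist; after addProvider the selection is Conscrypt (it is last in the chain, but nothing ahead of it matches), after insertProviderAt it is GmsCore_OpenSSL, and the GMSCore_OpenSSL lookup yields "none" while GmsCore_OpenSSL finds the provider. Real Android builds carry AndroidOpenSSL as the platform default; the whitelist above includes it only to show that the JVM order, not the list order, picks the winner.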