New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added AOSP OkHostnameVerifier to have usable default ConscryptHostnameVerifier #867
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the work! It seems right to me. Probably tests for OkHostnameVerifier need to be added as well? If this is ready to run, I can verify this with gRPC to check whether it can work with gRPC TLS which wasn't working with Conscrypt 2.4.
I think tests have to be part of this PR: (1) negative test to verify we don't have accept all verifier and (2) positive one to verify this new HostnameVerifier. |
Yeah, Danny is planning to bring over the unit test for |
This PR still can't allow gRPC to connect to GCS server with the same To see why
And the log is as follows (full log is conscrypt-pr-netty4.1.51.txt)
|
@ejona86 Can you take a look at this? |
From my code-read, it seems that there are some mismatch between Netty and Conscrypt. Netty inits the peer's certificates after the handshake finishes. (code) In this case, however, the process of handshake is in progress so certs cannot be there and calling Conscrypt seems to follow this semantics; I think that a solution is adding @prbprbprb @daulet WDTY? |
This is required, as |
This is true, but presumably the code calling On the one hand, passing the handshake session to the hostname verifier guarantees it looks at the leaf certificate even if the calling code only passes in a partial chain1, but I also suspect the shape of the internal APIs were driven by the (ab)use of We can refactor this later if it turns out to be wrong but I don't want to introduce a behaviour change that might cause Android app compat issues as part of this CL.
|
Oh sorry, somehow my email thread didn't include Esun's exception. It sounds like Netty's I hadn't really considered the scenario that stack trace suggests where you are using Netty's It looks like they're maybe calling back into Java from native code to verify certificates (maybe as a prelude to adding them to the handshake SSLContext), but they're also checking whether the certificate is trusted at the same time (otherwise why are they calling I'm fairly confident the Conscrypt approach is correct (I don't think it's unreasonable to expect that an |
As a proof-of-concept (veblush@b8e0514), I tried to change the signature of
and made There is another way to detour this; Introducing
|
@normanmaurer Can you please check #867 (comment) about how Netty and Conscrypt work together? |
Yeah, that's the way I'd do it too...introducing yet another verifier abstraction will lead to future pain. On the face of it this is quite attractive - no behaviour change on Android (because However it leads to some ambiguity with user-supplied So I do have some more questions before we commit to this:
|
I don't know much about the detail on how Netty and Conscrypt works to answer your questions correctly. AFAIK, configuration should be correct. I guess it's expected that the Conscrypt's trust manager is called by Netty because Conscrypt was given as a default security provider by the my benchmark's init code.
FYI, we used to use following code to detour this problem but it has its own problem which cannot support TLS 1.3.
|
In that test Conscrypt is the very first security provider, to improve performance HTTP clients. So it is the default TLS provider or purpose and it just so happens to be the default TrustManager provider. Because the default TLS provider has been classically poor, gRPC uses netty_tcnative if it is available. Long-term we'd like to change that, but it has been the long-standing behavior. By default, Netty will use the default TrustManager. That means gRPC will select netty_tcnative and Netty will use Conscrypt's TrustManager with it. I'd say "everything is working as intended" since the user did specify Conscrypt as the first security provider, and gRPC is not yet favoring Conscrypt if both Conscrypt and tcnative are available.
Isn't it only supposed to be called once? No, it is not a bug that SSLSession lacks the certificate list. As I said earlier it is mandatory per the API. If Conscrypt is setting the certificate chain in SSLSession before the TrustManager processes the chain, then it seems that could be considered a security vulnerability. (Not very severe of a vulnerability on OpenJDK, since it's unlikely for there to be broken code on the JDK since the JDK will throw in that situation. On Android it would be a bigger problem.) |
Fair enough.
Yup, I was correcting my speculation above that maybe Netty was calling once for each peer certificate
I think there's some confusion here. Absolutely certificates can't go into the final Unhelpfully the JSSE ref guide doesn't say whether those parameters may include certificates under consideration, just "In some cases, parameters negotiated during the handshake are needed later in the handshake to make decisions about trust". However I tested on the RI (openjdk 8 and 11) and neither of these populate the certificates in the handshake session, so this looks like another Consrypt "quirk", possibly added just to support the way hostname verification works on Android. There's no vulnerability though, the peer certificates still won't get into the final Anyway, sorry if this seems like a lot of angsting over a small detail, but (1) eventually I think the upshot is:-
tl;dr for Daniel: We should make the interface look like this and the default implementation (used on unbundled android and openjdk) should only look at the
|
4df5eda
to
ab41c26
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Sorry for the delay reviewing, I thought we were still waiting for the HostnameVerifierTest
, I didn't notice that Github was just hiding the diff :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all your work on this!
Danny, thank you for your work! |
initial PR just to go over the path in how I am using the new verifier and plumbing it through the two platforms.
@prbprbprb @veblush