-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cronvoy: support Android TLS mechanism #1575
Labels
Comments
alyssawilk
pushed a commit
to envoyproxy/envoy
that referenced
this issue
Aug 3, 2022
Commit Message: change TLS transport socket to use SSL_CTX_set_custom_verify() instead of SSL_CTX_set_verify() and change CertValidator interface to support async cert validation. Also change EnvoyQuicCertVerifier to use the new async interfaces. This change is needed for envoyproxy/envoy-mobile#1575. Envoy Mobile allows certificates to be verified by the OS-provided certificate verifier. And these verification can be very slow and so blocking the network thread while the verification happens is not an option. Instead, the verification should be performed asynchronously on a different thread. (This is how the cert verification works in Chrome, which is what we're modeling this implementation on). Risk Level: high, change boring SSL interface used Testing: added new unit tests and integration tests Docs Changes: release note Release Notes: documented tls transport changes. Runtime guard: envoy.reloadable_features.tls_async_cert_validation Signed-off-by: Dan Zhang <danzh@google.com>
Augustyniak
pushed a commit
that referenced
this issue
Oct 18, 2022
colibie
pushed a commit
to colibie/envoy-mobile
that referenced
this issue
Oct 22, 2022
Description: add engine API to allow user config to use Android cert validation APIs. Risk Level: high Testing: added tests in Http2TestServerTest.java Docs Changes: Release Notes: Fixes envoyproxy#1575 Part of envoyproxy#2144 Signed-off-by: danzh <danzh2010@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Android must control the available root certificates, as users can choose to revoke certificates on their Android devices. Hence, Android provides a Java API to verify a Server certificate. As usual, Cronet has a Java layer allowing JNI interactions with related Android system libraries. That Cronet layer is fairly complex:
AndroidNetworkLibrary.verifyServerCertificates
: that's the main method.AndroidCertVerifyResult
: this is the response to the above method. Requires some JNI invocations from the C++ layer to extirpate the data.X509Util
: that's where the subtle details reside. There are more JNI invocations in there.Also, to help with testing, there are two methods dealing with root certificates:
AndroidNetworkLibrary.addTestRootCertificate
AndroidNetworkLibrary.clearTestRootCertificates
The text was updated successfully, but these errors were encountered: