Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cronvoy: support Android TLS mechanism #1575

Closed
carloseltuerto opened this issue Jul 7, 2021 · 0 comments · Fixed by #2525
Closed

Cronvoy: support Android TLS mechanism #1575

carloseltuerto opened this issue Jul 7, 2021 · 0 comments · Fixed by #2525
Assignees
@goaway @DavidSchinazi @RyanTheOptimist
Labels
cronet enhancement New feature or request no stalebot

Comments

@carloseltuerto
Copy link
Contributor

carloseltuerto commented Jul 7, 2021
edited
Loading

Android must control the available root certificates, as users can choose to revoke certificates on their Android devices. Hence, Android provides a Java API to verify a Server certificate. As usual, Cronet has a Java layer allowing JNI interactions with related Android system libraries. That Cronet layer is fairly complex:

Also, to help with testing, there are two methods dealing with root certificates:
@alyssawilk alyssawilk removed their assignment Jul 8, 2021
@danzh2010 danzh2010 mentioned this issue Apr 4, 2022
Closed
@StefanoDuo StefanoDuo mentioned this issue Apr 28, 2022
Merged
@RyanTheOptimist RyanTheOptimist mentioned this issue May 25, 2022
Merged
@StefanoDuo StefanoDuo mentioned this issue Jun 17, 2022
Merged
alyssawilk pushed a commit to envoyproxy/envoy that referenced this issue Aug 3, 2022
@danzh2010
tls: support async cert validation (#21417)
a95d1b7 
Commit Message: change TLS transport socket to use SSL_CTX_set_custom_verify() instead of SSL_CTX_set_verify() and change CertValidator interface to support async cert validation. Also change EnvoyQuicCertVerifier to use the new async interfaces.

This change is needed for envoyproxy/envoy-mobile#1575. Envoy Mobile allows certificates to be verified by the OS-provided certificate verifier. And these verification can be very slow and so blocking the network thread while the verification happens is not an option. Instead, the verification should be performed asynchronously on a different thread. (This is how the cert verification works in Chrome, which is what we're modeling this implementation on).

Risk Level: high, change boring SSL interface used
Testing: added new unit tests and integration tests
Docs Changes: release note
Release Notes: documented tls transport changes.
Runtime guard: envoy.reloadable_features.tls_async_cert_validation

Signed-off-by: Dan Zhang <danzh@google.com>
@StefanoDuo StefanoDuo mentioned this issue Sep 2, 2022
Closed
@danzh2010 danzh2010 mentioned this issue Sep 6, 2022
Merged
Augustyniak pushed a commit that referenced this issue Oct 18, 2022
@danzh2010
cert validation: use Android cert validation APIs (#2525)
6b07e7d 
Description: add engine API to allow user config to use Android cert validation APIs.
Risk Level: high
Testing: added tests in Http2TestServerTest.java
Docs Changes: 
Release Notes:
Fixes #1575
Part of #2144
colibie pushed a commit to colibie/envoy-mobile that referenced this issue Oct 22, 2022
@danzh2010 @colibie
cert validation: use Android cert validation APIs (envoyproxy#2525)
c59a9aa 
Description: add engine API to allow user config to use Android cert validation APIs.
Risk Level: high
Testing: added tests in Http2TestServerTest.java
Docs Changes:
Release Notes:
Fixes envoyproxy#1575
Part of envoyproxy#2144

Signed-off-by: danzh <danzh2010@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@goaway goaway

@DavidSchinazi DavidSchinazi

@RyanTheOptimist RyanTheOptimist

Labels
cronet enhancement New feature or request no stalebot
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cert validation: use Android cert validation APIs danzh2010/envoy-mobile
5 participants
@goaway @DavidSchinazi @alyssawilk @RyanTheOptimist @carloseltuerto