
Investigate TLSv1.3 with Conscrypt #7765

Open
ejona86 opened this issue Dec 28, 2020 · 3 comments

ejona86 commented Dec 28, 2020

For some reason Conscrypt is incompatible with TLSv1.3 in ways that I wouldn't expect. It is known incompatible with the default TrustManager on older JDKs because those don't support TLSv1.3. But I explicitly constructed a TrustManagerFactory with the Conscrypt provider and passed it to sslContextBuilder.trustManager(TrustManagerFactory) and it still failed (the stack trace makes it seem like it didn't use the TrustManager I provided):

JDK 8u232 (TlsTest)

java.security.cert.CertificateException: java.lang.IllegalArgumentException: TLSv1.3
    at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1654)
    at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    at org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:567)
    at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1097)
    at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1081)
    ... 26 more

    Caused by:
    java.lang.IllegalArgumentException: TLSv1.3
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:266)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at org.conscrypt.Platform.checkServerTrusted(Platform.java:330)
        at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1646)
        ... 30 more

But there are incompatibilities with JDK 8u275, which supports TLSv1.3, which is super-unfortunate:

java.security.cert.CertificateException: Unknown authType: GENERIC
    at sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:289)
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:144)
    at sun.security.validator.Validator.validate(Validator.java:284)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
    at org.conscrypt.Platform.checkServerTrusted(Platform.java:330)
    at org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1646)
    at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    at org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:567)
    at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1097)
    at org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1081)
@ejona86 ejona86 added this to the Next milestone Dec 28, 2020
@fbacchella

Conscrypt needs to use its own TrustManager when talking to TLS 1.3. For my own code, I needed to explicitly resolve it, and use the PKIX algorithm.
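
The resolution step described in the comment above, written out as an added example (this is not fbacchella's code, nor code from grpc-java or Conscrypt). It resolves a PKIX TrustManagerFactory from the Conscrypt provider itself, verifies that the resulting TrustManager really is a Conscrypt class rather than the JDK's sun.security.ssl.X509TrustManagerImpl seen in the stack traces, and hands it to Netty's SslContextBuilder.trustManager(TrustManagerFactory) together with GrpcSslContexts.configure(builder, provider). The KeyStore argument is assumed to be loaded by the caller; the class name check is a constructed sanity check, not a Conscrypt API.

```java
import java.security.KeyStore;
import java.security.Provider;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import org.conscrypt.Conscrypt;

public final class ConscryptTrust {

    // Resolve the PKIX TrustManagerFactory from the Conscrypt provider instance,
    // not from the default provider list, so chain verification is done by
    // Conscrypt's own X509TrustManager. trustStore is assumed to be loaded by
    // the caller; passing null falls back to the JDK default cacerts.
    static TrustManagerFactory conscryptTrustManagerFactory(
            Provider conscrypt, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", conscrypt);
        tmf.init(trustStore);
        return tmf;
    }

    // Sanity check (constructed for this example): confirm the factory produced a
    // Conscrypt TrustManager and did not silently fall back to the JDK one, which
    // is what the "IllegalArgumentException: TLSv1.3" trace above indicates.
    static boolean isConscryptTrustManager(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager
                    && tm.getClass().getName().startsWith("org.conscrypt.")) {
                return true;
            }
        }
        return false;
    }

    // Build a client SslContext that uses Conscrypt for the handshake and for trust
    // decisions, so both sides of the verification agree on the protocol string.
    static SslContext clientContext(KeyStore trustStore) throws Exception {
        Provider conscrypt = Conscrypt.newProvider();
        TrustManagerFactory tmf = conscryptTrustManagerFactory(conscrypt, trustStore);
        if (!isConscryptTrustManager(tmf)) {
            throw new IllegalStateException(
                    "expected a Conscrypt TrustManager, got " + tmf.getProvider().getName());
        }
        SslContextBuilder builder = SslContextBuilder.forClient().trustManager(tmf);
        return GrpcSslContexts.configure(builder, conscrypt).build();
    }
}
```

The explicit provider-instance lookup is the point: TrustManagerFactory.getInstance("PKIX") without a provider argument returns whichever provider is first in the JVM's provider list, which on the JDKs in this thread is the JDK's own implementation.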


ejona86 commented Jan 7, 2022

"Unknown authType: GENERIC" is discussed in google/conscrypt#1033


rbebb commented May 1, 2024

Out of curiosity, is TLS 1.3 support expected to be addressed?
