NetCipherConscrypt (!86) · Merge requests · guardianproject / NetCipher

The source project of this merge request has been removed.

Michael Pöhn requested to merge (removed):conscrypt into master Nov 26, 2019

This is a rough POC for mapping out how to wrap conscrypt into a new SecurityProvider and hooking into that Providers SSLSocketFactory. This way we can configure the configuration new SSLSocket on an API level.

This approach even allows us to remove the Default SSL implementations, for ensuring that only Conscript based Sockets are available:

Security.insertProviderAt(NetCipherConscrypt.newProvider(), 1);
Security.removeProvider("AndroidOpenSSL");
Security.removeProvider("Conscrypt");

I've also added a Sample Application sample-conscrypt for demonstrating how this works.

It's important to understand that libraries using TLS need to do a SSLSocketFactory lookup. Some libraries don't do this correctly, eg: HttpsUrlConnection before Android 8.1 (api 27) will always statically pick the built in SSL provider or fail obtaining a TLS socket.

(Note: This POC uses info.guardianproject.netcipher.client.TlsOnlySocketFactory which is custom built to deal with the quirks of AndroidOpenSSL. It's not a perfect match for Conscrypt and may not yield the strictest available TLS configuration. (eg.: on Build.Version.SDK_INT <= 23 it will not remove TLS1 and TLS1.1 even thou Conscrypt provides TLS1.2 and TLS1.3))

Edited Dec 17, 2019 by Hans-Christoph Steiner

NetCipherConscrypt

Merge request reports