Document how to use Conscrypt on Android #3301

Closed
wants to merge 2 commits into from

Conversation

ejona86
Member

@ejona86 ejona86 commented Aug 2, 2017

No description provided.

@kraghu

kraghu commented Aug 2, 2017

@ejona86, can you update the readme with the size that Conscrypt will add to the app?

@ericgribkoff
Contributor

I don't think we can put a size in the readme, as new releases of the Conscrypt jar may change the size. There are tools available to figure out the APK size for a library, such as http://www.methodscount.com/?lib=org.conscrypt%3Aconscrypt-android%3A1.0.0.RC9

Contributor

@ericgribkoff ericgribkoff left a comment

LGTM, although we should probably wait until google/conscrypt#276 is fixed to merge this in.

You may need to [update the security provider](https://developer.android.com/training/articles/security-gms-provider.html) to enable ALPN support, especially for Android versions < 5.0. If the provider fails to update, ALPN may not work.
Although ALPN mostly works on newer Android releases (especially since 5.0),
there are bugs that impact users that are only fixed by upgrading the security
provider. In addition, for many users it is updated more quickly after
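Review bot: the README text above presents updating the security provider as the way to get ALPN on Android versions below 5.0, but as noted later in this thread (google/conscrypt#276), OkHttpProtocolNegotiator.AndroidNegotiator#pickTlsExtensionType decides on the detected API level rather than on the installed provider, so installing Conscrypt alone still leaves older devices on NPN. Suggest either stating that limitation next to "If the provider fails to update, ALPN may not work." or holding this paragraph until the negotiator fix lands.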
Contributor

The "it" here is a little bit confusing. Would it convey the same message to combine this and the previous sentence, into something like this:

> Although ALPN mostly works on newer Android releases (especially since 5.0),
> there are bugs and discovered security vulnerabilities that are only fixed by
> upgrading the security provider. Thus, we recommend using the Play Service
> Dynamic Security Provider for all Android versions.

@ericgribkoff
Contributor

Quick update: as pointed out on google/conscrypt#276, our OkHttpProtocolNegotiator.AndroidNegotiator#pickTlsExtensionType code is deciding based on the detected API level not to turn on ALPN for older devices, unless the GMSCore OpenSSL provider is found. Adding Conscrypt doesn't change the result of this check, so it's only enabling NPN. I'll send out a fix for this.

Additionally, on the devices I've tested, the instructions here require removing the existing provider (Security.removeProvider("AndroidOpenSSL");) before installing Conscrypt to take its place, although I'll have to look into this a bit more as I'm not confident that this is the most robust way to handle this.

@ejona86
Member Author

ejona86 commented Aug 18, 2017

> Additionally, on the devices I've tested, the instructions here require removing the existing provider (Security.removeProvider("AndroidOpenSSL");) before installing Conscrypt to take its place, although I'll have to look into this a bit more as I'm not confident that this is the most robust way to handle this.

We should discuss this some, as I'm having to figure out how I want to detect Conscrypt with OpenJDK. But as a basic workaround you can do Security.addProvider(Conscrypt.newProvider("SomeDifferentName")).

@kraghu

kraghu commented Aug 18, 2017

@ericgribkoff @ejona86 I am still waiting on this update. Please keep me posted ASAP. I also noticed that, for some weird reason, gRPC calls work on API 19 devices when I run the debugger.

If it helps, I also noticed that the API 19 devices available in the market are really lower-API devices that got upgraded; at least in UI terms they behave exactly like 15 or 16.

@ejona86
Member Author

ejona86 commented Aug 19, 2017

@ericgribkoff, I just thought of a hack that I think will work for @kraghu until we fix the gRPC bug. Just name Conscrypt "GmsCore_OpenSSL". That will avoid the Android version detection.

```java
Security.insertProviderAt(Conscrypt.newProvider("GmsCore_OpenSSL"), 1);
```

(insertProviderAt(blah, 1) makes sure it is clear it is the most-preferred provider. While the addProvider(blah) would work today, we feel we will need to make some changes in the search order that could break it in the future.)
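As an added example, not code from this PR or from the grpc-java or Conscrypt projects, here is a small Java helper that installs the bundled Conscrypt at position 1 under a caller-chosen name, as ejona86 suggests above, and then checks which provider a TLS `SSLContext` actually resolves to. The class and method names are hypothetical; it assumes the `org.conscrypt` Android artifact is on the classpath.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import org.conscrypt.Conscrypt;

/** Hypothetical helper: install Conscrypt as the most-preferred JCA provider and verify it took effect. */
public final class ConscryptInstaller {
    private ConscryptInstaller() {}

    /**
     * Installs Conscrypt at position 1 under the given name and returns the position it ended up at.
     * Security.insertProviderAt returns -1 when a provider with the same name is already registered,
     * which is why the thread suggests a name that does not collide with the platform's "AndroidOpenSSL".
     */
    public static int install(String providerName) {
        if (!Conscrypt.isAvailable()) {
            throw new IllegalStateException("Conscrypt native library is not loadable on this device/ABI");
        }
        Provider conscrypt = Conscrypt.newProvider(providerName);
        int position = Security.insertProviderAt(conscrypt, 1);
        if (position == -1) {
            throw new IllegalStateException("A provider named " + providerName + " is already installed");
        }
        return position;
    }

    /**
     * True only if a freshly created TLS context is backed by the bundled org.conscrypt provider.
     * Conscrypt.isConscrypt() is false for the platform's own copy (com.android.org.conscrypt), which is
     * the package seen in the stack trace later in this thread when the install has not taken effect.
     */
    public static boolean tlsResolvesToBundledConscrypt() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        boolean bundledPackage = factory.getClass().getName().startsWith("org.conscrypt.");
        return Conscrypt.isConscrypt(ctx) && bundledPackage;
    }

    /** Diagnostic string for logging: the provider order the JCA will search, most-preferred first. */
    public static String providerOrder() {
        StringBuilder sb = new StringBuilder();
        int i = 1;
        for (Provider p : Security.getProviders()) {
            sb.append(i++).append(". ").append(p.getName()).append(" (").append(p.getClass().getName()).append(")\n");
        }
        return sb.toString();
    }
}
```

Call `install(...)` once, early in `Application.onCreate()`, before any `SSLContext` is created; if `tlsResolvesToBundledConscrypt()` is false afterwards, `providerOrder()` shows which provider is shadowing it.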

@kraghu

kraghu commented Aug 21, 2017

@ejona86 @ericgribkoff I tried this approach. No luck :( It is throwing

```
GRPC ERROR:Status{code=UNAVAILABLE, description=null, cause=javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x636b66c0: Failure in SSL library, usually a protocol error
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x5d4e17d0:0x00000000)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)
    at io.grpc.okhttp.OkHttpProtocolNegotiator.negotiate(OkHttpProtocolNegotiator.java:103)
    at io.grpc.okhttp.OkHttpProtocolNegotiator$AndroidNegotiator.negotiate(OkHttpProtocolNegotiator.java:169)
    at io.grpc.okhttp.OkHttpTlsUpgrader.upgrade(OkHttpTlsUpgrader.java:76)
    at io.grpc.okhttp.OkHttpClientTransport$1.run(OkHttpClientTransport.java:433)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:117)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
    at java.lang.Thread.run(Thread.java:841)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x636b66c0: Failure in SSL library, usually a protocol error
error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x5d4e17d0:0x00000000)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
    ... 8 more
}
```

@ejona86
Member Author

ejona86 commented Jan 17, 2018

Closed in favor of #3971.

@ejona86 ejona86 closed this Jan 17, 2018
@ejona86 ejona86 deleted the security-conscrypt branch January 17, 2018 17:55
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2019