Comments (16)
@dave-r12 ah ok, makes sense. Yeah, the engine-based socket should make things easier for you then, since there's no black magic involved (e.g. writing to the FD directly via JNI).
If for some reason you decide to use Conscrypt's SSLEngine
directly, it should handle all of the security concerns for you ... after all, that's its job :)
from conscrypt.
I briefly looked at this a while ago. There seem to be a lot of fiddly interaction with FileDescriptor
instances to make sockets work correctly.
from conscrypt.
@kruton the new socket won't have a FileDescriptor
, so I would think it should make things simpler, no? Or is something else trying to access the underlying file?
from conscrypt.
Maybe it won't matter since you're basically going to be only reading from the wrapped Socket
's InputStream
. However, this may be a performance regression because you'd have to make at least one more copy now. One to get data from the OS copied to the underlying Socket
buffer and then another one to copy the received data into BoringSSL.
from conscrypt.
@kruton Agreed ... we need to benchmark the new socket on android to confirm there is no performance regression (#10)
from conscrypt.
Re-targeting for 1.0.0
. We need this to properly handle closures of the underlying FD.
from conscrypt.
@flooey can we throw the flag and make this the default? It would be good to make the switch before 1.0.0 if possible.
from conscrypt.
Android needs the socket implementation to support renegotiation (which has no tests, so you need to fix that first... which will needs someone with TLS expertise and a lot of time to test, see #228 ). The engine implementation does not support renegotiation. Merely adding renegotiation support to the engine implementation will also take someone with a even more TLS expertise. (BoringSSL tightly limits renegotiation for security reasons and you all will need to think hard about how it is exposed via engine as a result of those.)
I don't think you'll be able to do this for 1.0.0 if you want that done soon.
[Edit: fixed bug number]
from conscrypt.
@davidben ok thanks, I guess we'll punt on this for now then.
from conscrypt.
Once this change is completed, will it then be possible to count the number of bytes used by the SSLSocket
? Seems the OpenSSL implementation does a JNI call so there is no way to capture the number of bytes written/read to the underlying socket.
from conscrypt.
@dave-r12 could you just use a delegate socket that counts the bytes written?
from conscrypt.
@nmittler I think I've done just that. Is this what you mean? I created a DelegatingSocket
class that extends Socket. All methods get delegated except getInputStream()
and getOutputStream()
. These get wrapped so the bytes get counted. But this will only work if the SSLSocket
writes to the underlying Socket input/output streams.
from conscrypt.
@dave-r12 yeah that's right.
But this will only work if the SSLSocket writes to the underlying Socket input/output streams.
The engine-based socket currently uses the underlying socket's streams directly. I had explored writing to a channel (if the underlying socket has one), but the performance improvement seemed relatively minor and not worth the added complexity. Even if we were using channels, your delegation pattern could account for that as well.
I'm assuming that you are currently using the FD-based socket? What is your byte-counting strategy for that?
from conscrypt.
The engine-based socket currently uses the underlying socket's streams directly.
Gotcha, thanks. I believe that answers my question (assuming you don't change the implementation.)
I'm assuming that you are currently using the FD-based socket? What is your byte-counting strategy for that?
I'm stuck 'cause it's making JNI calls. The only other idea I had was to use an SSLEngine
and do everything manually. I'm nervous though, I don't want to screw up security! And I've read it wasn't given much love in earlier versions of Android.
from conscrypt.
@flooey is this still on the radar? It would be good to have a single socke impl.
from conscrypt.
@nmittler It's still something I'd like to do but other things have been above it on the priority list. The main blocker is #433, which I haven't been able to make progress on diagnosing yet.
from conscrypt.
Related Issues (20)
- Decrypt conscrypt code
- Additional secure PSK cipher suites
- Need help to understand this point of validating the trust. HOT 2
- signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10000012c HOT 6
- Virtual thread pinning using Conscrypt with Socket APIs HOT 5
- jmigrate reports errors with org.conscrypt.Platform library HOT 1
- Remove sun.security.x509 dependency
- Can armeabi architecture be supported?
- May I ask how to build Android so files? HOT 2
- OpenSSLX509CRLEntry.hasUnsupportedCriticalExtension shouldn't call X509_supported_extensions HOT 2
- Sangat Berpuas Hati Dengan meneruskan, anda bersetuju Google menggunakan jawapan, maklumat akaun & sistem anda untuk meningkatkan perkhidmatan, mengikut Privasi & Syarat kami . HOT 1
- Native crash with latest BoringSSL HOT 8
- Recommended way to use Pre-Shared Key ?
- OkHttp Websocket connection failing few seconds after getting connected HOT 2
- RSA "NoPadding" encryption is considered not secure but required by conscrypt to support TLS RSA-PSS signing algorithm HOT 8
- SSP... VLMC.Hammer HOT 2
- Compatibility Issue with GLIBC 2.12 on CentOS 6
- how to mock chrome tls or ja3 fingerprint?
- Is there a plan to change the pseudo random number code from SHA-1 to SHA-2?
- libconscrypt_jni.so is not 16kb aligned for Android HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from conscrypt.