Okhttp: Conscrypt use in Android forces HTTP/1.1

Created on 23 Jun 2019 · 12 Comments · Source: square/okhttp

Trying to use Conscrypt + OkHttp in Android seems to force HTTP/1.1. I suspect this is rare, since the most common options are

  1. AndroidPlatform just works (by a big majority)
  2. Use Google Play provider to upgrade Android without breaking AndroidPlatform (haven't seen this in the wild)

Conscrypt provider + AndroidPlatform seems to result in ALPN not working? You can't easily opt into ConscryptPlatform for a couple of reasons

  1. The ordering picks up AndroidPlatform first
  2. It's a final field after initialization, and a lot of frameworks, e.g. React Native, would trigger the platform earlier.
android bug


All 12 comments

It's working fine on a desktop, just on Android having issues testing.


Runtime socket with Conscrypt = org.conscrypt.Java8FileDescriptorSocket
AndroidPlatform uses com.android.org.conscrypt.OpenSSLSocketImpl

Also failing with GMS - com.google.android.gms.org.conscrypt.Java8FileDescriptorSocket

cc @swankjesse curious if this is surprising to you? Should we warn against using Gms provider until we fix this? Everything works, but HTTP/1.1 certainly isn't optimal.

I'll put a PR up for conscrypt support and Android to bump it to the top.

I'm surprised GMS doesn't work. I don't think Conscrypt on Android is common.

With GMS

sslSocketClass = com.android.org.conscrypt.OpenSSLSocketImpl

sslSocket is com.google.android.gms.org.conscrypt.Java8FileDescriptorSocket
com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket
com.google.android.gms.org.conscrypt.OpenSSLSocketImpl
com.google.android.gms.org.conscrypt.AbstractConscryptSocket
javax.net.ssl.SSLSocket

I don't think this is urgent, since it's opt-in per app. The default just works. But probably worth fixing in 3.12.x, 3.14.x and 4.1? Choosing high security here means giving up on HTTP/2 currently :(

Worth noting that I believe Google's Firestore SDK installs Conscrypt asynchronously behind the scenes. This can create a race condition when setting up new sockets.

My intended fix should handle the socket type changing
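
The check discussed in this thread (which socket class is actually in use at runtime, whether it matches the class AndroidPlatform is reported to use, and which protocol was negotiated) can be run in an app as an OkHttp network interceptor. This is an added example, not code from the thread or from OkHttp itself; the class name `AlpnDiagnosticInterceptor` and the use of `System.err` for output are assumptions, and the expected class name is the one quoted in the comments above.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.Security;
import javax.net.ssl.SSLSocket;
import okhttp3.Connection;
import okhttp3.Interceptor;
import okhttp3.Protocol;
import okhttp3.Response;

/** Hypothetical diagnostic; register with OkHttpClient.Builder.addNetworkInterceptor(). */
public final class AlpnDiagnosticInterceptor implements Interceptor {
  // Class name quoted in the thread as the one AndroidPlatform uses.
  private static final String EXPECTED = "com.android.org.conscrypt.OpenSSLSocketImpl";

  /** True if the object's class, or any of its superclasses, has the given name. */
  static boolean isInstanceOfNamed(Object socket, String className) {
    for (Class<?> c = socket.getClass(); c != null; c = c.getSuperclass()) {
      if (c.getName().equals(className)) return true;
    }
    return false;
  }

  /** Superclass chain, one class per line, similar to the dump posted in the thread. */
  static String hierarchy(Object socket) {
    StringBuilder sb = new StringBuilder();
    for (Class<?> c = socket.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
      sb.append("\n  ").append(c.getName());
    }
    return sb.toString();
  }

  @Override public Response intercept(Chain chain) throws IOException {
    Connection connection = chain.connection(); // non-null for network interceptors
    if (connection != null && connection.socket() instanceof SSLSocket) {
      Socket socket = connection.socket();
      boolean matches = isInstanceOfNamed(socket, EXPECTED);
      // HTTP/1.1 over TLS can be legitimate (server without h2); report it with
      // the socket class so a provider mismatch can be told apart from that case.
      if (connection.protocol() == Protocol.HTTP_1_1 || !matches) {
        System.err.println("protocol=" + connection.protocol()
            + " topProvider=" + Security.getProviders()[0].getName()
            + " matchesExpectedClass=" + matches
            + " socketHierarchy:" + hierarchy(socket));
      }
    }
    return chain.proceed(chain.request());
  }
}
```

Because providers can be installed after the client is built, as one comment notes for the Firestore SDK, the reported socket class may differ between connections made by the same client.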
