52 lines
2.6 KiB
Markdown
52 lines
2.6 KiB
Markdown
Conscrypt Implementation Notes
|
|
========================================
|
|
|
|
Conscrypt has made some uncommon implementation choices which it's useful to be
|
|
aware of.
|
|
|
|
## TLS 1.3 Cipher Suites
|
|
|
|
The supported cipher suites in TLS 1.3 are always enabled. Attempts to disable
|
|
them by omitting them from calls to
|
|
[`setEnabledCipherSuites()`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites-java.lang.String:A-)
|
|
are ignored.
|
|
|
|
## Hostname Verification
|
|
|
|
Prior to version 2.5.0 Conscrypt's hostname verification (enabled by
|
|
[`setEndpointIdentificationAlgorithm("HTTPS")`](https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLParameters.html#setEndpointIdentificationAlgorithm-java.lang.String-))
|
|
defers entirely to the underlying platform's `HttpsURLConnection` hostname verifier.
|
|
|
|
The default `HostnameVerifier` on OpenJDK rejects all hostnames, and
|
|
so a `HostnameVerifier` or `ConscryptHostnameVerifier`
|
|
must be set in order to use hostname verification on OpenJDK. On Android, the default
|
|
`HostnameVerifier` performs [RFC 2818](https://tools.ietf.org/html/rfc2818)
|
|
hostname validation, so it will work out of the box.
|
|
|
|
As of version 2.5.0, Conscrypt ships with its own default `ConscryptHostnameVerifier`
|
|
and this is used on both Android and OpenJDK. It performs RFC 2818 verification
|
|
and is equivalent to the system `HostnameVerifier` on Android 10 and 11.
|
|
|
|
## AEAD Ciphers
|
|
|
|
Conscrypt's AEAD ciphers do not support incremental processing (i.e. they will
|
|
always return null from calls to
|
|
[`update()`](https://docs.oracle.com/javase/9/docs/api/javax/crypto/Cipher.html#update-byte:A-)).
|
|
Input is only processed on a call to
|
|
[`doFinal()`](https://docs.oracle.com/javase/9/docs/api/javax/crypto/Cipher.html#doFinal--).
|
|
This ensures that the caller cannot work with output data before the
|
|
authenticator has been processed, but it also means that the input data must be
|
|
buffered completely for each operation. This may necessitate splitting larger
|
|
inputs into chunks; see the [BoringSSL
|
|
docs](https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html)
|
|
for a discussion of important factors in doing so safely.
|
|
|
|
## OAEP Digests
|
|
|
|
Conscrypt's OAEP ciphers (eg, `RSA/ECB/OAEPWithSHA-256AndMGF1Padding`) use the
|
|
named digest for both the main digest and the MGF1 digest. This differs from
|
|
the behavior of some other providers, including the ones bundled with OpenJDK,
|
|
which always use SHA-1 for the MGF1 digest. For maximum compatibility, you
|
|
should use `RSA/ECB/OAEPPadding` and initialize it with an
|
|
[`OAEPParameterSpec`](https://docs.oracle.com/javase/9/docs/api/javax/crypto/spec/OAEPParameterSpec.html).
|