Insecure Implementation of SSL org/conscrypt/Conscrypt.java


Kevin Mu

May 15, 2024, 7:23:42 PM
to cons...@googlegroups.com
Hello,

I am using Conscrypt version 2.5.2 as the security provider of my Android app with the code below:

import java.security.Security
import org.conscrypt.Conscrypt

try {
    // Register Conscrypt as the highest-priority JCA/JSSE provider
    Security.insertProviderAt(Conscrypt.newProvider(), 1)
} catch (e: NoClassDefFoundError) {
    // Conscrypt classes missing from the APK; logger is the app's own logger
    logger.e(throwable = e)
}

However, an Android static analysis report complained about an “Insecure Implementation of SSL”, as attached. It looks like 2.5.2 was released 3 years ago;
I just wonder whether anyone has reported this issue or whether some fix has been applied on the master branch.
Screenshot 2024-05-15 at 7.12.24 PM.png
Thanks very much.

Kevin

Trusting all the certificates or accepti

Kevin Mu

Software Engineer
Shift4
888.276.2108



Fabrice Bacchella

May 16, 2024, 2:48:59 AM
to Kevin Mu, cons...@googlegroups.com
Handling of trust is done in Java code, not OpenSSL.


Kevin Mu

May 16, 2024, 9:53:11 AM
to Pete Bentley, Fabrice Bacchella, cons...@googlegroups.com
Hi Pete,

Thanks very much for the input. I just added the provider in my app without any customized override in Conscrypt.java, and it actually worked functionally well for HTTPS connections, but the scanning tool complained about an insecure implementation of SSL in Conscrypt.java itself. If we have to add our own root CA to the trusted whitelist and enable verifying the full trust chain in TrustManagerImpl.java to pass the security scan, please advise any pieces of example code as reference, thanks.

Cheers,

Kevin



On May 16, 2024, at 9:37 AM, Pete Bentley <p...@google.com> wrote:

I think your static analysis tool is a bit over-sensitive; you might want to send some feedback to the vendor. 😀

It's interesting that it flags Conscrypt.java for this, as there is no TrustManager implementation in that class, just some utilities.

The actual TrustManager in Conscrypt (TrustManagerImpl) will accept some self-signed certificates but only the root CAs for the current platform, which is expected.

In general "don't implement your own TrustManager" is sound advice - it's very easy to get wrong in subtle ways that can make your application insecure. However, as Conscrypt is the primary TLS Provider on Android, we actually need our own implementation and it seems to be working fine on a billion devices...
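Kevin asked above for example code for trusting his own root CA, and Pete's point is that a hand-written TrustManager is exactly the thing that is easy to get wrong. The Java below is an added example, not code from this thread or from Conscrypt. It shows side by side the trust-all TrustManager shape that scanners report as "Insecure Implementation of SSL", and a way to trust a private root CA without implementing a TrustManager at all: load the root into a KeyStore and hand it to the platform TrustManagerFactory, so chain validation is still done by the installed provider (on Android with Conscrypt at position 1, that is the TrustManagerImpl Pete mentions). The class name, the "private-root" alias and the command-line usage are illustrative assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the thread or from Conscrypt). The class name and
// the "private-root" alias are illustrative assumptions.
public final class TrustExamples {

    // INSECURE: the shape static analysers report as "Insecure Implementation
    // of SSL". Both check methods accept every chain, so an on-path attacker
    // can present any certificate and read or modify the traffic. Shown only
    // so the pattern is recognisable; never ship it.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /**
     * SECURE: trust a private root CA without implementing a TrustManager.
     * The PEM/DER root is placed in an in-memory KeyStore and handed to the
     * platform TrustManagerFactory, so chain building, validity periods,
     * key usage and name constraints are still checked by the installed
     * provider (on Android with Conscrypt, that is TrustManagerImpl).
     * Only this root is trusted by the returned manager; system CAs are
     * deliberately excluded.
     */
    static X509TrustManager trustManagerForRoot(InputStream rootCa) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate) cf.generateCertificate(rootCa);

        // A trust anchor must be a CA certificate; getBasicConstraints() is -1 otherwise.
        if (root.getBasicConstraints() < 0) {
            throw new IllegalArgumentException(
                "not a CA certificate: " + root.getSubjectX500Principal());
        }
        // Fail fast on an expired anchor instead of at the first connection.
        root.checkValidity();

        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);                       // fresh, empty, in-memory store
        anchors.setCertificateEntry("private-root", root);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);                              // provider-implemented trust manager
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("provider returned no X509TrustManager");
    }

    /** SSLContext that accepts only chains ending in the given root. */
    static SSLContext contextTrustingRoot(InputStream rootCa) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerForRoot(rootCa) }, null);
        return ctx;
    }

    // Usage: java TrustExamples path/to/private-root.pem
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509TrustManager tm = trustManagerForRoot(in);
            for (X509Certificate anchor : tm.getAcceptedIssuers()) {
                System.out.println("trust anchor: " + anchor.getSubjectX500Principal());
            }
        }
    }
}
```

Two caveats go with this. First, initialising the factory with a KeyStore that holds only your root means that context trusts nothing else; if the app should keep trusting the system CAs as well, the zero-code route on Android 7+ is a Network Security Config (res/xml/network_security_config.xml) whose trust-anchors list both the system store and your bundled CA, which again leaves the verification to the platform. Second, the TrustManager only validates the chain; hostname verification is a separate step done by HttpsURLConnection or the HTTP client, so pairing a correct TrustManager with an allow-all HostnameVerifier reopens the same hole and is flagged by the same scanners.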
