Conscrypt 2.5.0 upgrade (#6228)

Conscrypt 2.5.0 upgrade with a workaround for changed Conscrypt API

Author: yschimke

android-test/build.gradle

@@ -47,7 +47,7 @@ dependencies {
   }
   androidTestImplementation "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
   androidTestImplementation "org.bouncycastle:bctls-jdk15on:${versions.bouncycastle}"
-  androidTestImplementation "org.conscrypt:conscrypt-android:2.4.0"
+  androidTestImplementation "org.conscrypt:conscrypt-android:2.5.0"
   androidTestImplementation project(':mockwebserver')
   androidTestImplementation project(':okhttp-tls')
   androidTestImplementation project(':okhttp-dnsoverhttps')

build.gradle

@@ -7,7 +7,7 @@ buildscript {
       'bouncycastle': '1.65',
       'brotli': '0.1.2',
       'checkstyle': '8.28',
-      'conscrypt': '2.4.0',
+      'conscrypt': '2.5.0',
       'corretto': '1.3.1',
       'findbugs': '3.0.2',
       'guava': '28.2-jre',

okhttp/src/main/kotlin/okhttp3/internal/platform/ConscryptPlatform.kt

@@ -17,24 +17,25 @@ package okhttp3.internal.platform
 
 import java.security.KeyStore
 import java.security.Provider
+import java.security.cert.X509Certificate
 import javax.net.ssl.SSLContext
+import javax.net.ssl.SSLSession
 import javax.net.ssl.SSLSocket
 import javax.net.ssl.SSLSocketFactory
 import javax.net.ssl.TrustManager
 import javax.net.ssl.TrustManagerFactory
 import javax.net.ssl.X509TrustManager
 import okhttp3.Protocol
 import org.conscrypt.Conscrypt
+import org.conscrypt.ConscryptHostnameVerifier
 
 /**
  * Platform using Conscrypt (conscrypt.org) if installed as the first Security Provider.
  *
  * Requires org.conscrypt:conscrypt-openjdk-uber >= 2.1.0 on the classpath.
  */
 class ConscryptPlatform private constructor() : Platform() {
-  // n.b. We should consider defaulting to OpenJDK 11 trust manager
-  // https://groups.google.com/forum/#!topic/conscrypt/3vYzbesjOb4
-  private val provider: Provider = Conscrypt.newProviderBuilder().provideTrustManager(true).build()
+  private val provider: Provider = Conscrypt.newProvider()
 
   // See release notes https://groups.google.com/forum/#!forum/conscrypt
   // for version differences
@@ -50,10 +51,28 @@ class ConscryptPlatform private constructor() : Platform() {
       "Unexpected default trust managers: ${trustManagers.contentToString()}"
     }
     val x509TrustManager = trustManagers[0] as X509TrustManager
-    Conscrypt.setHostnameVerifier(x509TrustManager) { _, _ -> true }
+    // Disabled because OkHttp will run anyway
+    Conscrypt.setHostnameVerifier(x509TrustManager, DisabledHostnameVerifier)
     return x509TrustManager
   }
 
+  internal object DisabledHostnameVerifier : ConscryptHostnameVerifier {
+    fun verify(
+      hostname: String?,
+      session: SSLSession?
+    ): Boolean {
+      return true
+    }
+
+    override fun verify(
+      certs: Array<out X509Certificate>?,
+      hostname: String?,
+      session: SSLSession?
+    ): Boolean {
+      return true
+    }
+  }
+
   override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager? = null
 
   override fun configureTlsExtensions(
@@ -83,9 +102,7 @@ class ConscryptPlatform private constructor() : Platform() {
   override fun newSslSocketFactory(trustManager: X509TrustManager): SSLSocketFactory {
     return newSSLContext().apply {
       init(null, arrayOf<TrustManager>(trustManager), null)
-    }.socketFactory.also {
-      Conscrypt.setUseEngineSocket(it, true)
-    }
+    }.socketFactory
   }
 
   companion object {
@@ -94,6 +111,7 @@ class ConscryptPlatform private constructor() : Platform() {
       Class.forName("org.conscrypt.Conscrypt\$Version", false, javaClass.classLoader)
 
       when {
+        // Bump this version if we ever have a binary incompatibility
         Conscrypt.isAvailable() && atLeastVersion(2, 1, 0) -> true
         else -> false
       }