-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
android: more detail for test config verify exception #75
Conversation
...id/rustls-platform-verifier/src/main/java/org/rustls/platformverifier/CertificateVerifier.kt
Show resolved
Hide resolved
f5d114b
to
75964ec
Compare
I'm starting to wonder if instead of these gymnastics we should just back out the |
Recently CI started failing the real world verification suite on Android. The root cause was the vendored Let's Encrypt end entity certificate expiring. Figuring this out was hard for two main reasons: 1. CI was eating the Android logs we needed to see the error message. This has since been fixed. 2. The Android verifier was surfacing the expiration as an unknown issuer error with a generic "Chain validation failed" message. This branch attempts to fix item 2 by surfacing a more relevant error message. Unfortunately doing so is a little bit annoying. The `checkServerTrusted` call throws an exception with ~3 layers of wrapping before you get at the `CertificateExpiredException` that's the root cause. Since non-test configurations should never have an expired exception thrown at this stage (recall we check this explicitly earlier in processing), we gate the more complicated excepting "digging" based on `BuildConfig.TEST`. This should be a good balance of: * not changing existing behaviour, or introducing complexity for normal validation * surfacing a better error message when test certificates expire and start to break CI.
75964ec
to
0bd1947
Compare
@complexspaces WDYT ☝️ vs this branch? In a perfect world we'd fix #59 instead of doing either but I don't think I'll personally be able to find time to work on that solution and it would be nice to have CI report the correct failure before it happens on April 26th (and every 90d afterwards). |
I'm not pushed either way, honestly. If we backed the |
That works for me :-) If you have a chance to put a review on this branch I'll merge when ready. |
Thanks! |
Recently CI started failing the real world verification suite on Android (#68). The root cause was the vendored Let's Encrypt end entity certificate expiring. Figuring this out was hard for two main reasons:
CI was eating the Android logs we needed to see the error message. This has since been fixed (Update Android test action and fix outstanding CI issues #72).
The Android verifier was surfacing the expiration as an unknown issuer error with a generic "Chain validation failed" message.
This branch attempts to fix item 2 by surfacing a more relevant error message.
Unfortunately doing so is a little bit annoying. The
checkServerTrusted
call throws an exception with ~3 layers of wrapping before you get at theCertificateExpiredException
that's the root cause.Since non-test configurations should never have an expired exception thrown at this stage (recall we check this explicitly earlier in processing), we gate the more complicated exception "digging" based on
BuildConfig.TEST
.This should be a good balance of:
Before this fix running the verification test suite back at 6cd0232 before 15d487a landed would produce output like:
Afterwards it logs output like: