Add support for ECH on Android 37 by yschimke · Pull Request #9383 · square/okhttp

yschimke · 2026-03-19T16:41:28Z

Adds an Android 17 platform path that uses public Android APIs for ALPN, session tickets, domain encryption policy, and ECH socket configuration.
Uses Android DnsResolver HTTPS/SVCB lookups to capture ECH configuration records alongside address resolution.
Introduces typed ECH DNS records so Dns implementations can expose platform-specific ECH data without returning raw Any values.
Applies Android EchConfigList values to TLS sockets when the active EchMode attempts ECH.
Uses NetworkSecurityPolicy.getDomainEncryptionMode() to select the ECH mode for each host.
Retries once without ECH when the platform reports an ECH configuration mismatch and the active mode permits fallback.
Tags live external ECH checks as Remote so they don't run in normal CI.
Includes CI cleanup for the AGP source-set API change and Android localhost cleartext test traffic.

Validation is mostly local Android/JVM compile and API checks, plus host-side tests for the DNS/ECH policy plumbing. The live ECH tests remain opt-in because
they depend on external servers.

# Conflicts: # android-test/build.gradle.kts # android-test/src/androidDeviceTest/java/okhttp/android/test/EchTest.kt # okhttp/build.gradle.kts

# Conflicts: # gradle/libs.versions.toml # okhttp/build.gradle.kts

+          emulator-options: >
+            -no-window
+            -gpu swiftshader_indirect
+            -noaudio


+          emulator-options: >
+            -no-window
+            -gpu swiftshader_indirect
+            -noaudio


yschimke and others added 13 commits January 16, 2026 11:23

Testing ECH in Android Platform

4f8e286

More testing

e21fd68

Fixes

8b062b8

Merge branch 'master' into testing_ech

292d40a

# Conflicts: # android-test/build.gradle.kts # android-test/src/androidDeviceTest/java/okhttp/android/test/EchTest.kt # okhttp/build.gradle.kts

Fixes

5b46c86

Fixes

7e08fcb

Fixes

9692d67

Fixes

7ec38bf

More fixes

33c62cd

More fixes

2ea576e

More fixes

cc06a75

More fixes

cbecbaa

Refactor

487bc99

yschimke mentioned this pull request Mar 19, 2026

Encrypted SNI or ClientHello #6539

Closed

yschimke added 2 commits April 4, 2026 22:30

Merge branch 'master' into testing_ech

2d8237e

Android API 37

7029d12

This comment has been minimized.

Sign in to view

Testing with robolectric also

ae060bb

yschimke mentioned this pull request Apr 5, 2026

Basic TLS Encrypted ClientHello (ECH) support (java layer) google/conscrypt#1406

Open

yschimke and others added 6 commits April 30, 2026 15:54

Merge branch 'master' into testing_ech

dc0f8ca

# Conflicts: # gradle/libs.versions.toml # okhttp/build.gradle.kts

More fixes

1a05f84

Fix ECH branch CI failures

e034658

Avoid AGP source set cast for android tests

04f4a43

Permit localhost cleartext in Android tests

8702756

Document ECH public APIs

ffe3d69

yschimke changed the title ~~Testing ech~~ Add support for ECH on Android 37 May 4, 2026

yschimke marked this pull request as ready for review May 4, 2026 10:19

yschimke force-pushed the testing_ech branch from d010489 to e4a5c1a Compare May 4, 2026 10:38

yschimke requested a review from swankjesse May 4, 2026 10:51

yschimke force-pushed the testing_ech branch from e4a5c1a to 07d48c3 Compare May 4, 2026 10:51

yschimke force-pushed the testing_ech branch 4 times, most recently from a2bf44c to 4d5b91f Compare May 4, 2026 12:13

Harden Android ECH support

b2652bb

yschimke force-pushed the testing_ech branch from 4d5b91f to b2652bb Compare May 4, 2026 12:26

yschimke added 4 commits May 4, 2026 13:52

Temporarily focus CI on Android API 37

ccde3d3

Use explicit adb path for Android 37 CI

1b74946

Fix Android 37 cleanup workflow syntax

d71c148

Split Android 37 CI into separate job

1fb1f76

github-advanced-security AI found potential problems May 4, 2026

View reviewed changes

Comment thread .github/workflows/build.yml

emulator-options: >

-no-window

-gpu swiftshader_indirect

-noaudio

github-advanced-security AI found potential problems May 4, 2026

View reviewed changes

Comment thread .github/workflows/build.yml

emulator-options: >

-no-window

-gpu swiftshader_indirect

-noaudio

yschimke added 7 commits May 4, 2026 15:52

Wait for Android 37 package services

5febd47

Try Android 37 Play Store system image

b890bb3

Isolate Android 37 emulator job

ec7e36d

Initialize OkHttp in public suffix Android test

892472b

Re-enable regular build jobs

72742fe

Restore conditional build job gates

8cd005f

Pin Android 37 workflow actions

994fe6f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for ECH on Android 37#9383

Add support for ECH on Android 37#9383
yschimke wants to merge 34 commits intosquare:masterfrom
yschimke:testing_ech

yschimke commented Mar 19, 2026 •

edited

Loading

Uh oh!

This comment has been minimized.

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

yschimke commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment has been minimized.

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

yschimke commented Mar 19, 2026 •

edited

Loading