From 53d2a73e3d0c264f780432d9a7c575caed62b560 Mon Sep 17 00:00:00 2001 From: Chengyuan Zhang Date: Tue, 21 Apr 2020 17:56:39 -0700 Subject: [PATCH] Update SECURITY.md to instruct users disabling Conscrypt's TrustManager implementation, which always fails. --- SECURITY.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 5b4c75f485f..45d75542bb4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -232,9 +232,14 @@ import java.security.Security; ... // Somewhere in main() -Security.insertProviderAt(Conscrypt.newProvider(), 1); +Security.insertProviderAt( + Conscrypt.newProviderBuilder().provideTrustManager(false).build(), 1); ``` +Note: according to [Conscrypt Implementation Notes](https://github.com/google/conscrypt/blob/2.4.0/IMPLEMENTATION_NOTES.md#hostname-verification), +its default `HostnameVerifier` on OpenJDK always fails. This can be worked +around by disabling its default `TrustManager` implementation as shown above. + ### TLS with Jetty ALPN **Please do not use Jetty ALPN**
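Review bot: The added note names two different components without tying them together: the first sentence says Conscrypt's default `HostnameVerifier` always fails on OpenJDK, and the second says the workaround is to disable its `TrustManager`; a reader who does not follow the link cannot tell why disabling one fixes the other, nor whether hostname verification still happens afterwards. Suggest spelling out the consequence of `provideTrustManager(false)` in the note, e.g. that Conscrypt then stops registering its own `TrustManagerFactory` and the JDK's default `TrustManager` (from the next provider in the list) is used for certificate and hostname checks, so the TLS connection is still validated against the platform trust store. The subject line has the same ambiguity ("TrustManager implementation, which always fails"); it is the hostname verification inside that implementation that fails, and it would be clearer to say so. Finally, `newProviderBuilder().provideTrustManager(false)` is only available in Conscrypt versions that ship the builder API; since the rest of SECURITY.md pins dependency versions, a sentence stating the minimum Conscrypt version this snippet requires would save users on older artifacts a compile error.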