From 3a0c112fade89b54c3313f35af5632bf8ac42994 Mon Sep 17 00:00:00 2001
From: Ricki Hirner
Date: Sat, 25 Mar 2017 19:51:11 +0100
Subject: [PATCH] Enable SSL_RSA_WITH_3DES_EDE_CBC_SHA for all Android versions * refactor cipher selection
---
 app/build.gradle | 2 +-
 .../syncadapter/SSLSocketFactoryCompat.java | 79 +++++++++----------
 2 files changed, 40 insertions(+), 41 deletions(-)
diff --git a/app/build.gradle b/app/build.gradle
index e7f63e66..6dcd19aa 100644
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -135,7 +135,7 @@ dependencies {
 compile group: 'com.madgag.spongycastle', name: 'prov', version: '1.54.0.0'
 compile group: 'com.google.code.gson', name: 'gson', version: '1.7.2'
 compile 'com.squareup.okhttp3:logging-interceptor:3.6.0'
- provided 'org.projectlombok:lombok:1.16.14'
+ provided 'org.projectlombok:lombok:1.16.16'
 // for tests
 androidTestCompile('com.android.support.test:runner:0.5') {
diff --git a/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java b/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
index 95a56e0c..53aff476 100644
--- a/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
+++ b/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
@@ -52,46 +52,45 @@ public class SSLSocketFactoryCompat extends SSLSocketFactory {
 SSLSocketFactoryCompat.protocols = protocols.toArray(new String[protocols.size()]);
 /* set up reasonable cipher suites */
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
- // choose known secure cipher suites
- List allowedCiphers = Arrays.asList(
- // TLS 1.2
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- // maximum interoperability
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- // additionally
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
- List availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());
- App.log.info("Available cipher suites: " + TextUtils.join(", ", availableCiphers));
- App.log.info("Cipher suites enabled by default: " + TextUtils.join(", ", socket.getEnabledCipherSuites()));
-
- // take all allowed ciphers that are available and put them into preferredCiphers
- HashSet preferredCiphers = new HashSet<>(allowedCiphers);
- preferredCiphers.retainAll(availableCiphers);
-
- /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling
- * ciphers which are enabled by default, but have become unsecure), but I guess for
- * the security level of DAVdroid and maximum compatibility, disabling of insecure
- * ciphers should be a server-side task */
-
- // add preferred ciphers to enabled ciphers
- HashSet enabledCiphers = preferredCiphers;
- enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));
-
- App.log.info("Enabling (only) those TLS ciphers: " + TextUtils.join(", ", enabledCiphers));
- SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);
- }
+ // choose known secure cipher suites
+ List allowedCiphers = Arrays.asList(
+ // TLS 1.2
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ // maximum interoperability
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ // additionally
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+ );
+ List availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());
+ App.log.info("Available cipher suites: " + TextUtils.join(", ", availableCiphers));
+
+ /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus
+ * disabling ciphers which are enabled by default, but have become unsecure), but for
+ * the security level of DAVdroid and maximum compatibility, disabling of insecure
+ * ciphers should be a server-side task */
+
+ // for the final set of enabled ciphers, take the ciphers enabled by default, ...
+ HashSet enabledCiphers = new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()));
+ App.log.info("Cipher suites enabled by default: " + TextUtils.join(", ", enabledCiphers));
+ // ... add explicitly allowed ciphers ...
+ enabledCiphers.addAll(allowedCiphers);
+ // ... and keep only those which are actually available
+ enabledCiphers.retainAll(availableCiphers);
+
+ App.log.info("Enabling (only) those TLS ciphers: " + TextUtils.join(", ", enabledCiphers));
+ SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);
 }
 } catch (IOException e) {
 App.log.severe("Couldn't determine default TLS settings");
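Review bot: With the `SDK_INT < LOLLIPOP` guard gone, `enabledCiphers.addAll(allowedCiphers)` turns on every allow-listed suite the platform still supports on all Android versions, including the four 3DES entries and the static-RSA suites, even where a newer platform no longer enables them by default. 3DES is a 64-bit block cipher and the `TLS_RSA_*`/`SSL_RSA_*` suites give no forward secrecy, so `// choose known secure cipher suites` overstates the list, and the block comment still names `preferredCiphers`, which the new code no longer has. The `HashSet` also leaves the array stored in `cipherSuites` in no defined order, so if the TLS provider offers suites in array order (not visible here), a 3DES suite can be listed ahead of AES-GCM. I would build the set as `LinkedHashSet<String> enabledCiphers = new LinkedHashSet<>(allowedCiphers);` with the 3DES entries moved to the end of the list before adding the defaults, and keep the legacy suites behind the old version check unless a current server really needs them; `LinkedHashSet` needs an import that lies outside the hunk. The enclosing method starts and ends outside the hunk.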