From 4920bc0c8175c5b61199bf4c9daebc2a65fdbb3b Mon Sep 17 00:00:00 2001
From: Tom Hacohen <tom@stosb.com>
Date: Thu, 6 Apr 2017 10:04:15 +0100
Subject: [PATCH] SSLSocketFactory: Update the cipher priority list to
 something more secure.

We can assume much safer ciphers since we control the server too and
we don't have to work with old insecure servers.
---
 .../syncadapter/SSLSocketFactoryCompat.java   | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java b/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
index 53aff476..d04fa654 100644
--- a/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
+++ b/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
@@ -54,23 +54,24 @@ public class SSLSocketFactoryCompat extends SSLSocketFactory {
                 /* set up reasonable cipher suites */
                 // choose known secure cipher suites
                 List<String> allowedCiphers = Arrays.asList(
-                        // TLS 1.2
-                        "TLS_RSA_WITH_AES_256_GCM_SHA384",
-                        "TLS_RSA_WITH_AES_128_GCM_SHA256",
-                        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                        // first priority
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+                        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+                        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-                        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                        // maximum interoperability
-                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-                        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-                        "TLS_RSA_WITH_AES_128_CBC_SHA",
-                        // additionally
-                        "TLS_RSA_WITH_AES_256_CBC_SHA",
-                        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+                        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+                        // second priority
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+                        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+                        // compat
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                         "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-                        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
                 );
                 List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());