SSLSocketFactory: Update the cipher priority list to something more secure.

We can assume much safer ciphers since we control the server too and we don't have to work with old insecure servers.
2025-01-23 14:10:54 +00:00 · 2017-04-06 10:04:15 +01:00 · 2017-04-06 10:04:15 +01:00 · 4920bc0c81
commit 4920bc0c81
parent 3a0c112fad
1 changed files with 15 additions and 14 deletions
--- a/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
+++ b/app/src/main/java/com/etesync/syncadapter/SSLSocketFactoryCompat.java
@ -54,23 +54,24 @@ public class SSLSocketFactoryCompat extends SSLSocketFactory {
                /* set up reasonable cipher suites */
                // choose known secure cipher suites
                List<String> allowedCiphers = Arrays.asList(
-                        // TLS 1.2
+                        // first priority
-                        "TLS_RSA_WITH_AES_256_GCM_SHA384",
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
-                        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-                        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+                        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                        // maximum interoperability
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+                        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-                        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+                        // second priority
-                        "TLS_RSA_WITH_AES_128_CBC_SHA",
+                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
-                        // additionally
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-                        "TLS_RSA_WITH_AES_256_CBC_SHA",
+                        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-                        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+                        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                        // compat
                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-                        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
                );
                List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());