mirror of
https://github.com/etesync/android
synced 2024-12-24 07:28:09 +00:00
Enable TLSv1.1 and TLSv1.2 (if available) for Android <5 again
This commit is contained in:
parent
3646a561c6
commit
93464ccf8c
@ -64,4 +64,6 @@ dependencies {
|
|||||||
compile project(':vcard4android')
|
compile project(':vcard4android')
|
||||||
|
|
||||||
compile project(':MemorizingTrustManager')
|
compile project(':MemorizingTrustManager')
|
||||||
|
|
||||||
|
androidTestCompile 'com.squareup.okhttp:mockwebserver:2.6.0-SNAPSHOT'
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,53 @@
|
|||||||
|
/*
|
||||||
|
* Copyright © 2013 – 2015 Ricki Hirner (bitfire web engineering).
|
||||||
|
* All rights reserved. This program and the accompanying materials
|
||||||
|
* are made available under the terms of the GNU Public License v3.0
|
||||||
|
* which accompanies this distribution, and is available at
|
||||||
|
* http://www.gnu.org/licenses/gpl.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
package at.bitfire.davdroid;
|
||||||
|
|
||||||
|
import android.test.InstrumentationTestCase;
|
||||||
|
|
||||||
|
import com.squareup.okhttp.ConnectionSpec;
|
||||||
|
import com.squareup.okhttp.TlsVersion;
|
||||||
|
import com.squareup.okhttp.mockwebserver.MockWebServer;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.Collections;
|
||||||
|
|
||||||
|
public class HttpClientTest extends InstrumentationTestCase {
|
||||||
|
|
||||||
|
final MockWebServer server = new MockWebServer();
|
||||||
|
HttpClient httpClient;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setUp() throws IOException {
|
||||||
|
httpClient = new HttpClient(null, getInstrumentation().getTargetContext().getApplicationContext());
|
||||||
|
|
||||||
|
httpClient.setConnectionSpecs(Collections.singletonList(new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
|
||||||
|
.tlsVersions(TlsVersion.TLS_1_2)
|
||||||
|
.build()));
|
||||||
|
|
||||||
|
server.start();
|
||||||
|
server.useHttps(new SSLSocketFactoryCompat(null), false);
|
||||||
|
|
||||||
|
assertEquals("https", server.url("/").scheme());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void tearDown() throws IOException {
|
||||||
|
server.shutdown();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testTLSVersion() throws IOException {
|
||||||
|
// FIXME
|
||||||
|
/*server.enqueue(new MockResponse().setResponseCode(204));
|
||||||
|
Response response = httpClient.newCall(new Request.Builder()
|
||||||
|
.get().url(server.url("/"))
|
||||||
|
.build()).execute();
|
||||||
|
assertTrue(response.isSuccessful());*/
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -10,10 +10,7 @@ package at.bitfire.davdroid;
|
|||||||
|
|
||||||
import android.content.Context;
|
import android.content.Context;
|
||||||
import android.os.Build;
|
import android.os.Build;
|
||||||
import android.text.TextUtils;
|
|
||||||
|
|
||||||
import com.squareup.okhttp.Authenticator;
|
|
||||||
import com.squareup.okhttp.CertificatePinner;
|
|
||||||
import com.squareup.okhttp.Credentials;
|
import com.squareup.okhttp.Credentials;
|
||||||
import com.squareup.okhttp.Interceptor;
|
import com.squareup.okhttp.Interceptor;
|
||||||
import com.squareup.okhttp.OkHttpClient;
|
import com.squareup.okhttp.OkHttpClient;
|
||||||
@ -27,20 +24,11 @@ import org.slf4j.Logger;
|
|||||||
import java.io.BufferedReader;
|
import java.io.BufferedReader;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.StringReader;
|
import java.io.StringReader;
|
||||||
import java.net.Proxy;
|
|
||||||
import java.security.KeyManagementException;
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
|
||||||
import java.text.SimpleDateFormat;
|
import java.text.SimpleDateFormat;
|
||||||
import java.util.List;
|
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
import java.util.concurrent.TimeUnit;
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
import javax.net.ssl.HostnameVerifier;
|
|
||||||
import javax.net.ssl.SSLContext;
|
|
||||||
import javax.net.ssl.X509TrustManager;
|
|
||||||
|
|
||||||
import at.bitfire.dav4android.BasicDigestAuthenticator;
|
import at.bitfire.dav4android.BasicDigestAuthenticator;
|
||||||
import at.bitfire.dav4android.HttpUtils;
|
|
||||||
import de.duenndns.ssl.MemorizingTrustManager;
|
import de.duenndns.ssl.MemorizingTrustManager;
|
||||||
import lombok.RequiredArgsConstructor;
|
import lombok.RequiredArgsConstructor;
|
||||||
|
|
||||||
@ -60,7 +48,7 @@ public class HttpClient extends OkHttpClient {
|
|||||||
protected String username, password;
|
protected String username, password;
|
||||||
|
|
||||||
|
|
||||||
protected HttpClient(final Logger log, Context context) {
|
protected HttpClient(Logger log, Context context) {
|
||||||
super();
|
super();
|
||||||
this.log = (log != null) ? log : Constants.log;
|
this.log = (log != null) ? log : Constants.log;
|
||||||
this.context = context;
|
this.context = context;
|
||||||
@ -68,16 +56,8 @@ public class HttpClient extends OkHttpClient {
|
|||||||
if (context != null) {
|
if (context != null) {
|
||||||
// use MemorizingTrustManager to manage self-signed certificates
|
// use MemorizingTrustManager to manage self-signed certificates
|
||||||
MemorizingTrustManager mtm = new MemorizingTrustManager(context);
|
MemorizingTrustManager mtm = new MemorizingTrustManager(context);
|
||||||
try {
|
setSslSocketFactory(new SSLSocketFactoryCompat(mtm));
|
||||||
SSLContext sc = SSLContext.getInstance("TLS");
|
setHostnameVerifier(mtm.wrapHostnameVerifier(OkHostnameVerifier.INSTANCE));
|
||||||
sc.init(null, new X509TrustManager[] { mtm }, null);
|
|
||||||
setSslSocketFactory(sc.getSocketFactory());
|
|
||||||
setHostnameVerifier(mtm.wrapHostnameVerifier(OkHostnameVerifier.INSTANCE));
|
|
||||||
} catch (NoSuchAlgorithmException e) {
|
|
||||||
Constants.log.error("Couldn't get SSL Context for MemorizingTrustManager", e);
|
|
||||||
} catch (KeyManagementException e) {
|
|
||||||
Constants.log.error("Key management error while initializing MemorizingTrustManager", e);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// set timeouts
|
// set timeouts
|
||||||
@ -89,7 +69,7 @@ public class HttpClient extends OkHttpClient {
|
|||||||
networkInterceptors().add(userAgentInterceptor);
|
networkInterceptors().add(userAgentInterceptor);
|
||||||
|
|
||||||
// enable verbose logs, if requested
|
// enable verbose logs, if requested
|
||||||
if (log.isTraceEnabled()) {
|
if (this.log.isTraceEnabled()) {
|
||||||
HttpLoggingInterceptor logger = new HttpLoggingInterceptor(new HttpLoggingInterceptor.Logger() {
|
HttpLoggingInterceptor logger = new HttpLoggingInterceptor(new HttpLoggingInterceptor.Logger() {
|
||||||
@Override
|
@Override
|
||||||
public void log(String message) {
|
public void log(String message) {
|
||||||
@ -100,13 +80,13 @@ public class HttpClient extends OkHttpClient {
|
|||||||
int len = line.length();
|
int len = line.length();
|
||||||
for (int pos = 0; pos < len; pos += MAX_LOG_LINE_LENGTH)
|
for (int pos = 0; pos < len; pos += MAX_LOG_LINE_LENGTH)
|
||||||
if (pos < len - MAX_LOG_LINE_LENGTH)
|
if (pos < len - MAX_LOG_LINE_LENGTH)
|
||||||
log.trace(line.substring(pos, pos + MAX_LOG_LINE_LENGTH) + "\\");
|
HttpClient.this.log.trace(line.substring(pos, pos + MAX_LOG_LINE_LENGTH) + "\\");
|
||||||
else
|
else
|
||||||
log.trace(line.substring(pos));
|
HttpClient.this.log.trace(line.substring(pos));
|
||||||
}
|
}
|
||||||
} catch(IOException e) {
|
} catch(IOException e) {
|
||||||
// for some reason, we couldn't split our message
|
// for some reason, we couldn't split our message
|
||||||
log.trace(message);
|
HttpClient.this.log.trace(message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
@ -0,0 +1,178 @@
|
|||||||
|
/*
|
||||||
|
* Copyright © 2013 – 2015 Ricki Hirner (bitfire web engineering).
|
||||||
|
* All rights reserved. This program and the accompanying materials
|
||||||
|
* are made available under the terms of the GNU Public License v3.0
|
||||||
|
* which accompanies this distribution, and is available at
|
||||||
|
* http://www.gnu.org/licenses/gpl.html
|
||||||
|
*/
|
||||||
|
|
||||||
|
package at.bitfire.davdroid;
|
||||||
|
|
||||||
|
import android.os.Build;
|
||||||
|
import android.text.TextUtils;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.Socket;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.LinkedList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.net.ssl.SSLContext;
|
||||||
|
import javax.net.ssl.SSLSocket;
|
||||||
|
import javax.net.ssl.SSLSocketFactory;
|
||||||
|
import javax.net.ssl.X509TrustManager;
|
||||||
|
|
||||||
|
import de.duenndns.ssl.MemorizingTrustManager;
|
||||||
|
import lombok.Cleanup;
|
||||||
|
|
||||||
|
public class SSLSocketFactoryCompat extends SSLSocketFactory {
|
||||||
|
|
||||||
|
private SSLSocketFactory defaultFactory;
|
||||||
|
|
||||||
|
// Android 5.0+ (API level21) provides reasonable default settings
|
||||||
|
// but it still allows SSLv3
|
||||||
|
// https://developer.android.com/about/versions/android-5.0-changes.html#ssl
|
||||||
|
static String protocols[] = null, cipherSuites[] = null;
|
||||||
|
static {
|
||||||
|
try {
|
||||||
|
@Cleanup SSLSocket socket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();
|
||||||
|
if (socket != null) {
|
||||||
|
/* set reasonable protocol versions */
|
||||||
|
// - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)
|
||||||
|
// - remove all SSL versions (especially SSLv3) because they're insecure now
|
||||||
|
List<String> protocols = new LinkedList<>();
|
||||||
|
for (String protocol : socket.getSupportedProtocols())
|
||||||
|
if (!protocol.toUpperCase().contains("SSL"))
|
||||||
|
protocols.add(protocol);
|
||||||
|
Constants.log.debug("Setting allowed TLS protocols: " + TextUtils.join(", ", protocols));
|
||||||
|
SSLSocketFactoryCompat.protocols = protocols.toArray(new String[protocols.size()]);
|
||||||
|
|
||||||
|
/* set up reasonable cipher suites */
|
||||||
|
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
|
||||||
|
// choose known secure cipher suites
|
||||||
|
List<String> allowedCiphers = Arrays.asList(
|
||||||
|
// TLS 1.2
|
||||||
|
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||||
|
"TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",
|
||||||
|
// maximum interoperability
|
||||||
|
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
|
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||||
|
// additionally
|
||||||
|
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
|
||||||
|
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
|
||||||
|
List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());
|
||||||
|
Constants.log.debug("Available cipher suites: " + TextUtils.join(", ", availableCiphers));
|
||||||
|
Constants.log.debug("Cipher suites enabled by default: " + TextUtils.join(", ", socket.getEnabledCipherSuites()));
|
||||||
|
|
||||||
|
// take all allowed ciphers that are available and put them into preferredCiphers
|
||||||
|
HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers);
|
||||||
|
preferredCiphers.retainAll(availableCiphers);
|
||||||
|
|
||||||
|
/* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling
|
||||||
|
* ciphers which are enabled by default, but have become unsecure), but I guess for
|
||||||
|
* the security level of DAVdroid and maximum compatibility, disabling of insecure
|
||||||
|
* ciphers should be a server-side task */
|
||||||
|
|
||||||
|
// add preferred ciphers to enabled ciphers
|
||||||
|
HashSet<String> enabledCiphers = preferredCiphers;
|
||||||
|
enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));
|
||||||
|
|
||||||
|
Constants.log.debug("Enabling (only) those TLS ciphers: " + TextUtils.join(", ", enabledCiphers));
|
||||||
|
SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (IOException e) {
|
||||||
|
Constants.log.error("Couldn't determine default TLS settings");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public SSLSocketFactoryCompat(MemorizingTrustManager mtm) {
|
||||||
|
try {
|
||||||
|
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||||
|
sslContext.init(null, (mtm != null) ? new X509TrustManager[] { mtm } : null, null);
|
||||||
|
defaultFactory = sslContext.getSocketFactory();
|
||||||
|
} catch (GeneralSecurityException e) {
|
||||||
|
throw new AssertionError(); // The system has no TLS. Just give up.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void upgradeTLS(SSLSocket ssl) {
|
||||||
|
// Android 5.0+ (API level21) provides reasonable default settings
|
||||||
|
// but it still allows SSLv3
|
||||||
|
// https://developer.android.com/about/versions/android-5.0-changes.html#ssl
|
||||||
|
|
||||||
|
if (protocols != null) {
|
||||||
|
Constants.log.debug("Setting allowed TLS protocols: " + TextUtils.join(", ", protocols));
|
||||||
|
ssl.setEnabledProtocols(protocols);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) {
|
||||||
|
Constants.log.debug("Setting allowed TLS ciphers for Android <5: " + TextUtils.join(", ", protocols));
|
||||||
|
ssl.setEnabledCipherSuites(cipherSuites);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String[] getDefaultCipherSuites() {
|
||||||
|
return cipherSuites;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String[] getSupportedCipherSuites() {
|
||||||
|
return cipherSuites;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
|
||||||
|
Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);
|
||||||
|
if (ssl instanceof SSLSocket)
|
||||||
|
upgradeTLS((SSLSocket)ssl);
|
||||||
|
return ssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
|
||||||
|
Socket ssl = defaultFactory.createSocket(host, port);
|
||||||
|
if (ssl instanceof SSLSocket)
|
||||||
|
upgradeTLS((SSLSocket)ssl);
|
||||||
|
return ssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
|
||||||
|
Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);
|
||||||
|
if (ssl instanceof SSLSocket)
|
||||||
|
upgradeTLS((SSLSocket)ssl);
|
||||||
|
return ssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Socket createSocket(InetAddress host, int port) throws IOException {
|
||||||
|
Socket ssl = defaultFactory.createSocket(host, port);
|
||||||
|
if (ssl instanceof SSLSocket)
|
||||||
|
upgradeTLS((SSLSocket)ssl);
|
||||||
|
return ssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
|
||||||
|
Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);
|
||||||
|
if (ssl instanceof SSLSocket)
|
||||||
|
upgradeTLS((SSLSocket)ssl);
|
||||||
|
return ssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user