From 97ae1213312cd7195fdd755358fe367dc7db34b8 Mon Sep 17 00:00:00 2001 From: Ricki Hirner Date: Tue, 25 Aug 2015 22:04:45 +0200 Subject: [PATCH] Exception handling, verbose TLS logs * handle IllegalArgumentException in Tasks provider (show LocalStorageException notification) (closes #601) * add more verbose TLS cipher logs (see #608) --- .../davdroid/resource/LocalCollection.java | 2 +- .../davdroid/webdav/TlsSniSocketFactory.java | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/app/src/main/java/at/bitfire/davdroid/resource/LocalCollection.java b/app/src/main/java/at/bitfire/davdroid/resource/LocalCollection.java index af70cb23..26cfe82f 100644 --- a/app/src/main/java/at/bitfire/davdroid/resource/LocalCollection.java +++ b/app/src/main/java/at/bitfire/davdroid/resource/LocalCollection.java @@ -378,7 +378,7 @@ public abstract class LocalCollection { affected = 1; Log.d(TAG, "... " + affected + " record(s) affected"); pendingOperations.clear(); - } catch(OperationApplicationException | RemoteException ex) { + } catch(IllegalArgumentException|OperationApplicationException|RemoteException ex) { throw new LocalStorageException(ex); } return affected; diff --git a/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java b/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java index 4cdff241..0eedf6f0 100644 --- a/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java +++ b/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java @@ -55,9 +55,9 @@ public class TlsSniSocketFactory extends SSLConnectionSocketFactory { Log.v(TAG, "Setting allowed TLS protocols: " + StringUtils.join(protocols, ", ")); TlsSniSocketFactory.protocols = protocols.toArray(new String[protocols.size()]); - /* set reasonable cipher suites */ + /* set up reasonable cipher suites */ if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) { - // choose secure cipher suites + // choose known secure cipher suites List allowedCiphers = Arrays.asList( // TLS 1.2 "TLS_RSA_WITH_AES_256_GCM_SHA384", @@ -78,19 +78,23 @@ public class TlsSniSocketFactory extends SSLConnectionSocketFactory { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); List availableCiphers = Arrays.asList(socket.getSupportedCipherSuites()); + Log.v(TAG, "Available cipher suites: " + StringUtils.join(availableCiphers, ", ")); + Log.v(TAG, "Cipher suites enabled by default: " + StringUtils.join(socket.getEnabledCipherSuites(), ", ")); - // preferred ciphers = allowed Ciphers \ availableCiphers + // take all allowed ciphers that are available and put them into preferredCiphers HashSet preferredCiphers = new HashSet<>(allowedCiphers); preferredCiphers.retainAll(availableCiphers); + /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling + * ciphers which are enabled by default, but have become unsecure), but I guess for + * the security level of DAVdroid and maximum compatibility, disabling of insecure + * ciphers should be a server-side task */ + // add preferred ciphers to enabled ciphers - // for maximum security, preferred ciphers should *replace* enabled ciphers, - // but I guess for the security level of DAVdroid, disabling of insecure - // ciphers should be a server-side task HashSet enabledCiphers = preferredCiphers; enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()))); - Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", ")); + Log.v(TAG, "Enabling (only) those TLS ciphers: " + StringUtils.join(enabledCiphers, ", ")); TlsSniSocketFactory.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]); } } catch (IOException e) {