1
0
mirror of https://github.com/etesync/android synced 2024-11-22 16:08:13 +00:00

Use Apache HttpClient-Android SSLConnectionSocketFactory

* SSLConnectionSocketFactory is now SNI-capable, so there's no need
  to manage SNI in DAVdroid
* keep secure protocol/cipher suite definitions
* use a patched jar until https://issues.apache.org/jira/browse/HTTPCLIENT-1591 is fixed
This commit is contained in:
R Hirner 2015-01-18 17:04:32 +01:00
parent a7115ad39c
commit 9e082d930b
5 changed files with 92 additions and 197 deletions

View File

@ -35,7 +35,7 @@ configurations.all {
dependencies {
// Apache Commons
compile 'commons-lang:commons-lang:2.6'
compile 'org.apache.commons:commons-io:1.3.2'
compile 'commons-io:commons-io:2.4'
// Lombok for useful @helpers
provided 'org.projectlombok:lombok:1.14.8'
@ -56,9 +56,10 @@ dependencies {
compile 'dnsjava:dnsjava:2.1.6'
// HttpClient 4.3, Android flavour for WebDAV operations
// we have to use our patched version of 4.3.5 to avoid https://issues.apache.org/jira/browse/HTTPCLIENT-1566
compile files('lib/httpclient-android-4.3.5.davdroid1.jar')
// compile 'org.apache.httpcomponents:httpclient-android:4.3.5'
// we have to use our own patched build of 4.3.5.2-SNAPSHOT to avoid
// https://issues.apache.org/jira/browse/HTTPCLIENT-1591
compile files('lib/httpclient-android-4.3.5.2-davdroid1.jar')
// compile 'org.apache.httpcomponents:httpclient-android:4.3.5.2-SNAPSHOT'
// SimpleXML for parsing and generating WebDAV messages
compile('org.simpleframework:simple-xml:2.7.1') {

View File

@ -14,6 +14,8 @@ import java.net.Socket;
import java.net.SocketAddress;
import java.security.cert.CertPathValidatorException;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
@ -29,7 +31,7 @@ import lombok.Cleanup;
public class TlsSniSocketFactoryTest extends TestCase {
private static final String TAG = "davdroid.TlsSniSocketFactoryTest";
TlsSniSocketFactory factory = TlsSniSocketFactory.INSTANCE;
TlsSniSocketFactory factory = TlsSniSocketFactory.getSocketFactory();
private InetSocketAddress sampleTlsEndpoint;
@ -41,7 +43,7 @@ public class TlsSniSocketFactoryTest extends TestCase {
public void testCreateSocket() {
try {
@Cleanup SSLSocket socket = factory.createSocket(null);
@Cleanup Socket socket = factory.createSocket(null);
assertFalse(socket.isConnected());
} catch (IOException e) {
fail();
@ -50,9 +52,7 @@ public class TlsSniSocketFactoryTest extends TestCase {
public void testConnectSocket() {
try {
@Cleanup SSLSocket socket = factory.createSocket(null);
factory.connectSocket(1000, socket, new HttpHost(sampleTlsEndpoint.getHostName()), sampleTlsEndpoint, null, null);
factory.connectSocket(1000, null, new HttpHost(sampleTlsEndpoint.getHostName()), sampleTlsEndpoint, null, null);
} catch (IOException e) {
Log.e(TAG, "I/O exception", e);
fail();
@ -67,7 +67,7 @@ public class TlsSniSocketFactoryTest extends TestCase {
assertTrue(plain.isConnected());
// then create TLS socket on top of it and establish TLS Connection
@Cleanup SSLSocket socket = factory.createLayeredSocket(plain, sampleTlsEndpoint.getHostName(), sampleTlsEndpoint.getPort(), null);
@Cleanup Socket socket = factory.createLayeredSocket(plain, sampleTlsEndpoint.getHostName(), sampleTlsEndpoint.getPort(), null);
assertTrue(socket.isConnected());
} catch (IOException e) {
@ -76,11 +76,8 @@ public class TlsSniSocketFactoryTest extends TestCase {
}
}
public void testSetTlsParameters() throws IOException {
@Cleanup SSLSocket socket = factory.createSocket(null);
factory.setTlsParameters(socket);
String enabledProtocols[] = socket.getEnabledProtocols();
public void testProtocolVersions() throws IOException {
String enabledProtocols[] = factory.protocols;
// SSL (all versions) should be disabled
for (String protocol : enabledProtocols)
assertFalse(protocol.contains("SSL"));
@ -91,27 +88,29 @@ public class TlsSniSocketFactoryTest extends TestCase {
}
public void testHostnameNotInCertificate() {
public void testHostnameNotInCertificate() throws IOException {
try {
// host with certificate that doesn't match host name
// use the IP address as host name because IP addresses are usually not in the certificate subject
InetSocketAddress host = new InetSocketAddress(sampleTlsEndpoint.getAddress().getHostAddress(), 443);
@Cleanup SSLSocket socket = factory.connectSocket(0, null, new HttpHost(host.getHostName()), host, null, null);
final String ipHostname = sampleTlsEndpoint.getAddress().getHostAddress();
InetSocketAddress host = new InetSocketAddress(ipHostname, 443);
@Cleanup Socket socket = factory.connectSocket(0, null, new HttpHost(ipHostname), host, null, null);
fail();
} catch (IOException e) {
assertFalse(ExceptionUtils.indexOfType(e, SSLPeerUnverifiedException.class) == -1);
} catch (SSLException e) {
Log.i(TAG, "Expected exception", e);
assertFalse(ExceptionUtils.indexOfType(e, SSLException.class) == -1);
}
}
public void testUntrustedCertificate() {
public void testUntrustedCertificate() throws IOException {
try {
// host with certificate that is not trusted by default
InetSocketAddress host = new InetSocketAddress("cacert.org", 443);
@Cleanup SSLSocket socket = factory.connectSocket(0, null, new HttpHost(host.getHostName()), host, null, null);
@Cleanup Socket socket = factory.connectSocket(0, null, new HttpHost(host.getHostName()), host, null, null);
fail();
} catch (IOException e) {
} catch (SSLHandshakeException e) {
Log.i(TAG, "Expected exception", e);
assertFalse(ExceptionUtils.indexOfType(e, CertPathValidatorException.class) == -1);
}
}

View File

@ -31,7 +31,7 @@ public class DavHttpClient {
static {
socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory> create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", TlsSniSocketFactory.INSTANCE)
.register("https", TlsSniSocketFactory.getSocketFactory())
.build();
// use request defaults from AndroidHttpClient

View File

@ -7,136 +7,42 @@
*/
package at.bitfire.davdroid.webdav;
import android.annotation.SuppressLint;
import android.annotation.TargetApi;
import android.net.SSLCertificateSocketFactory;
import android.os.Build;
import android.util.Log;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpHost;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.BrowserCompatHostnameVerifierHC4;
import org.apache.http.protocol.HttpContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class TlsSniSocketFactory implements LayeredConnectionSocketFactory {
import lombok.Cleanup;
public class TlsSniSocketFactory extends SSLConnectionSocketFactory {
private static final String TAG = "davdroid.TlsSniSocketFactory";
public final static TlsSniSocketFactory INSTANCE = new TlsSniSocketFactory();
private final static SSLSocketFactory sslSocketFactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
// use BrowserCompatHostnameVerifier to allow IP addresses in the Common Name
private final static HostnameVerifier hostnameVerifier = new BrowserCompatHostnameVerifierHC4();
/*
For TLS connections without HTTPS (CONNECT) proxy:
1) socket = createSocket() is called
2) connectSocket(socket) is called which creates a new TLS connection (but no handshake yet)
3) reasonable encryption settings are applied to socket
4) SNI is set up for socket
5) handshake and certificate/host name verification
Layered sockets are used with HTTPS (CONNECT) proxies:
1) plain = createSocket() is called
2) the plain socket is connected to http://proxy:8080
3) a CONNECT request is sent to the proxy and the response is parsed
4) socket = createLayeredSocket(plain) is called to "upgrade" the plain connection to a TLS connection (but no handshake yet)
5) reasonable encryption settings are applied to socket
6) SNI is set up for socket
7) handshake and certificate/host name verification
*/
@Override
public SSLSocket createSocket(HttpContext context) throws IOException {
return (SSLSocket)sslSocketFactory.createSocket();
public static TlsSniSocketFactory getSocketFactory() {
return new TlsSniSocketFactory(
(SSLSocketFactory) SSLSocketFactory.getDefault(),
new BrowserCompatHostnameVerifierHC4() // use BrowserCompatHostnameVerifier to allow IP addresses in the Common Name
);
}
@Override
public SSLSocket connectSocket(int timeout, Socket sock, HttpHost host, InetSocketAddress remoteAddr, InetSocketAddress localAddr, HttpContext context) throws IOException {
Log.d(TAG, "Establishing direct TLS connection to " + host);
final SSLSocket socket = (sock != null) ? (SSLSocket)sock : createSocket(context);
if (localAddr != null)
socket.bind(localAddr);
// connect the socket on TCP level
socket.connect(remoteAddr, timeout);
// establish and verify TLS connection
establishAndVerify(socket, host.getHostName());
return socket;
}
@Override
public SSLSocket createLayeredSocket(Socket plain, String host, int port, HttpContext context) throws IOException {
Log.d(TAG, "Establishing layered TLS connection to " + host);
// create new socket for TLS connection on top of existing socket
final SSLSocket socket = (SSLSocket)sslSocketFactory.createSocket(plain, host, port, true);
// establish and verify TLS connection
establishAndVerify(socket, host);
return socket;
}
/**
* Establishes and verifies a TLS connection to a (TCP-)connected SSLSocket:
* - set TLS parameters like allowed protocols and ciphers
* - set SNI host name
* - verify host name
* - verify certificate
* @param socket unconnected SSLSocket
* @param host host name for SNI
* @throws SSLPeerUnverifiedException
*/
private void establishAndVerify(SSLSocket socket, String host) throws IOException, SSLPeerUnverifiedException {
setTlsParameters(socket);
setSniHostname(socket, host);
// TLS handshake, throws an exception for untrusted certificates
socket.startHandshake();
// verify hostname and certificate
SSLSession session = socket.getSession();
if (!hostnameVerifier.verify(host, session))
// throw exception for inavlid host names
throw new SSLPeerUnverifiedException(host);
Log.d(TAG, "Established " + session.getProtocol() + " connection with " + session.getPeerHost() +
" using " + session.getCipherSuite());
}
/**
* Prepares a TLS/SSL connection socket by:
* - setting the default TrustManager (as we have created an "insecure" connection to avoid handshake problems before)
* - setting reasonable TLS protocol versions
* - setting reasonable cipher suites (if required)
* @param socket unconnected SSLSocket to prepare
*/
@SuppressLint("DefaultLocale")
void setTlsParameters(SSLSocket socket) {
// Android 5.0+ (API level21) provides reasonable default settings
// but it still allows SSLv3
// https://developer.android.com/about/versions/android-5.0-changes.html#ssl
static String protocols[] = null, cipherSuites[] = null;
static {
try {
@Cleanup SSLSocket socket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();
/* set reasonable protocol versions */
// - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)
@ -146,12 +52,12 @@ public class TlsSniSocketFactory implements LayeredConnectionSocketFactory {
if (!protocol.toUpperCase().contains("SSL"))
protocols.add(protocol);
Log.v(TAG, "Setting allowed TLS protocols: " + StringUtils.join(protocols, ", "));
socket.setEnabledProtocols(protocols.toArray(new String[0]));
TlsSniSocketFactory.protocols = protocols.toArray(new String[0]);
/* set reasonable cipher suites */
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
// choose secure cipher suites
List<String> allowedCiphers = Arrays.asList(new String[] {
List<String> allowedCiphers = Arrays.asList(new String[]{
// allowed secure ciphers according to NIST.SP.800-52r1.pdf Section 3.3.1 (see docs directory)
// TLS 1.2
"TLS_RSA_WITH_AES_256_GCM_SHA384",
@ -186,25 +92,14 @@ public class TlsSniSocketFactory implements LayeredConnectionSocketFactory {
enabledCiphers.addAll(new HashSet<String>(Arrays.asList(socket.getEnabledCipherSuites())));
Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", "));
socket.setEnabledCipherSuites(enabledCiphers.toArray(new String[0]));
TlsSniSocketFactory.cipherSuites = enabledCiphers.toArray(new String[0]);
}
} catch (IOException e) {
}
}
@TargetApi(Build.VERSION_CODES.JELLY_BEAN_MR1)
private void setSniHostname(SSLSocket socket, String hostName) {
// set SNI host name
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1 && sslSocketFactory instanceof SSLCertificateSocketFactory) {
Log.d(TAG, "Using documented SNI with host name " + hostName);
((SSLCertificateSocketFactory)sslSocketFactory).setHostname(socket, hostName);
} else {
Log.d(TAG, "No documented SNI support on Android <4.2, trying reflection method with host name " + hostName);
try {
java.lang.reflect.Method setHostnameMethod = socket.getClass().getMethod("setHostname", String.class);
setHostnameMethod.invoke(socket, hostName);
} catch (Exception e) {
Log.w(TAG, "SNI not useable", e);
}
}
public TlsSniSocketFactory(SSLSocketFactory socketfactory, X509HostnameVerifier hostnameVerifier) {
super(socketfactory, protocols, cipherSuites, hostnameVerifier);
}
}