Various fixes

* fix minor translation issue that caused DAVdroid to crash when showing an I/O error * don't select TLS ciphers for Android 5.0+ (it has more secure default settings); closes #344
2025-03-06 10:16:09 +00:00 · 2014-11-09 19:58:07 +01:00 · 2014-11-09 19:58:07 +01:00 · cfc71542f5
commit cfc71542f5
parent 487509cb0c
5 changed files with 50 additions and 44 deletions
--- a/AndroidManifest.xml
+++ b/AndroidManifest.xml
@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="at.bitfire.davdroid"
-    android:versionCode="45"
-    android:versionName="0.6.7" android:installLocation="internalOnly">
+    android:versionCode="46"
+    android:versionName="0.6.7.1" android:installLocation="internalOnly">

    <uses-sdk
        android:minSdkVersion="14"
--- a/res/layout/login_email.xml
+++ b/res/layout/login_email.xml
@ -29,7 +29,7 @@
            android:layout_width="0dp"
            android:scrollHorizontally="true"
            android:scrollbars="horizontal"
-            android:hint="myaccount@icloud.com">
+            android:hint="myaccount@myservice.com">
            <requestFocus />
        </EditText>

--- a/src/at/bitfire/davdroid/Constants.java
+++ b/src/at/bitfire/davdroid/Constants.java
@ -9,7 +9,7 @@ package at.bitfire.davdroid;

 public class Constants {
 	public static final String
-		APP_VERSION = "0.6.7",
+		APP_VERSION = "0.6.7.1",
 		ACCOUNT_TYPE = "bitfire.at.davdroid",
 		WEB_URL_HELP = "http://davdroid.bitfire.at/configuration?pk_campaign=davdroid-app",
 		
--- a/src/at/bitfire/davdroid/syncadapter/QueryServerDialogFragment.java
+++ b/src/at/bitfire/davdroid/syncadapter/QueryServerDialogFragment.java
@ -113,7 +113,7 @@ public class QueryServerDialogFragment extends DialogFragment implements LoaderC
 			} catch (URISyntaxException e) {
 				serverInfo.setErrorMessage(getContext().getString(R.string.exception_uri_syntax, e.getMessage()));
 			}  catch (IOException e) {
-				serverInfo.setErrorMessage(getContext().getString(R.string.login_exception_io, e.getLocalizedMessage()));
+				serverInfo.setErrorMessage(getContext().getString(R.string.exception_io, e.getLocalizedMessage()));
 			} catch (HttpException e) {
 				Log.e(TAG, "HTTP error while querying server info", e);
 				serverInfo.setErrorMessage(getContext().getString(R.string.exception_http, e.getLocalizedMessage()));
--- a/src/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java
+++ b/src/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java
@ -127,9 +127,13 @@ public class TlsSniSocketFactory implements LayeredConnectionSocketFactory {
 	
 	@SuppressLint("DefaultLocale")
 	private void setReasonableEncryption(SSLSocket ssl) {
-		// set reasonable SSL/TLS settings before the handshake:
+		// set reasonable SSL/TLS settings before the handshake
 		
-		// - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <4.4.3, if available)
+		// Android 5.0+ (API level21) provides reasonable default settings
+		// but it still allows SSLv3
+		// https://developer.android.com/about/versions/android-5.0-changes.html#ssl
+
+		// - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0, if available)
 		// - remove all SSL versions (especially SSLv3) because they're insecure now
 		List<String> protocols = new LinkedList<String>();
 		for (String protocol : ssl.getSupportedProtocols())
@ -138,43 +142,45 @@ public class TlsSniSocketFactory implements LayeredConnectionSocketFactory {
 		Log.v(TAG, "Setting allowed TLS protocols: " + StringUtils.join(protocols, ", "));
 		ssl.setEnabledProtocols(protocols.toArray(new String[0]));

-		// choose secure cipher suites
-		List<String> allowedCiphers = Arrays.asList(new String[] {
-			// allowed secure ciphers according to NIST.SP.800-52r1.pdf Section 3.3.1 (see docs directory)
-			// TLS 1.2
-			"TLS_RSA_WITH_AES_256_GCM_SHA384",
-			"TLS_RSA_WITH_AES_128_GCM_SHA256",
-			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-			"TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",
-			// maximum interoperability
-			"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
-			"TLS_RSA_WITH_AES_128_CBC_SHA",
-			// additionally
-			"TLS_RSA_WITH_AES_256_CBC_SHA",
-			"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-			"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-		});
-		
-		List<String> availableCiphers = Arrays.asList(ssl.getSupportedCipherSuites());
-		
-		// preferred ciphers = allowed Ciphers \ availableCiphers
-		HashSet<String> preferredCiphers = new HashSet<String>(allowedCiphers);
-		preferredCiphers.retainAll(availableCiphers);
-		
-		// add preferred ciphers to enabled ciphers
-		// for maximum security, preferred ciphers should *replace* enabled ciphers,
-		// but I guess for the security level of DAVdroid, disabling of insecure
-		// ciphers should be a server-side task
-		HashSet<String> enabledCiphers = new HashSet<String>(Arrays.asList(ssl.getEnabledCipherSuites()));
-		enabledCiphers.addAll(preferredCiphers);
-		
-		Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", "));
-		ssl.setEnabledCipherSuites(enabledCiphers.toArray(new String[0]));
+		if (android.os.Build.VERSION.SDK_INT < 21) {	
+			// choose secure cipher suites
+			List<String> allowedCiphers = Arrays.asList(new String[] {
+				// allowed secure ciphers according to NIST.SP.800-52r1.pdf Section 3.3.1 (see docs directory)
+				// TLS 1.2
+				"TLS_RSA_WITH_AES_256_GCM_SHA384",
+				"TLS_RSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+				"TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",
+				// maximum interoperability
+				"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+				"TLS_RSA_WITH_AES_128_CBC_SHA",
+				// additionally
+				"TLS_RSA_WITH_AES_256_CBC_SHA",
+				"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
+				"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+				"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+				"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+			});
+			
+			List<String> availableCiphers = Arrays.asList(ssl.getSupportedCipherSuites());
+			
+			// preferred ciphers = allowed Ciphers \ availableCiphers
+			HashSet<String> preferredCiphers = new HashSet<String>(allowedCiphers);
+			preferredCiphers.retainAll(availableCiphers);
+			
+			// add preferred ciphers to enabled ciphers
+			// for maximum security, preferred ciphers should *replace* enabled ciphers,
+			// but I guess for the security level of DAVdroid, disabling of insecure
+			// ciphers should be a server-side task
+			HashSet<String> enabledCiphers = preferredCiphers;
+			enabledCiphers.addAll(new HashSet<String>(Arrays.asList(ssl.getEnabledCipherSuites())));
+			
+			Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", "));
+			ssl.setEnabledCipherSuites(enabledCiphers.toArray(new String[0]));
+		}
 	}
 	
 }