Enable TLSv1.3 and harden protocols and cipher suites for Free builds

The Free build bundles a modern Conscrypt which means TLSv1.3 is always
guaranteed no matter android version. So it can always be enabled. Since
it also provides modern cipher suites, there is no need to enable older
protocols than TLSv1.2 (that is: SSLv3, TLSv1.0 and TLSv1.1 which are
all now deprecated).

And the support for modern cipher suites also means there is no need to
explicitly enable the following (obsolete+unsafe) ciphers suites:
 * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
on Android API < 21 (Android < 5.0).

No changes are made to the Play builds (since the available security
provider can't be guaranteed to support modern protocols and cipher
suites).
This commit is contained in:
Mats Wahlberg 2020-04-22 16:22:48 +02:00
parent 3f0420544a
commit 4f86047a24
1 changed files with 40 additions and 3 deletions

View File

@ -34,6 +34,7 @@ import javax.net.ssl.X509TrustManager;
import de.danoeh.antennapod.core.preferences.UserPreferences;
import de.danoeh.antennapod.core.service.UserAgentInterceptor;
import de.danoeh.antennapod.core.storage.DBWriter;
import de.danoeh.antennapod.core.util.Flavors;
import okhttp3.Cache;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
@ -149,7 +150,17 @@ public class AntennapodHttpClient {
});
}
}
if (Build.VERSION.SDK_INT < 21) {
// The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
// is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
// that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
if (Flavors.FLAVOR == Flavors.FREE) {
builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
}
// The Play flavor can not be assumed to have a modern security provider, so for Android
// older than 5.0 CustomSslSocketFactory is used to enable all possible protocols (modern
// and deprecated). And we explicitly enable deprecated cipher suites disabled by default.
else if (Build.VERSION.SDK_INT < 21) {
builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
// workaround for Android 4.x for certain web sites.
@ -178,6 +189,9 @@ public class AntennapodHttpClient {
}
}
/**
* Reimplements default trust manager (required for calling sslSocketFactory).
*/
private static X509TrustManager trustManager() {
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
@ -199,13 +213,27 @@ public class AntennapodHttpClient {
AntennapodHttpClient.cacheDirectory = cacheDirectory;
}
/**
* Used to disable deprecated protocols and explicitly enable TLSv1.3 and TLSv1.2, or to enable
* all protocols (including deprecated) up to TLSv1.2, depending on build flavor (Free or Play).
*/
private static class CustomSslSocketFactory extends SSLSocketFactory {
private SSLSocketFactory factory;
public CustomSslSocketFactory() {
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
SSLContext sslContext;
// Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
if (Flavors.FLAVOR == Flavors.FREE) {
sslContext = SSLContext.getInstance("TLSv1.3");
}
// Play flavor (security provider can vary): only TLSv1.2 is guaranteed.
else {
sslContext = SSLContext.getInstance("TLSv1.2");
}
sslContext.init(null, null, null);
factory= sslContext.getSocketFactory();
} catch(GeneralSecurityException e) {
@ -260,8 +288,17 @@ public class AntennapodHttpClient {
}
private void configureSocket(SSLSocket s) {
// Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are
// guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
if (Flavors.FLAVOR == Flavors.FREE) {
s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" } );
}
// Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported
// cipher suites may vary. Old protocols might be necessary to keep things working.
else {
s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" } );
}
}
}