Possible fix to ECDH secp256r1-only cipher suite issue.

2017-04-13 00:01:02 -04:00 · 2017-04-13 00:01:02 -04:00 · 692dc0e527
parent b7eb5b3271
commit 692dc0e527
3 changed files with 38 additions and 1 deletions
--- a/app/build.gradle
+++ b/app/build.gradle
@ -19,6 +19,9 @@ android {
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
+    lintOptions {
+        disable 'MissingTranslation'
+    }
 }

 dependencies {
--- a/app/src/main/java/com/keylesspalace/tusky/OkHttpUtils.java
+++ b/app/src/main/java/com/keylesspalace/tusky/OkHttpUtils.java
@ -49,10 +49,14 @@ class OkHttpUtils {
     * ConnectionSpec.MODERN_TLS) and if that doesn't work falls back to the set of ALL enabled,
     * then falls back to plain http.
     *
+     * API level 24 has a regression in elliptic curves where it only supports secp256r1, so this
+     * first tries a fallback without elliptic curves at all, and then tries them after.
+     *
     * TLS 1.1 and 1.2 have to be manually enabled on API levels 16-20.
     */
    @NonNull
    static OkHttpClient.Builder getCompatibleClientBuilder() {
+
        ConnectionSpec fallback = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .allEnabledCipherSuites()
                .supportsTlsExtensions(true)
@ -60,6 +64,7 @@ class OkHttpUtils {

        List<ConnectionSpec> specList = new ArrayList<>();
        specList.add(ConnectionSpec.MODERN_TLS);
+        addNougatFixConnectionSpec(specList);
        specList.add(fallback);
        specList.add(ConnectionSpec.CLEARTEXT);

@ -74,6 +79,36 @@ class OkHttpUtils {
        return getCompatibleClientBuilder().build();
    }

+    /**
+     * Android version Nougat has a regression where elliptic curve cipher suites are supported, but
+     * only the curve secp256r1 is allowed. So, first it's best to just disable all elliptic
+     * ciphers, try the connection, and fall back to the all cipher suites enabled list after.
+     */
+    private static void addNougatFixConnectionSpec(List<ConnectionSpec> specList) {
+        if (Build.VERSION.SDK_INT != Build.VERSION_CODES.N) {
+            return;
+        }
+        SSLContext sslContext;
+        try {
+            sslContext = SSLContext.getInstance("TLS");
+        } catch (NoSuchAlgorithmException e) {
+            Log.e(TAG, "Failed obtaining TLS Context.");
+            return;
+        }
+        String[] cipherSuites = sslContext.getSocketFactory().getDefaultCipherSuites();
+        ArrayList<String> allowedList = new ArrayList<>();
+        for (String suite : cipherSuites) {
+            if (!suite.contains("ECDH")) {
+                allowedList.add(suite);
+            }
+        }
+        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
+                .cipherSuites(allowedList.toArray(new String[0]))
+                .supportsTlsExtensions(true)
+                .build();
+        specList.add(spec);
+    }
+
    private static OkHttpClient.Builder enableHigherTlsOnPreLollipop(OkHttpClient.Builder builder) {
        if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22) {
            try {
--- a/app/src/main/res/values/strings.xml
+++ b/app/src/main/res/values/strings.xml
@ -20,7 +20,6 @@
    <string name="title_notifications">Notifications</string>
    <string name="title_public_local">Local</string>
    <string name="title_public_federated">Federated</string>
-    <string name="title_compose">Compose</string>
    <string name="title_thread">Thread</string>
    <string name="title_tag">#%s</string>
    <string name="title_statuses">Posts</string>