mirror of
https://github.com/element-hq/element-android
synced 2024-11-24 10:25:35 +03:00
Limit supported cipher suites
This commit is contained in:
parent
3a387c5e32
commit
cbcb620ad1
5 changed files with 23 additions and 20 deletions
1
changelog.d/4192.misc
Normal file
1
changelog.d/4192.misc
Normal file
|
@ -0,0 +1 @@
|
|||
Limit supported TLS versions and cipher suites
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
package org.matrix.android.sdk.api
|
||||
|
||||
import okhttp3.ConnectionSpec
|
||||
import org.matrix.android.sdk.api.crypto.MXCryptoConfig
|
||||
import java.net.Proxy
|
||||
|
||||
|
@ -44,6 +45,10 @@ data class MatrixConfiguration(
|
|||
* You can create one using for instance Proxy(proxyType, InetSocketAddress.createUnresolved(hostname, port).
|
||||
*/
|
||||
val proxy: Proxy? = null,
|
||||
/**
|
||||
* TLS versions and cipher suites limitation for unauthenticated requests
|
||||
*/
|
||||
val connectionSpec: ConnectionSpec = ConnectionSpec.RESTRICTED_TLS,
|
||||
/**
|
||||
* True to advertise support for call transfers to other parties on Matrix calls.
|
||||
*/
|
||||
|
|
|
@ -19,6 +19,7 @@ package org.matrix.android.sdk.api.auth.data
|
|||
import android.net.Uri
|
||||
import com.squareup.moshi.JsonClass
|
||||
import okhttp3.CipherSuite
|
||||
import okhttp3.ConnectionSpec
|
||||
import okhttp3.TlsVersion
|
||||
import org.matrix.android.sdk.api.auth.data.HomeServerConnectionConfig.Builder
|
||||
import org.matrix.android.sdk.internal.network.ssl.Fingerprint
|
||||
|
@ -191,32 +192,25 @@ data class HomeServerConnectionConfig(
|
|||
/**
|
||||
* Convenient method to limit the TLS versions and cipher suites for this Builder
|
||||
* Ref:
|
||||
* - https://www.ssi.gouv.fr/uploads/2017/02/security-recommendations-for-tls_v1.1.pdf
|
||||
* - https://www.ssi.gouv.fr/uploads/2017/07/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
|
||||
* - https://developer.android.com/reference/javax/net/ssl/SSLEngine
|
||||
*
|
||||
* @param tlsLimitations true to use Tls limitations
|
||||
* @param enableCompatibilityMode set to true for Android < 20
|
||||
* @return this builder
|
||||
*/
|
||||
@Deprecated("TLS versions and cipher suites are limited by default")
|
||||
fun withTlsLimitations(tlsLimitations: Boolean, enableCompatibilityMode: Boolean): Builder {
|
||||
if (tlsLimitations) {
|
||||
withShouldAcceptTlsExtensions(false)
|
||||
|
||||
// Tls versions
|
||||
addAcceptedTlsVersion(TlsVersion.TLS_1_2)
|
||||
addAcceptedTlsVersion(TlsVersion.TLS_1_3)
|
||||
// TlS versions
|
||||
ConnectionSpec.RESTRICTED_TLS.tlsVersions?.let { this.tlsVersions.addAll(it) }
|
||||
|
||||
forceUsageOfTlsVersions(enableCompatibilityMode)
|
||||
|
||||
// Cipher suites
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
addAcceptedTlsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
ConnectionSpec.RESTRICTED_TLS.cipherSuites?.let { this.tlsCipherSuites.addAll(it) }
|
||||
|
||||
if (enableCompatibilityMode) {
|
||||
// Adopt some preceding cipher suites for Android < 20 to be able to negotiate
|
||||
|
|
|
@ -20,6 +20,7 @@ import com.facebook.stetho.okhttp3.StethoInterceptor
|
|||
import com.squareup.moshi.Moshi
|
||||
import dagger.Module
|
||||
import dagger.Provides
|
||||
import okhttp3.ConnectionSpec
|
||||
import okhttp3.OkHttpClient
|
||||
import okhttp3.logging.HttpLoggingInterceptor
|
||||
import org.matrix.android.sdk.BuildConfig
|
||||
|
@ -29,6 +30,7 @@ import org.matrix.android.sdk.internal.network.TimeOutInterceptor
|
|||
import org.matrix.android.sdk.internal.network.UserAgentInterceptor
|
||||
import org.matrix.android.sdk.internal.network.interceptors.CurlLoggingInterceptor
|
||||
import org.matrix.android.sdk.internal.network.interceptors.FormattedJsonHttpLogger
|
||||
import java.util.Collections
|
||||
import java.util.concurrent.TimeUnit
|
||||
|
||||
@Module
|
||||
|
@ -66,6 +68,8 @@ internal object NetworkModule {
|
|||
httpLoggingInterceptor: HttpLoggingInterceptor,
|
||||
curlLoggingInterceptor: CurlLoggingInterceptor,
|
||||
apiInterceptor: ApiInterceptor): OkHttpClient {
|
||||
val spec = ConnectionSpec.Builder(matrixConfiguration.connectionSpec).build()
|
||||
|
||||
return OkHttpClient.Builder()
|
||||
.connectTimeout(30, TimeUnit.SECONDS)
|
||||
.readTimeout(60, TimeUnit.SECONDS)
|
||||
|
@ -87,6 +91,7 @@ internal object NetworkModule {
|
|||
proxy(it)
|
||||
}
|
||||
}
|
||||
.connectionSpecs(Collections.singletonList(spec))
|
||||
.build()
|
||||
}
|
||||
|
||||
|
|
|
@ -177,15 +177,13 @@ internal object CertUtil {
|
|||
|
||||
val trustPinned = arrayOf<TrustManager>(PinnedTrustManagerProvider.provide(hsConfig.allowedFingerprints, defaultTrustManager))
|
||||
|
||||
val sslSocketFactory: SSLSocketFactory
|
||||
|
||||
if (hsConfig.forceUsageTlsVersions && hsConfig.tlsVersions != null) {
|
||||
val sslSocketFactory = if (hsConfig.forceUsageTlsVersions && !hsConfig.tlsVersions.isNullOrEmpty()) {
|
||||
// Force usage of accepted Tls Versions for Android < 20
|
||||
sslSocketFactory = TLSSocketFactory(trustPinned, hsConfig.tlsVersions)
|
||||
TLSSocketFactory(trustPinned, hsConfig.tlsVersions)
|
||||
} else {
|
||||
val sslContext = SSLContext.getInstance("TLS")
|
||||
sslContext.init(null, trustPinned, java.security.SecureRandom())
|
||||
sslSocketFactory = sslContext.socketFactory
|
||||
sslContext.socketFactory
|
||||
}
|
||||
|
||||
return PinnedSSLSocketFactory(sslSocketFactory, defaultTrustManager!!)
|
||||
|
@ -237,14 +235,14 @@ internal object CertUtil {
|
|||
* @return a list of accepted TLS specifications.
|
||||
*/
|
||||
fun newConnectionSpecs(hsConfig: HomeServerConnectionConfig): List<ConnectionSpec> {
|
||||
val builder = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
|
||||
val builder = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
|
||||
val tlsVersions = hsConfig.tlsVersions
|
||||
if (null != tlsVersions && tlsVersions.isNotEmpty()) {
|
||||
if (!tlsVersions.isNullOrEmpty()) {
|
||||
builder.tlsVersions(*tlsVersions.toTypedArray())
|
||||
}
|
||||
|
||||
val tlsCipherSuites = hsConfig.tlsCipherSuites
|
||||
if (null != tlsCipherSuites && tlsCipherSuites.isNotEmpty()) {
|
||||
if (!tlsCipherSuites.isNullOrEmpty()) {
|
||||
builder.cipherSuites(*tlsCipherSuites.toTypedArray())
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue