Include TLSv1.2 support and make it work on 16 to 19 devices

2025-10-31 02:17:41 +00:00 · 2019-02-20 18:16:37 +01:00 · 2019-02-20 18:16:37 +01:00 · f06732b666
commit f06732b666
parent b22e389f1f
2 changed files with 112 additions and 2 deletions
--- a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpClient.java
+++ b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpClient.java
@ -26,6 +26,7 @@ package com.owncloud.android.lib.common.http;

 import android.content.Context;

+import android.os.Build;
 import com.owncloud.android.lib.common.OwnCloudClientManagerFactory;
 import com.owncloud.android.lib.common.http.interceptors.HttpInterceptor;
 import com.owncloud.android.lib.common.http.interceptors.RequestHeaderInterceptor;
@ -39,8 +40,10 @@ import okhttp3.OkHttpClient;
 import okhttp3.Protocol;

 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
+import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@ -67,9 +70,34 @@ public class HttpClient {
            try {
                final X509TrustManager trustManager = new AdvancedX509TrustManager(
                        NetworkUtils.getKnownServersStore(sContext));
-                final SSLContext sslContext = SSLContext.getInstance("TLS");
+
+                SSLContext sslContext;
+
+                try {
+                    sslContext = SSLContext.getInstance("TLSv1.2");
+                } catch (NoSuchAlgorithmException tlsv12Exception) {
+                    try {
+                        Log_OC.w(TAG, "TLSv1.2 is not supported in this device; falling through TLSv1.1");
+                        sslContext = SSLContext.getInstance("TLSv1.1");
+                    } catch (NoSuchAlgorithmException tlsv11Exception) {
+                        Log_OC.w(TAG, "TLSv1.1 is not supported in this device; falling through TLSv1.0");
+                        sslContext = SSLContext.getInstance("TLSv1");
+                        // should be available in any device; see reference of supported protocols in
+                        // http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
+                    }
+                }
+
                sslContext.init(null, new TrustManager[]{trustManager}, null);

+                SSLSocketFactory sslSocketFactory;
+
+                if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
+                    // TLS v1.2 is disabled by default from API 16 to 19, use custom SSLSocketFactory to enable it
+                    sslSocketFactory = new TLSSocketFactory(sslContext.getSocketFactory());
+                } else {
+                    sslSocketFactory = sslContext.getSocketFactory();
+                }
+
                // Automatic cookie handling, NOT PERSISTENT
                CookieJar cookieJar = new CookieJar() {
                    @Override
@ -97,7 +125,7 @@ public class HttpClient {
                        .writeTimeout(HttpConstants.DEFAULT_DATA_TIMEOUT, TimeUnit.MILLISECONDS)
                        .connectTimeout(HttpConstants.DEFAULT_CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS)
                        .followRedirects(false)
-                        .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
+                        .sslSocketFactory(sslSocketFactory, trustManager)
                        .hostnameVerifier((asdf, usdf) -> true)
                        .cookieJar(cookieJar);
                // TODO: Not verifying the hostname against certificate. ask owncloud security human if this is ok.
--- a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/TLSSocketFactory.java
+++ b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/TLSSocketFactory.java
@ -0,0 +1,82 @@
+/* ownCloud Android Library is available under MIT license
+ *   Copyright (C) 2019 ownCloud GmbH.
+ *
+ *   Permission is hereby granted, free of charge, to any person obtaining a copy
+ *   of this software and associated documentation files (the "Software"), to deal
+ *   in the Software without restriction, including without limitation the rights
+ *   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ *   copies of the Software, and to permit persons to whom the Software is
+ *   furnished to do so, subject to the following conditions:
+ *
+ *   The above copyright notice and this permission notice shall be included in
+ *   all copies or substantial portions of the Software.
+ *
+ *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ *   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ *   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ *   NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ *   BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ *   ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ *   CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ *   THE SOFTWARE.
+ *
+ */
+
+package com.owncloud.android.lib.common.http;
+
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+
+public class TLSSocketFactory extends SSLSocketFactory {
+    private SSLSocketFactory mInternalSSLSocketFactory;
+
+    public TLSSocketFactory(SSLSocketFactory delegate) {
+        mInternalSSLSocketFactory = delegate;
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        return mInternalSSLSocketFactory.getDefaultCipherSuites();
+    }
+
+    @Override
+    public String[] getSupportedCipherSuites() {
+        return mInternalSSLSocketFactory.getSupportedCipherSuites();
+    }
+
+    @Override
+    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+        return enableTLSOnSocket(mInternalSSLSocketFactory.createSocket(s, host, port, autoClose));
+    }
+
+    @Override
+    public Socket createSocket(String host, int port) throws IOException {
+        return enableTLSOnSocket(mInternalSSLSocketFactory.createSocket(host, port));
+    }
+
+    @Override
+    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
+        return enableTLSOnSocket(mInternalSSLSocketFactory.createSocket(host, port, localHost, localPort));
+    }
+
+    @Override
+    public Socket createSocket(InetAddress host, int port) throws IOException {
+        return enableTLSOnSocket(mInternalSSLSocketFactory.createSocket(host, port));
+    }
+
+    @Override
+    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws
+            IOException {
+        return enableTLSOnSocket(mInternalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
+    }
+
+    private Socket enableTLSOnSocket(Socket socket) {
+        if(socket != null && (socket instanceof SSLSocket)) {
+            ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
+        }
+        return socket;
+    }
+}