diff options
author | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-09-27 19:35:50 +0200 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-09-27 19:35:50 +0200 |
commit | f42c1e5491d30a94ec83310425ca400ab030439d (patch) | |
tree | 6e8131761517d9d4331c4059116575c68fd522c0 | |
parent | 74ebabb6156cd62e8fb877f08caf3c88f357fdcd (diff) | |
download | libcore-f42c1e5491d30a94ec83310425ca400ab030439d.zip libcore-f42c1e5491d30a94ec83310425ca400ab030439d.tar.gz libcore-f42c1e5491d30a94ec83310425ca400ab030439d.tar.bz2 |
disable sslv3, enable tlsv1.1/tlsv1.2, remove weak ciphers
6 files changed, 41 insertions, 128 deletions
diff --git a/luni/src/main/java/libcore/net/http/HttpConnection.java b/luni/src/main/java/libcore/net/http/HttpConnection.java index 4a6e65d..ea11ab4 100644 --- a/luni/src/main/java/libcore/net/http/HttpConnection.java +++ b/luni/src/main/java/libcore/net/http/HttpConnection.java @@ -188,8 +188,7 @@ final class HttpConnection { * * @param sslSocketFactory Source of new {@code SSLSocket} instances. * @param tlsTolerant If true, assume server can handle common - * TLS extensions and SSL deflate compression. If false, use - * an SSL3 only fallback mode without compression. + * TLS extensions and SSL deflate compression. */ public void setupSecureSocket(SSLSocketFactory sslSocketFactory, boolean tlsTolerant) throws IOException { @@ -202,9 +201,8 @@ final class HttpConnection { openSslSocket.setUseSessionTickets(true); openSslSocket.setHostname(address.uriHost); // use SSLSocketFactory default enabled protocols - } else { - unverifiedSocket.setEnabledProtocols(new String [] { "SSLv3" }); } + // force handshake, which can throw unverifiedSocket.startHandshake(); } diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java index c20a0b9..9f288af 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java @@ -108,9 +108,6 @@ public class CipherSuite { static final byte[] CODE_SSL_NULL_WITH_NULL_NULL = { 0x00, 0x00 }; static final byte[] CODE_SSL_RSA_WITH_NULL_MD5 = { 0x00, 0x01 }; static final byte[] CODE_SSL_RSA_WITH_NULL_SHA = { 0x00, 0x02 }; - static final byte[] CODE_SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00, 0x03 }; - static final byte[] CODE_SSL_RSA_WITH_RC4_128_MD5 = { 0x00, 0x04 }; - static final byte[] CODE_SSL_RSA_WITH_RC4_128_SHA = { 0x00, 0x05 }; static final byte[] CODE_SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00, 0x06 }; // BEGIN android-removed // static final byte[] CODE_TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00, 0x07 }; @@ -132,8 +129,6 @@ public class CipherSuite { static final byte[] CODE_SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00, 0x14 }; static final byte[] CODE_SSL_DHE_RSA_WITH_DES_CBC_SHA = { 0x00, 0x15 }; static final byte[] CODE_SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x16 }; - static final byte[] CODE_SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00, 0x17 }; - static final byte[] CODE_SSL_DH_anon_WITH_RC4_128_MD5 = { 0x00, 0x18 }; static final byte[] CODE_SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00, 0x19 }; static final byte[] CODE_SSL_DH_anon_WITH_DES_CBC_SHA = { 0x00, 0x1A }; static final byte[] CODE_SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x1B }; @@ -154,27 +149,27 @@ public class CipherSuite { // EC Cipher Suites from RFC 4492 - http://www.ietf.org/rfc/rfc4492.txt static final byte[] CODE_TLS_ECDH_ECDSA_WITH_NULL_SHA = { (byte) 0xc0, 0x01}; - static final byte[] CODE_TLS_ECDH_ECDSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x02}; + //static final byte[] CODE_TLS_ECDH_ECDSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x02}; static final byte[] CODE_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = { (byte) 0xc0, 0x03}; static final byte[] CODE_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = { (byte) 0xc0, 0x04}; static final byte[] CODE_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = { (byte) 0xc0, 0x05}; static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_NULL_SHA = { (byte) 0xc0, 0x06}; - static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x07}; + //static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x07}; static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = { (byte) 0xc0, 0x08}; static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = { (byte) 0xc0, 0x09}; static final byte[] CODE_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = { (byte) 0xc0, 0x0A}; static final byte[] CODE_TLS_ECDH_RSA_WITH_NULL_SHA = { (byte) 0xc0, 0x0B}; - static final byte[] CODE_TLS_ECDH_RSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x0C}; + //static final byte[] CODE_TLS_ECDH_RSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x0C}; static final byte[] CODE_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = { (byte) 0xc0, 0x0D}; static final byte[] CODE_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = { (byte) 0xc0, 0x0E}; static final byte[] CODE_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = { (byte) 0xc0, 0x0F}; static final byte[] CODE_TLS_ECDHE_RSA_WITH_NULL_SHA = { (byte) 0xc0, 0x10}; - static final byte[] CODE_TLS_ECDHE_RSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x11}; + //static final byte[] CODE_TLS_ECDHE_RSA_WITH_RC4_128_SHA = { (byte) 0xc0, 0x11}; static final byte[] CODE_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = { (byte) 0xc0, 0x12}; static final byte[] CODE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = { (byte) 0xc0, 0x13}; static final byte[] CODE_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = { (byte) 0xc0, 0x14}; static final byte[] CODE_TLS_ECDH_anon_WITH_NULL_SHA = { (byte) 0xc0, 0x15}; - static final byte[] CODE_TLS_ECDH_anon_WITH_RC4_128_SHA = { (byte) 0xc0, 0x16}; + //static final byte[] CODE_TLS_ECDH_anon_WITH_RC4_128_SHA = { (byte) 0xc0, 0x16}; static final byte[] CODE_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = { (byte) 0xc0, 0x17}; static final byte[] CODE_TLS_ECDH_anon_WITH_AES_128_CBC_SHA = { (byte) 0xc0, 0x18}; static final byte[] CODE_TLS_ECDH_anon_WITH_AES_256_CBC_SHA = { (byte) 0xc0, 0x19}; @@ -191,18 +186,6 @@ public class CipherSuite { "SSL_RSA_WITH_NULL_SHA", true, KEY_EXCHANGE_RSA, "RSA", null, "SHA", CODE_SSL_RSA_WITH_NULL_SHA); - static final CipherSuite SSL_RSA_EXPORT_WITH_RC4_40_MD5 = new CipherSuite( - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", true, KEY_EXCHANGE_RSA_EXPORT, - "RSA", "RC4_40", "MD5", CODE_SSL_RSA_EXPORT_WITH_RC4_40_MD5); - - static final CipherSuite SSL_RSA_WITH_RC4_128_MD5 = new CipherSuite( - "SSL_RSA_WITH_RC4_128_MD5", false, KEY_EXCHANGE_RSA, "RSA", "RC4_128", - "MD5", CODE_SSL_RSA_WITH_RC4_128_MD5); - - static final CipherSuite SSL_RSA_WITH_RC4_128_SHA = new CipherSuite( - "SSL_RSA_WITH_RC4_128_SHA", false, KEY_EXCHANGE_RSA, "RSA", "RC4_128", - "SHA", CODE_SSL_RSA_WITH_RC4_128_SHA); - static final CipherSuite SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = new CipherSuite( "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", true, KEY_EXCHANGE_RSA_EXPORT, "RSA", "RC2_CBC_40", "MD5", CODE_SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5); @@ -279,15 +262,6 @@ public class CipherSuite { "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", false, KEY_EXCHANGE_DHE_RSA, "RSA", "3DES_EDE_CBC", "SHA", CODE_SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA); - static final CipherSuite SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = new CipherSuite( - "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", true, - KEY_EXCHANGE_DH_anon_EXPORT, "DH", "RC4_40", "MD5", - CODE_SSL_DH_anon_EXPORT_WITH_RC4_40_MD5); - - static final CipherSuite SSL_DH_anon_WITH_RC4_128_MD5 = new CipherSuite( - "SSL_DH_anon_WITH_RC4_128_MD5", false, KEY_EXCHANGE_DH_anon, - "DH", "RC4_128", "MD5", CODE_SSL_DH_anon_WITH_RC4_128_MD5); - static final CipherSuite SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = new CipherSuite( "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", true, KEY_EXCHANGE_DH_anon_EXPORT, "DH", "DES40_CBC", "SHA", @@ -374,14 +348,6 @@ public class CipherSuite { null, "SHA", CODE_TLS_ECDH_ECDSA_WITH_NULL_SHA); - static final CipherSuite TLS_ECDH_ECDSA_WITH_RC4_128_SHA - = new CipherSuite("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - false, - KEY_EXCHANGE_ECDH_ECDSA, - "EC", - "RC4_128", - "SHA", - CODE_TLS_ECDH_ECDSA_WITH_RC4_128_SHA); static final CipherSuite TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = new CipherSuite("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", false, @@ -414,14 +380,6 @@ public class CipherSuite { null, "SHA", CODE_TLS_ECDHE_ECDSA_WITH_NULL_SHA); - static final CipherSuite TLS_ECDHE_ECDSA_WITH_RC4_128_SHA - = new CipherSuite("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - false, - KEY_EXCHANGE_ECDHE_ECDSA, - "EC", - "RC4_128", - "SHA", - CODE_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA); static final CipherSuite TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = new CipherSuite("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", false, @@ -454,14 +412,6 @@ public class CipherSuite { null, "SHA", CODE_TLS_ECDH_RSA_WITH_NULL_SHA); - static final CipherSuite TLS_ECDH_RSA_WITH_RC4_128_SHA - = new CipherSuite("TLS_ECDH_RSA_WITH_RC4_128_SHA", - false, - KEY_EXCHANGE_ECDH_RSA, - "EC", - "RC4_128", - "SHA", - CODE_TLS_ECDH_RSA_WITH_RC4_128_SHA); static final CipherSuite TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = new CipherSuite("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", false, @@ -494,14 +444,6 @@ public class CipherSuite { null, "SHA", CODE_TLS_ECDHE_RSA_WITH_NULL_SHA); - static final CipherSuite TLS_ECDHE_RSA_WITH_RC4_128_SHA - = new CipherSuite("TLS_ECDHE_RSA_WITH_RC4_128_SHA", - false, - KEY_EXCHANGE_ECDHE_RSA, - "EC", - "RC4_128", - "SHA", - CODE_TLS_ECDHE_RSA_WITH_RC4_128_SHA); static final CipherSuite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = new CipherSuite("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", false, @@ -534,14 +476,6 @@ public class CipherSuite { null, "SHA", CODE_TLS_ECDH_anon_WITH_NULL_SHA); - static final CipherSuite TLS_ECDH_anon_WITH_RC4_128_SHA - = new CipherSuite("TLS_ECDH_anon_WITH_RC4_128_SHA", - false, - KEY_EXCHANGE_ECDH_anon, - "EC", - "RC4_128", - "SHA", - CODE_TLS_ECDH_anon_WITH_RC4_128_SHA); static final CipherSuite TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = new CipherSuite("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", false, @@ -573,9 +507,6 @@ public class CipherSuite { SSL_NULL_WITH_NULL_NULL, // { 0x00, 0x00 }; SSL_RSA_WITH_NULL_MD5, // { 0x00, 0x01 }; SSL_RSA_WITH_NULL_SHA, // { 0x00, 0x02 }; - SSL_RSA_EXPORT_WITH_RC4_40_MD5, // { 0x00, 0x03 }; - SSL_RSA_WITH_RC4_128_MD5, // { 0x00, 0x04 }; - SSL_RSA_WITH_RC4_128_SHA, // { 0x00, 0x05 }; // BEGIN android-changed null, // SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, // { 0x00, 0x06 }; null, // TLS_RSA_WITH_IDEA_CBC_SHA, // { 0x00, 0x07 }; @@ -597,8 +528,6 @@ public class CipherSuite { SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, // { 0x00, 0x14 }; SSL_DHE_RSA_WITH_DES_CBC_SHA, // { 0x00, 0x15 }; SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, // { 0x00, 0x16 }; - SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, // { 0x00, 0x17 }; - SSL_DH_anon_WITH_RC4_128_MD5, // { 0x00, 0x18 }; SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, // { 0x00, 0x19 }; SSL_DH_anon_WITH_DES_CBC_SHA, // { 0x00, 0x1A }; SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, // { 0x00, 0x1B }; @@ -607,18 +536,14 @@ public class CipherSuite { null, // SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA // { 0x00, 0x1D }; null, // TLS_KRB5_WITH_DES_CBC_SHA // { 0x00, 0x1E }; null, // TLS_KRB5_WITH_3DES_EDE_CBC_SHA // { 0x00, 0x1F }; - null, // TLS_KRB5_WITH_RC4_128_SHA // { 0x00, 0x20 }; null, // TLS_KRB5_WITH_IDEA_CBC_SHA // { 0x00, 0x21 }; null, // TLS_KRB5_WITH_DES_CBC_MD5 // { 0x00, 0x22 }; null, // TLS_KRB5_WITH_3DES_EDE_CBC_MD5 // { 0x00, 0x23 }; - null, // TLS_KRB5_WITH_RC4_128_MD5 // { 0x00, 0x24 }; null, // TLS_KRB5_WITH_IDEA_CBC_MD5 // { 0x00, 0x25 }; null, // TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA // { 0x00, 0x26 }; null, // TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA // { 0x00, 0x27 }; - null, // TLS_KRB5_EXPORT_WITH_RC4_40_SHA // { 0x00, 0x28 }; null, // TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 // { 0x00, 0x29 }; null, // TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 // { 0x00, 0x2A }; - null, // TLS_KRB5_EXPORT_WITH_RC4_40_MD5 // { 0x00, 0x2B }; null, // TLS_PSK_WITH_NULL_SHA // { 0x00, 0x2C }; null, // TLS_DHE_PSK_WITH_NULL_SHA // { 0x00, 0x2D }; null, // TLS_RSA_PSK_WITH_NULL_SHA // { 0x00, 0x2E }; @@ -639,27 +564,22 @@ public class CipherSuite { private static final CipherSuite[] SUITES_BY_CODE_0xc0 = { null, // { 0xc0, 0x00}; TLS_ECDH_ECDSA_WITH_NULL_SHA, // { 0xc0, 0x01}; - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, // { 0xc0, 0x02}; TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, // { 0xc0, 0x03}; TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, // { 0xc0, 0x04}; TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, // { 0xc0, 0x05}; TLS_ECDHE_ECDSA_WITH_NULL_SHA, // { 0xc0, 0x06}; - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, // { 0xc0, 0x07}; TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, // { 0xc0, 0x08}; TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, // { 0xc0, 0x09}; TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, // { 0xc0, 0x0A}; TLS_ECDH_RSA_WITH_NULL_SHA, // { 0xc0, 0x0B}; - TLS_ECDH_RSA_WITH_RC4_128_SHA, // { 0xc0, 0x0C}; TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, // { 0xc0, 0x0D}; TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, // { 0xc0, 0x0E}; TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, // { 0xc0, 0x0F}; TLS_ECDHE_RSA_WITH_NULL_SHA, // { 0xc0, 0x10}; - TLS_ECDHE_RSA_WITH_RC4_128_SHA, // { 0xc0, 0x11}; TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // { 0xc0, 0x12}; TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // { 0xc0, 0x13}; TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // { 0xc0, 0x14}; TLS_ECDH_anon_WITH_NULL_SHA, // { 0xc0, 0x15}; - TLS_ECDH_anon_WITH_RC4_128_SHA, // { 0xc0, 0x16}; TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, // { 0xc0, 0x17}; TLS_ECDH_anon_WITH_AES_128_CBC_SHA, // { 0xc0, 0x18}; TLS_ECDH_anon_WITH_AES_256_CBC_SHA, // { 0xc0, 0x19}; @@ -731,8 +651,6 @@ public class CipherSuite { registerSupportedCipherSuites(count_0x00, SUITES_BY_CODE_0xc0); CipherSuite[] defaultCipherSuites = { - SSL_RSA_WITH_RC4_128_MD5, - SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, @@ -742,7 +660,6 @@ public class CipherSuite { SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, - SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java index d9b7659..586b590 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java @@ -108,9 +108,9 @@ public final class JSSEProvider extends Provider { super("HarmonyJSSE", 1.0, "Harmony JSSE Provider"); put("SSLContext.SSL", SSLContextImpl.class.getName()); - put("SSLContext.SSLv3", SSLContextImpl.class.getName()); put("SSLContext.TLS", SSLContextImpl.class.getName()); put("SSLContext.TLSv1", SSLContextImpl.class.getName()); + put("SSLContext.TLSv1_2", SSLContextImpl.class.getName()); put("KeyManagerFactory.X509", KeyManagerFactoryImpl.class.getName()); put("TrustManagerFactory.X509", TrustManagerFactoryImpl.class.getName()); diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java index 65373ff..f1c6e7b 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java @@ -252,20 +252,14 @@ public final class NativeCrypto { static { // Note these are added in priority order - add("SSL_RSA_WITH_RC4_128_MD5", "RC4-MD5"); - add("SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA"); add("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"); add("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"); - add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA"); add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "ECDH-ECDSA-AES128-SHA"); add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "ECDH-ECDSA-AES256-SHA"); - add("TLS_ECDH_RSA_WITH_RC4_128_SHA", "ECDH-RSA-RC4-SHA"); add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH-RSA-AES128-SHA"); add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "ECDH-RSA-AES256-SHA"); - add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE-ECDSA-RC4-SHA"); add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA"); add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE-ECDSA-AES256-SHA"); - add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA"); add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA"); add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE-RSA-AES256-SHA"); add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA"); @@ -297,7 +291,6 @@ public final class NativeCrypto { add("TLS_DH_anon_WITH_AES_256_CBC_SHA", "ADH-AES256-SHA"); add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "ADH-DES-CBC3-SHA"); add("SSL_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA"); - add("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA"); add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "AECDH-AES128-SHA"); add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "AECDH-AES256-SHA"); add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "AECDH-DES-CBC3-SHA"); @@ -374,20 +367,14 @@ public final class NativeCrypto { public static String[] getDefaultCipherSuites() { return new String[] { - "SSL_RSA_WITH_RC4_128_MD5", - "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", @@ -463,14 +450,14 @@ public final class NativeCrypto { public static native long SSL_clear_options(int ssl, long options); public static String[] getDefaultProtocols() { - return new String[] { SUPPORTED_PROTOCOL_SSLV3, - SUPPORTED_PROTOCOL_TLSV1, + return new String[] { SUPPORTED_PROTOCOL_TLSV1, + SUPPORTED_PROTOCOL_TLSV1_1, + SUPPORTED_PROTOCOL_TLSV1_2, }; } public static String[] getSupportedProtocols() { - return new String[] { SUPPORTED_PROTOCOL_SSLV3, - SUPPORTED_PROTOCOL_TLSV1, + return new String[] { SUPPORTED_PROTOCOL_TLSV1, SUPPORTED_PROTOCOL_TLSV1_1, SUPPORTED_PROTOCOL_TLSV1_2, }; diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ProtocolVersion.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ProtocolVersion.java index 230f9fe..b99e299 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ProtocolVersion.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ProtocolVersion.java @@ -27,7 +27,8 @@ public class ProtocolVersion { * Protocols supported by this provider implementation */ public static final String[] supportedProtocols = new String[] { "TLSv1", - "SSLv3" }; + "TLSv1.1", + "TLSv1.2" }; private static Hashtable<String, ProtocolVersion> protocolsByName = new Hashtable<String, ProtocolVersion>(4); @@ -38,7 +39,7 @@ public class ProtocolVersion { * @param version */ public static boolean isSupported(byte[] version) { - if (version[0] != 3 || (version[1] != 0 && version[1] != 1)) { + if (version[0] != 1 || (version[1] != 0 && version[1] != 1) || (version[2] != 0 && version[2] != 2)) { return false; } return true; @@ -51,12 +52,15 @@ public class ProtocolVersion { * @return */ public static ProtocolVersion getByVersion(byte[] version) { - if (version[0] == 3) { - if (version[1] == 1) { + if (version[0] == 1) { + if (version[1] == 0 && version[2] == 0) { return TLSv1; } - if (version[1] == 0) { - return SSLv3; + if (version[1] == 1 && version[2] == 0) { + return TLSv1_1; + } + if (version[2] == 2) { + return TLSv1_2; } } return null; @@ -110,22 +114,29 @@ public class ProtocolVersion { } /** - * SSL 3.0 protocol version + * TLS 1.0 protocol version */ - public static final ProtocolVersion SSLv3 = new ProtocolVersion("SSLv3", - new byte[] { 3, 0 }); + public static final ProtocolVersion TLSv1 = new ProtocolVersion("TLSv1", + new byte[] { 1, 0, 0 }); + /** + * TLS 1.1 protocol version + */ + public static final ProtocolVersion TLSv1_1 = new ProtocolVersion("TLSv1.1", + new byte[] { 1, 1, 0 }); /** - * TLS 1.0 protocol version + * TLS 1.2 protocol version */ - public static final ProtocolVersion TLSv1 = new ProtocolVersion("TLSv1", - new byte[] { 3, 1 }); + public static final ProtocolVersion TLSv1_2 = new ProtocolVersion("TLSv1.2", + new byte[] { 1, 1, 2 }); static { - protocolsByName.put(SSLv3.name, SSLv3); protocolsByName.put(TLSv1.name, TLSv1); - protocolsByName.put("SSL", SSLv3); - protocolsByName.put("TLS", TLSv1); + protocolsByName.put(TLSv1_1.name, TLSv1_1); + protocolsByName.put(TLSv1_2.name, TLSv1_2); + protocolsByName.put("TLS", TLSv1); + protocolsByName.put("TLSv1.1", TLSv1_1); + protocolsByName.put("TLSv1.2", TLSv1_2); } /** @@ -142,4 +153,4 @@ public class ProtocolVersion { this.name = name; this.version = version; } -}
\ No newline at end of file +} diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java index fa8d291..2fddcf8 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java @@ -334,8 +334,8 @@ public class ServerHandshakeImpl extends HandshakeProtocol { byte[] server_version = clientHello.client_version; if (!ProtocolVersion.isSupported(clientHello.client_version)) { if (clientHello.client_version[0] >= 3) { - // Protocol from the future, admit that the newest thing we know is TLSv1 - server_version = ProtocolVersion.TLSv1.version; + // Protocol from the future, admit that the newest thing we know is TLSv1.2 + server_version = ProtocolVersion.TLSv1_2.version; } else { fatalAlert(AlertProtocol.PROTOCOL_VERSION, "PROTOCOL VERSION. Unsupported client version " |