Possible fix to ECDH secp256r1-only cipher suite issue.

main
Vavassor 7 years ago
parent b7eb5b3271
commit 692dc0e527
  1. 3
      app/build.gradle
  2. 35
      app/src/main/java/com/keylesspalace/tusky/OkHttpUtils.java
  3. 1
      app/src/main/res/values/strings.xml

@ -19,6 +19,9 @@ android {
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
}
lintOptions {
disable 'MissingTranslation'
}
}
dependencies {

@ -49,10 +49,14 @@ class OkHttpUtils {
* ConnectionSpec.MODERN_TLS) and if that doesn't work falls back to the set of ALL enabled,
* then falls back to plain http.
*
* API level 24 has a regression in elliptic curves where it only supports secp256r1, so this
* first tries a fallback without elliptic curves at all, and then tries them after.
*
* TLS 1.1 and 1.2 have to be manually enabled on API levels 16-20.
*/
@NonNull
static OkHttpClient.Builder getCompatibleClientBuilder() {
ConnectionSpec fallback = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.allEnabledCipherSuites()
.supportsTlsExtensions(true)
@ -60,6 +64,7 @@ class OkHttpUtils {
List<ConnectionSpec> specList = new ArrayList<>();
specList.add(ConnectionSpec.MODERN_TLS);
addNougatFixConnectionSpec(specList);
specList.add(fallback);
specList.add(ConnectionSpec.CLEARTEXT);
@ -74,6 +79,36 @@ class OkHttpUtils {
return getCompatibleClientBuilder().build();
}
/**
* Android version Nougat has a regression where elliptic curve cipher suites are supported, but
* only the curve secp256r1 is allowed. So, first it's best to just disable all elliptic
* ciphers, try the connection, and fall back to the all cipher suites enabled list after.
*/
private static void addNougatFixConnectionSpec(List<ConnectionSpec> specList) {
if (Build.VERSION.SDK_INT != Build.VERSION_CODES.N) {
return;
}
SSLContext sslContext;
try {
sslContext = SSLContext.getInstance("TLS");
} catch (NoSuchAlgorithmException e) {
Log.e(TAG, "Failed obtaining TLS Context.");
return;
}
String[] cipherSuites = sslContext.getSocketFactory().getDefaultCipherSuites();
ArrayList<String> allowedList = new ArrayList<>();
for (String suite : cipherSuites) {
if (!suite.contains("ECDH")) {
allowedList.add(suite);
}
}
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.cipherSuites(allowedList.toArray(new String[0]))
.supportsTlsExtensions(true)
.build();
specList.add(spec);
}
private static OkHttpClient.Builder enableHigherTlsOnPreLollipop(OkHttpClient.Builder builder) {
if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22) {
try {

@ -20,7 +20,6 @@
<string name="title_notifications">Notifications</string>
<string name="title_public_local">Local</string>
<string name="title_public_federated">Federated</string>
<string name="title_compose">Compose</string>
<string name="title_thread">Thread</string>
<string name="title_tag">#%s</string>
<string name="title_statuses">Posts</string>

Loading…
Cancel
Save