From c4b9d428616ba3efcea00a88158f12922d876e42 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Thu, 16 Oct 2014 10:02:47 -0400 Subject: [PATCH 1/4] Enable all supported protocols including TLSv1.1 and 1.2 --- src/eu/siacs/conversations/xmpp/XmppConnection.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/eu/siacs/conversations/xmpp/XmppConnection.java b/src/eu/siacs/conversations/xmpp/XmppConnection.java index 43614f50..0162af9e 100644 --- a/src/eu/siacs/conversations/xmpp/XmppConnection.java +++ b/src/eu/siacs/conversations/xmpp/XmppConnection.java @@ -519,6 +519,7 @@ public class XmppConnection implements Runnable { SSLSocket sslSocket = (SSLSocket) factory.createSocket(socket, socket.getInetAddress().getHostAddress(), socket.getPort(), true); + sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols()); if (verifier != null && !verifier.verify(account.getServer(), From 113b7d17361a7da7ae08b0845011070e0c005fc5 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Sat, 18 Oct 2014 15:56:59 -0400 Subject: [PATCH 2/4] Remove support for legacy SSL --- src/eu/siacs/conversations/xmpp/XmppConnection.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/eu/siacs/conversations/xmpp/XmppConnection.java b/src/eu/siacs/conversations/xmpp/XmppConnection.java index 0162af9e..1ac6cb2b 100644 --- a/src/eu/siacs/conversations/xmpp/XmppConnection.java +++ b/src/eu/siacs/conversations/xmpp/XmppConnection.java @@ -10,6 +10,7 @@ import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; import java.util.Hashtable; import java.util.List; @@ -519,7 +520,14 @@ public class XmppConnection implements Runnable { SSLSocket sslSocket = (SSLSocket) factory.createSocket(socket, socket.getInetAddress().getHostAddress(), socket.getPort(), true); - sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols()); + + // Support all protocols except legacy SSL. + // The min SDK version prevents us having to worry about SSLv2. In future, this may be + // true of SSLv3 as well. + final List supportedProtocols = new LinkedList(Arrays.asList( + sslSocket.getSupportedProtocols())); + supportedProtocols.remove("SSLv3"); + sslSocket.setEnabledProtocols(supportedProtocols.toArray(new String[supportedProtocols.size()])); if (verifier != null && !verifier.verify(account.getServer(), From 6c7c3ddf15aebaedbd4c62e7771bb7e378ebf4ad Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Sun, 19 Oct 2014 15:53:03 -0400 Subject: [PATCH 3/4] Add "Enable legacy SSL" preference --- res/values/strings.xml | 6 ++- res/xml/preferences.xml | 7 ++- .../conversations/xmpp/XmppConnection.java | 44 ++++++++++++++----- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/res/values/strings.xml b/res/values/strings.xml index 18eec00a..4351c118 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -249,8 +249,10 @@ Force end-to-end encryption Always send messages encrypted (except for conferences) Don’t save encrypted messages - Warning: This could lead to message loss - Expert options + Warning: This could lead to message loss + Enable legacy SSL + Enables SSLv3 support for legacy servers. Warning: SSLv3 is considered insecure. + Expert options Please be very careful with those Increase font size Use larger font sizes across the entire app diff --git a/res/xml/preferences.xml b/res/xml/preferences.xml index eccc8bae..7a61b81f 100644 --- a/res/xml/preferences.xml +++ b/res/xml/preferences.xml @@ -88,6 +88,11 @@ android:key="dont_save_encrypted" android:summary="@string/pref_dont_save_encrypted_summary" android:title="@string/pref_dont_save_encrypted" /> + - \ No newline at end of file + diff --git a/src/eu/siacs/conversations/xmpp/XmppConnection.java b/src/eu/siacs/conversations/xmpp/XmppConnection.java index 1ac6cb2b..43469f08 100644 --- a/src/eu/siacs/conversations/xmpp/XmppConnection.java +++ b/src/eu/siacs/conversations/xmpp/XmppConnection.java @@ -13,6 +13,7 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.Hashtable; +import java.util.LinkedList; import java.util.List; import java.util.Map.Entry; @@ -27,15 +28,19 @@ import org.xmlpull.v1.XmlPullParserException; import de.duenndns.ssl.MemorizingTrustManager; +import android.content.Context; +import android.content.SharedPreferences; import android.os.Bundle; import android.os.PowerManager; import android.os.PowerManager.WakeLock; import android.os.SystemClock; +import android.preference.PreferenceManager; import android.util.Log; import android.util.SparseArray; import eu.siacs.conversations.Config; import eu.siacs.conversations.entities.Account; import eu.siacs.conversations.services.XmppConnectionService; +import eu.siacs.conversations.ui.StartConversationActivity; import eu.siacs.conversations.utils.CryptoHelper; import eu.siacs.conversations.utils.DNSHelper; import eu.siacs.conversations.utils.zlib.ZLibOutputStream; @@ -105,6 +110,7 @@ public class XmppConnection implements Runnable { private OnBindListener bindListener = null; private OnMessageAcknowledged acknowledgedListener = null; private MemorizingTrustManager mMemorizingTrustManager; + private final Context applicationContext; public XmppConnection(Account account, XmppConnectionService service) { this.mRandom = service.getRNG(); @@ -113,6 +119,7 @@ public class XmppConnection implements Runnable { this.wakeLock = service.getPowerManager().newWakeLock( PowerManager.PARTIAL_WAKE_LOCK, account.getJid()); tagWriter = new TagWriter(); + applicationContext = service.getApplicationContext(); } protected void changeStatus(int nextStatus) { @@ -363,13 +370,13 @@ public class XmppConnection implements Runnable { iq.addChild("ping", "urn:xmpp:ping"); this.sendIqPacket(iq, new OnIqPacketReceived() { - @Override - public void onIqPacketReceived(Account account, IqPacket packet) { - Log.d(Config.LOGTAG, account.getJid() - + ": online with resource " + account.getResource()); - changeStatus(Account.STATUS_ONLINE); - } - }); + @Override + public void onIqPacketReceived(Account account, IqPacket packet) { + Log.d(Config.LOGTAG, account.getJid() + + ": online with resource " + account.getResource()); + changeStatus(Account.STATUS_ONLINE); + } + }); } private Element processPacket(Tag currentTag, int packetType) @@ -505,6 +512,14 @@ public class XmppConnection implements Runnable { tagWriter.writeTag(startTLS); } + private SharedPreferences getPreferences() { + return PreferenceManager.getDefaultSharedPreferences(applicationContext); + } + + private boolean enableLegacySSL() { + return getPreferences().getBoolean("enable_legacy_ssl", true); + } + private void switchOverToTls(Tag currentTag) throws XmlPullParserException, IOException { tagReader.readTag(); @@ -524,10 +539,17 @@ public class XmppConnection implements Runnable { // Support all protocols except legacy SSL. // The min SDK version prevents us having to worry about SSLv2. In future, this may be // true of SSLv3 as well. - final List supportedProtocols = new LinkedList(Arrays.asList( - sslSocket.getSupportedProtocols())); - supportedProtocols.remove("SSLv3"); - sslSocket.setEnabledProtocols(supportedProtocols.toArray(new String[supportedProtocols.size()])); + final String[] supportProtocols; + if (enableLegacySSL()) { + supportProtocols = sslSocket.getSupportedProtocols(); + } else { + final List supportedProtocols = new LinkedList(Arrays.asList( + sslSocket.getSupportedProtocols())); + supportedProtocols.remove("SSLv3"); + supportProtocols = new String[supportedProtocols.size()]; + supportedProtocols.toArray(supportProtocols); + } + sslSocket.setEnabledProtocols(supportProtocols); if (verifier != null && !verifier.verify(account.getServer(), From 99ee049115587b8d914d2df707d8bf152fdd42f6 Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Sun, 19 Oct 2014 16:11:35 -0400 Subject: [PATCH 4/4] Make legacy SSL option default to false --- res/xml/preferences.xml | 2 +- src/eu/siacs/conversations/xmpp/XmppConnection.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/res/xml/preferences.xml b/res/xml/preferences.xml index 7a61b81f..e4a527f6 100644 --- a/res/xml/preferences.xml +++ b/res/xml/preferences.xml @@ -89,7 +89,7 @@ android:summary="@string/pref_dont_save_encrypted_summary" android:title="@string/pref_dont_save_encrypted" /> diff --git a/src/eu/siacs/conversations/xmpp/XmppConnection.java b/src/eu/siacs/conversations/xmpp/XmppConnection.java index 43469f08..0ae51fb5 100644 --- a/src/eu/siacs/conversations/xmpp/XmppConnection.java +++ b/src/eu/siacs/conversations/xmpp/XmppConnection.java @@ -517,7 +517,7 @@ public class XmppConnection implements Runnable { } private boolean enableLegacySSL() { - return getPreferences().getBoolean("enable_legacy_ssl", true); + return getPreferences().getBoolean("enable_legacy_ssl", false); } private void switchOverToTls(Tag currentTag) throws XmlPullParserException,