From 37a313efb502a4cff87cae1dffd63ede98c9d69f Mon Sep 17 00:00:00 2001
From: Salvatore LaMendola
Date: Fri, 29 May 2015 12:57:23 -0400
Subject: [PATCH 1/2] Disabling support for SSLv3 protocol/ciphers and all RC4 ciphers.
---
.../mail/ssl/DefaultTrustedSocketFactory.java | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java b/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
index 62ae2ed70..cc631eac0 100644
--- a/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
+++ b/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
@@ -48,7 +48,6 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
@@ -56,14 +55,6 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
 "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
- "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
- "TLS_ECDH_RSA_WITH_RC4_128_SHA",
- "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
- "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
- "SSL_RSA_WITH_RC4_128_SHA",
- "SSL_RSA_WITH_RC4_128_MD5",
 };
 
 protected static final String[] BLACKLISTED_CIPHERS = {
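Review bot: The `@@ -48` hunk removes `SSL_RSA_WITH_3DES_EDE_CBC_SHA` from the preferred cipher list but leaves `TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`, `TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA` in place directly above it, so 3DES remains a preferred suite for the ECDH(E) key exchanges while being moved to the blacklist for RSA and DHE. The `SSL_` prefix in a JSSE suite name only records that the suite was first defined for SSL 3.0; such suites are negotiated over TLS exactly like the `TLS_`-prefixed ones, so the prefix is not a reliable marker for "SSLv3 ciphers" as the subject line describes them. If the intent is to retire 3DES (a 64-bit block cipher), the remaining `*_WITH_3DES_EDE_CBC_SHA` entries should move to BLACKLISTED_CIPHERS as well; if 3DES is still wanted as a last-resort fallback, the `SSL_` variants should stay with them. Either way a comment at the top of the 3DES run, such as `// 3DES suites: legacy fallback only; the SSL_/TLS_ prefix does not indicate the protocol version`, would make the policy explicit. The array holding these entries begins before this hunk.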
@@ -74,10 +65,19 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+ "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+ "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_RSA_WITH_RC4_128_SHA",
+ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_SHA",
+ "SSL_RSA_WITH_RC4_128_MD5",
 };
 
 protected static final String ORDERED_KNOWN_PROTOCOLS[] = {
- "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
+ "TLSv1.2", "TLSv1.1", "TLSv1"
 };
 
 static {
From f0962fdb6a12da0582565efd50b0e9d24bb92a0c Mon Sep 17 00:00:00 2001
From: Salvatore LaMendola
Date: Mon, 1 Jun 2015 17:55:59 -0400
Subject: [PATCH 2/2] Create a protocols blacklist that should work in the same way as the ciphers one does.
---
.../com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java b/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
index cc631eac0..7967d0dd3 100644
--- a/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
+++ b/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java
@@ -80,6 +80,10 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 "TLSv1.2", "TLSv1.1", "TLSv1"
 };
 
+ protected static final String[] BLACKLISTED_PROTOCOLS = {
+ "SSLv3"
+ };
+
 static {
 String[] enabledCiphers = null;
 String[] supportedProtocols = null;
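Review bot: BLACKLISTED_PROTOCOLS in the `@@ -80` hunk names only `"SSLv3"`, and the existence of this second patch (SSLv3 was already dropped from ORDERED_KNOWN_PROTOCOLS in the first one) implies that `reorder` keeps names that appear in neither list, so anything else the platform returns from getSupportedProtocols() stays enabled by default. On Oracle/OpenJDK JSSE that set can include the `"SSLv2Hello"` pseudo-protocol, which governs the hello record format rather than a real protocol version; whether Android's provider reports it I cannot tell from here, but an extra blacklist entry is harmless: `"SSLv3", "SSLv2Hello"`. The new field also has no comment saying what the list means; I would add `// Protocol names removed from the enabled set even when the platform reports them as supported.` above the declaration. The `static` initializer that consumes this list begins at the end of the hunk and continues beyond it.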
@@ -106,7 +110,7 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 reorder(enabledCiphers, ORDERED_KNOWN_CIPHERS, BLACKLISTED_CIPHERS);
 
 ENABLED_PROTOCOLS = (supportedProtocols == null) ? null :
- reorder(supportedProtocols, ORDERED_KNOWN_PROTOCOLS, null);
+ reorder(supportedProtocols, ORDERED_KNOWN_PROTOCOLS, BLACKLISTED_PROTOCOLS);
 }
 
 public DefaultTrustedSocketFactory(Context context) {
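Review bot: The changed call passes BLACKLISTED_PROTOCOLS without any comment, and because this initializer starts from `supportedProtocols` (while the cipher line above starts from `enabledCiphers`) the blacklist is the only thing keeping SSLv3 out of ENABLED_PROTOCOLS on a platform that still supports it; that is worth stating at the point of use. I would add above the assignment: `// Start from everything the platform supports, then drop BLACKLISTED_PROTOCOLS; stays null when no supported list was obtained.` One further check, hedged because `reorder` is not visible here: if filtering can ever yield an empty array, a later setEnabledProtocols() call would presumably reject it, so a guard or a comment stating that this cannot happen would be useful. The static initializer containing these lines begins before this hunk.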