From dbc47c7297b677636c7a242e386372f7f8236093 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A1s=20Veres-Szentkir=C3=A1lyi?= Date: Sun, 20 Oct 2013 10:22:53 +0200 Subject: [PATCH] filter enabled cipher suites by availability --- .../mail/transport/TrustedSocketFactory.java | 62 ++++++++++++++----- 1 file changed, 45 insertions(+), 17 deletions(-) diff --git a/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java b/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java index 264874fb9..9a4d3d585 100644 --- a/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java +++ b/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java @@ -16,27 +16,53 @@ import java.net.UnknownHostException; import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; +import java.util.*; public class TrustedSocketFactory implements LayeredSocketFactory { private SSLSocketFactory mSocketFactory; private org.apache.http.conn.ssl.SSLSocketFactory mSchemeSocketFactory; - protected static final String ENABLED_CIPHERS[] = { - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_RC4_128_SHA", - "SSL_RSA_WITH_RC4_128_MD5", - }; + protected static final String ENABLED_CIPHERS[]; + + static { + List enabledCiphers = new ArrayList(); + try { + String preferredCiphers[] = { + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "SSL_RSA_WITH_3DES_EDE_CBC_SHA", + "SSL_RSA_WITH_RC4_128_SHA", + "SSL_RSA_WITH_RC4_128_MD5", + }; + + SSLContext sslContext = SSLContext.getInstance("TLS"); + sslContext.init(null, null, new SecureRandom()); + SSLSocketFactory sf = sslContext.getSocketFactory(); + Set supportedCiphers = new HashSet(); + Collections.addAll(supportedCiphers, sf.getSupportedCipherSuites()); + + for (String preferredCipher : preferredCiphers) { + if (supportedCiphers.contains(preferredCipher)) { + enabledCiphers.add(preferredCipher); + } + } + } catch (KeyManagementException kme) { + kme.printStackTrace(); + } catch (NoSuchAlgorithmException nsae) { + nsae.printStackTrace(); + } + ENABLED_CIPHERS = enabledCiphers.isEmpty() ? null : + enabledCiphers.toArray(new String[enabledCiphers.size()]); + } protected static final String ENABLED_PROTOCOLS[] = { "TLSv1.2", "TLSv1.1", "TLSv1" @@ -68,7 +94,9 @@ public class TrustedSocketFactory implements LayeredSocketFactory { } public static void hardenSocket(SSLSocket sock) { - sock.setEnabledCipherSuites(ENABLED_CIPHERS); + if (ENABLED_CIPHERS != null) { + sock.setEnabledCipherSuites(ENABLED_CIPHERS); + } sock.setEnabledProtocols(ENABLED_PROTOCOLS); }