filter enabled cipher suites by availability

2024-12-26 01:28:50 -05:00 · 2013-10-20 10:22:53 +02:00 · 2013-10-20 10:22:53 +02:00 · dbc47c7297
commit dbc47c7297
parent d84ce6ddb9
1 changed files with 45 additions and 17 deletions
--- a/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java
+++ b/src/com/fsck/k9/mail/transport/TrustedSocketFactory.java
@ -16,27 +16,53 @@ import java.net.UnknownHostException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.*;

 public class TrustedSocketFactory implements LayeredSocketFactory {
    private SSLSocketFactory mSocketFactory;
    private org.apache.http.conn.ssl.SSLSocketFactory mSchemeSocketFactory;

-    protected static final String ENABLED_CIPHERS[] = {
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_RSA_WITH_AES_256_CBC_SHA",
-        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_RC4_128_SHA",
-        "SSL_RSA_WITH_RC4_128_MD5",
-    };
+	protected static final String ENABLED_CIPHERS[];
+
+    static {
+        List<String> enabledCiphers = new ArrayList<String>();
+        try {
+            String preferredCiphers[] = {
+                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+                "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+                "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+                "TLS_RSA_WITH_AES_128_CBC_SHA",
+                "TLS_RSA_WITH_AES_256_CBC_SHA",
+                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
+                "SSL_RSA_WITH_RC4_128_SHA",
+                "SSL_RSA_WITH_RC4_128_MD5",
+            };
+
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, null, new SecureRandom());
+            SSLSocketFactory sf = sslContext.getSocketFactory();
+            Set<String> supportedCiphers = new HashSet<String>();
+            Collections.addAll(supportedCiphers, sf.getSupportedCipherSuites());
+
+            for (String preferredCipher : preferredCiphers) {
+                if (supportedCiphers.contains(preferredCipher)) {
+                    enabledCiphers.add(preferredCipher);
+                }
+            }
+        } catch (KeyManagementException kme) {
+            kme.printStackTrace();
+        } catch (NoSuchAlgorithmException nsae) {
+            nsae.printStackTrace();
+        }
+        ENABLED_CIPHERS = enabledCiphers.isEmpty() ? null :
+            enabledCiphers.toArray(new String[enabledCiphers.size()]);
+    }

    protected static final String ENABLED_PROTOCOLS[] = {
        "TLSv1.2", "TLSv1.1", "TLSv1"
@ -68,7 +94,9 @@ public class TrustedSocketFactory implements LayeredSocketFactory {
    }

    public static void hardenSocket(SSLSocket sock) {
-        sock.setEnabledCipherSuites(ENABLED_CIPHERS);
+        if (ENABLED_CIPHERS != null) {
+            sock.setEnabledCipherSuites(ENABLED_CIPHERS);
+        }
        sock.setEnabledProtocols(ENABLED_PROTOCOLS);
    }