feat: #420 implement blacklist to disable unsafe SSL/TLS protocol versions on Android

2026-04-24 00:00:03 +08:00 · 2021-07-15 04:00:35 +02:00
parent 9d6005af29
commit bda4eedfb9
8 changed files with 69 additions and 22 deletions
@@ -104,9 +104,17 @@ const helpers = {

    return buffer;
  },
+  isTlsBlacklistSupported: function () {
+    if (window.cordova && window.cordova.platformId === 'android') {
+      return true;
+    }
+
+    return false;
+  }
 };

 const messageFactory = {
+  handshakeFailed: function() { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: Handshake failed' },
  sslTrustAnchor: function () { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.' },
  invalidCertificate: function (domain) { return 'The certificate for this server is invalid. You might be connecting to a server that is pretending to be “' + domain + '” which could put your confidential information at risk.' }
 }
@@ -1014,8 +1022,7 @@ const tests = [
    before: helpers.setRawSerializer,
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }

      var targetUrl = 'http://httpbin.org/post';
@@ -1036,8 +1043,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }
      var url = 'https://httpbin.org/drip?duration=2&numbytes=10&code=200';
      var options = { method: 'get', responseType: 'blob' };
@@ -1064,8 +1070,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }
      var sourceUrl = 'http://httpbin.org/xml';
      var targetPath = cordova.file.cacheDirectory + 'test.xml';
@@ -1097,8 +1102,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }


@@ -1148,6 +1152,21 @@ const tests = [
      }
    }
  },
+  {
+    description: 'should reject connecting to server with blacklisted SSL version #420',
+    expected: 'rejected: {"status":-2, ...',
+    func: function (resolve, reject, skip) {
+      if (!helpers.isTlsBlacklistSupported()) {
+        return skip();
+      }
+
+      cordova.plugin.http.get('https://tls-v1-0.badssl.com:1010/', {}, {}, resolve, reject);
+    },
+    validationFunc: function (driver, result) {
+      result.type.should.be.equal('rejected');
+      result.data.should.be.eql({ status: -2, error: messageFactory.handshakeFailed() });
+    }
+  },
 ];

 if (typeof module !== 'undefined' && module.exports) {