From beae854526ce1fc04d9aa1efe979099e5f13ce42 Mon Sep 17 00:00:00 2001 From: Andrew Stephan Date: Mon, 18 Jul 2016 15:42:30 -0400 Subject: [PATCH 1/4] updates to only allow tlsv1.1 and tlsv1.2
---
 plugin.xml | 3 +- .../synconset/CordovaHTTP/HttpRequest.java | 4 +- .../CordovaHTTP/TLSSocketFactory.java | 63 +++++++++++++++++++ 3 files changed, 67 insertions(+), 3 deletions(-) create mode 100644 src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
diff --git a/plugin.xml b/plugin.xml
index 06203f6..fc26d9c 100644
--- a/plugin.xml
+++ b/plugin.xml
@@ -2,7 +2,7 @@ + version="1.2.0"> SSL Pinning
@@ -78,5 +78,6 @@ +
diff --git a/src/android/com/synconset/CordovaHTTP/HttpRequest.java b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
index 78dce7a..d6ac37b 100644
--- a/src/android/com/synconset/CordovaHTTP/HttpRequest.java
+++ b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
@@ -305,7 +305,7 @@ public class HttpRequest {
 try {
 SSLContext context = SSLContext.getInstance("TLS");
 context.init(null, trustAllCerts, new SecureRandom());
- TRUSTED_FACTORY = context.getSocketFactory();
+ TRUSTED_FACTORY = new TLSSocketFactory(context);
 } catch (GeneralSecurityException e) {
 IOException ioException = new IOException(
 "Security exception configuring SSL context");
@@ -455,7 +455,7 @@ public class HttpRequest {
 // Create an SSLContext that uses our TrustManager
 SSLContext sslContext = SSLContext.getInstance("TLS");
 sslContext.init(null, tmf.getTrustManagers(), null);
- PINNED_FACTORY = sslContext.getSocketFactory();
+ PINNED_FACTORY = new TLSSocketFactory(context);
 }
 /**
diff --git a/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java b/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
new file mode 100644
index 0000000..b8806df
--- /dev/null
+++ b/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
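Review bot: In the first hunk the new `TLSSocketFactory` wraps a context that was initialised with `trustAllCerts`, so raising the protocol floor does not harden that path: every server certificate is still accepted, and an interceptor merely has to speak TLS 1.1 or 1.2. That weakness is pre-existing, but after this change the trust-all factory is built exactly like the pinned one, so the assignment deserves a warning such as `// NOTE: protocol floor only; trustAllCerts still disables certificate validation on this factory.` The try block of the first hunk and the addCert method of the second both begin before their hunks.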
@@ -0,0 +1,63 @@
+package com.github.kevinsawicki.http;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+public class TLSSocketFactory extends SSLSocketFactory {
+
+ private SSLSocketFactory internalSSLSocketFactory;
+
+ public TLSSocketFactory(SSLContext context) {
+ internalSSLSocketFactory = context.getSocketFactory();
+ }
+
+ @Override
+ public String[] getDefaultCipherSuites() {
+ return internalSSLSocketFactory.getDefaultCipherSuites();
+ }
+
+ @Override
+ public String[] getSupportedCipherSuites() {
+ return internalSSLSocketFactory.getSupportedCipherSuites();
+ }
+
+ @Override
+ public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+ return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
+ }
+
+ @Override
+ public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+ return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
+ }
+
+ @Override
+ public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
+ return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
+ }
+
+ @Override
+ public Socket createSocket(InetAddress host, int port) throws IOException {
+ return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
+ }
+
+ @Override
+ public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
+ return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
+ }
+
+ private Socket enableTLSOnSocket(Socket socket) {
+ if(socket != null && (socket instanceof SSLSocket)) {
+ ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
+ }
+ return socket;
+ }
+}
\ No newline at end of file
From 4c26dd793e306c5d1f1aca73bc86ee9da80c6578 Mon Sep 17 00:00:00 2001 From: Andrew Stephan Date: Mon, 18 Jul 2016 15:56:11 -0400 Subject: [PATCH 2/4] fixed var name
---
 src/android/com/synconset/CordovaHTTP/HttpRequest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/android/com/synconset/CordovaHTTP/HttpRequest.java b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
index d6ac37b..3bb642d 100644
--- a/src/android/com/synconset/CordovaHTTP/HttpRequest.java
+++ b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
@@ -455,7 +455,7 @@ public class HttpRequest {
 // Create an SSLContext that uses our TrustManager
 SSLContext sslContext = SSLContext.getInstance("TLS");
 sslContext.init(null, tmf.getTrustManagers(), null);
- PINNED_FACTORY = new TLSSocketFactory(context);
+ PINNED_FACTORY = new TLSSocketFactory(sslContext);
 }
 /**
From 9a65da55c91ea3e84d4db691869f961bef7dccec Mon Sep 17 00:00:00 2001 From: Andrew Stephan Date: Wed, 20 Jul 2016 11:55:49 -0400 Subject: [PATCH 3/4] only use custom factory for API Levels < 20
---
 .../com/synconset/CordovaHTTP/HttpRequest.java | 18 ++++++++++++++---- .../CordovaHTTP/TLSSocketFactory.java | 2 +- zedconfig.json | 2 +- 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/android/com/synconset/CordovaHTTP/HttpRequest.java b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
index 3bb642d..8016504 100644
--- a/src/android/com/synconset/CordovaHTTP/HttpRequest.java
+++ b/src/android/com/synconset/CordovaHTTP/HttpRequest.java
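Review bot: `enableTLSOnSocket` hard-codes `{"TLSv1.1", "TLSv1.2"}`, and `SSLSocket.setEnabledProtocols` throws `IllegalArgumentException` for any name the socket does not support, so on a device that lacks either version every `createSocket` overload fails with an unchecked exception instead of the `IOException` those methods already declare. Intersect the wanted list with `getSupportedProtocols()` and fail closed with an `IOException` when nothing usable remains, as sketched below (it needs `java.util.Arrays`), rather than ever falling back to the platform defaults. The no-argument `createSocket()` is not overridden, so callers of that overload get whatever `SSLSocketFactory` inherits for it (typically an exception) — delegate it like the other five, and `internalSSLSocketFactory` can be `final`. `KeyManagementException` and `NoSuchAlgorithmException` are imported but unused, and `package com.github.kevinsawicki.http` must match the package `HttpRequest.java` in the same target directory declares, which is not visible in this diff.
```java
private static final String[] WANTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"};

// … unchanged: constructor, cipher-suite getters, the five createSocket overloads …

private Socket enableTLSOnSocket(Socket socket) throws IOException {
    if (!(socket instanceof SSLSocket)) {
        return socket;
    }
    SSLSocket ssl = (SSLSocket) socket;
    String[] supported = ssl.getSupportedProtocols();
    String[] enabled = new String[WANTED_PROTOCOLS.length];
    int n = 0;
    for (String wanted : WANTED_PROTOCOLS) {
        for (String s : supported) {
            if (wanted.equals(s)) {
                enabled[n++] = wanted;
                break;
            }
        }
    }
    if (n == 0) {
        // Fail closed: never leave the platform defaults (which may include SSLv3) enabled.
        throw new IOException("None of " + Arrays.toString(WANTED_PROTOCOLS) + " is supported on this device");
    }
    ssl.setEnabledProtocols(Arrays.copyOf(enabled, n));
    return socket;
}
```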
@@ -305,7 +305,12 @@ public class HttpRequest {
 try {
 SSLContext context = SSLContext.getInstance("TLS");
 context.init(null, trustAllCerts, new SecureRandom());
- TRUSTED_FACTORY = new TLSSocketFactory(context);
+
+ if (android.os.Build.VERSION.SDK_INT < 20) {
+ TRUSTED_FACTORY = new TLSSocketFactory(context);
+ } else {
+ TRUSTED_FACTORY = context.getSocketFactory();
+ }
 } catch (GeneralSecurityException e) {
 IOException ioException = new IOException(
 "Security exception configuring SSL context");
@@ -436,7 +441,7 @@ public class HttpRequest {
 */
 public static void addCert(Certificate ca) throws GeneralSecurityException, IOException {
 if (PINNED_CERTS == null) {
- PINNED_CERTS = new ArrayList();
+ PINNED_CERTS = new ArrayList();
 }
 PINNED_CERTS.add(ca);
 String keyStoreType = KeyStore.getDefaultType();
@@ -444,7 +449,7 @@ public class HttpRequest {
 keyStore.load(null, null);
 for (int i = 0; i < PINNED_CERTS.size(); i++) {
- keyStore.setCertificateEntry("CA" + i, PINNED_CERTS.get(i));
+ keyStore.setCertificateEntry("CA" + i, PINNED_CERTS.get(i));
 }
 // Create a TrustManager that trusts the CAs in our KeyStore
@@ -455,7 +460,12 @@ public class HttpRequest {
 // Create an SSLContext that uses our TrustManager
 SSLContext sslContext = SSLContext.getInstance("TLS");
 sslContext.init(null, tmf.getTrustManagers(), null);
- PINNED_FACTORY = new TLSSocketFactory(sslContext);
+
+ if (android.os.Build.VERSION.SDK_INT < 20) {
+ PINNED_FACTORY = new TLSSocketFactory(sslContext);
+ } else {
+ PINNED_FACTORY = sslContext.getSocketFactory();
+ }
 }
 /**
diff --git a/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java b/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
index b8806df..8d3170f 100644
--- a/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
+++ b/src/android/com/synconset/CordovaHTTP/TLSSocketFactory.java
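Review bot: The `SDK_INT < 20` selection is now written out twice with an unexplained literal, once for `TRUSTED_FACTORY` in the first hunk and once for `PINNED_FACTORY` in the last; a single helper keeps the two paths from drifting and gives the threshold a place for its rationale (the series' own changelog says the wrapper targets API 16–19 and drops SSLv3 below 20, which is the only justification visible here). There is also no lower bound: if the plugin's minSdk is below the first level that implements TLSv1.1/1.2, `setEnabledProtocols` inside `TLSSocketFactory` throws at connect time on those devices, which is worth confirming against plugin.xml (not in this hunk). Both factory assignments sit in methods whose signatures are outside the hunks.
```java
/**
 * Picks the socket factory for this device. Below API 20 the context's default
 * factory is wrapped so that TLSv1.1/TLSv1.2 are enabled and SSLv3 is not
 * (see CHANGELOG v1.2.0); from API 20 the default factory is used as-is.
 */
private static SSLSocketFactory socketFactoryFor(SSLContext context) {
    if (android.os.Build.VERSION.SDK_INT < 20) {
        return new TLSSocketFactory(context);
    }
    return context.getSocketFactory();
}

// … unchanged: trust-all context setup …
TRUSTED_FACTORY = socketFactoryFor(context);

// … unchanged: pinned context setup in addCert …
PINNED_FACTORY = socketFactoryFor(sslContext);
```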
@@ -56,7 +56,7 @@ public class TLSSocketFactory extends SSLSocketFactory {
 private Socket enableTLSOnSocket(Socket socket) {
 if(socket != null && (socket instanceof SSLSocket)) {
- ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
+ ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
 }
 return socket;
 }
diff --git a/zedconfig.json b/zedconfig.json
index 3f52390..e6a16fa 100644
--- a/zedconfig.json
+++ b/zedconfig.json
@@ -1,6 +1,6 @@
 {
 "preferences": {
- "tabSize": 4,
+ "tabSize": 2,
 "wordWrap": true,
 "useSoftTabs": true,
 "gotoExclude": []
From 0e4624f627a1a9922158ea809cd0bdc09cf72fc6 Mon Sep 17 00:00:00 2001 From: Andrew Stephan Date: Wed, 20 Jul 2016 12:05:11 -0400 Subject: [PATCH 4/4] updated changelong
---
 CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a58602..9b848f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
+## v1.2.0
+
+- Added support for TLSv1.1 and TLSv1.2 for android versions 4.1-4.4 (API levels 16-19)
+
+### Potentially Breaking Changes that really shouldn't matter because you shouldn't be using SSLv3
+
+- Dropped SSLv3 support for all API Levels < 20. It will now only work on API Levels 20-22.
+
 ## v1.1.0
 - Fixed the body of errors not being returned in iOS
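Review bot: Re-adding `"TLSv1"` to the enabled list means the series no longer does what its subject says ("only allow tlsv1.1 and tlsv1.2"), and the v1.2.0 changelog entry in this same series records the added 1.1/1.2 support and the dropped SSLv3 but not that TLS 1.0 remains negotiable on API < 20. If TLS 1.0 is kept deliberately for servers that cannot yet negotiate 1.1+, say so next to the list, e.g. `// TLSv1 kept for servers that still lack 1.1/1.2; SSLv3 is deliberately excluded — drop TLSv1 once possible.`, and mirror it in the changelog so integrators are not misled. The list is still hard-coded, so a socket that does not support one of the names makes `setEnabledProtocols` throw `IllegalArgumentException` rather than an `IOException`; filtering the list through `getSupportedProtocols()` first avoids that. `enableTLSOnSocket` is entirely inside the hunk.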