tree 096bbd6e58a842a3c4da61179c0f47f29259e6e8
parent e78f117bcbd6b57d783737107f445ef75ecb474a
author Neil Fuller <nfuller@google.com> 1421862479 +0000
committer Neil Fuller <nfuller@google.com> 1421921504 +0000

Tidy up HttpsHandler / HttpHandler and change defaults

OkHttp was recently upgraded in AOSP. This is a tidy-up
change to correct some defaults and improve documentation
of Android settings.

Besides better docs this change mostly focuses on
ConnectionSpecs.

OkHttp now has a set of default ConnectionSpecs. ConnectionSpecs
control TLS version and cipher suite selection during connection
negotiations.

The defaults are not what we want on Android:

Historically, it looks like we don't want HttpsURLConnection
being redirected to http:// addresses, and HttpURLConnections
being redirected to https://. This means that we can
exclude any TLS-based ConnectionSpecs from HttpHandler, and
cleartext-based ConnectionSpecs from HttpsHandler making that
choice even more explicit.

TLS versions:

The upgrade effectively had a side-effect of disabling SSLv3
in all cases. On Android we disable SSLv3 in the default socket
factory (getEnabledProtocols()), but it is still supported on
the socket (getSupportedProtocols()).

In the L release, OkHttp would use the default TLS versions
for the initial connection and SSLv3 only for the fallback
(i.e. with the default socket factory it would turn it back on
for the fallback connection).

This change allows for applications that may need to use SSLv3.
SSLv3 will only be used if there is an installed socket factory
that enables it by default.

There should be a future change coming to upstream that will
further alter this behavior because OkHttp will still make
multiple attempts to connect when it knows it won't work.

Ciphers:

OkHttp is opinionated about the cipher suites to enable
on a socket. On Android, we want the SocketFactory to determine
the set of acceptable ciphers and we should just use the default
enabled set (because the default set may be better than the
set known when the device shipped, e.g. the socket factory may
come from GMS or be installed by an app and therefore provide better
ciphers or disable ones that have been found to be broken).

This change fixes two failing tests in
libcore.java.net.URLConnectionTest due to the TLS version
changes.

Change-Id: Iefc77746695b307a1222faf336d9d6452e974810
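
The distinction the message draws between getEnabledProtocols() and getSupportedProtocols(), and the policy of deferring to the socket factory's defaults, as an added example that is not part of this commit or of OkHttp. It uses only JDK javax.net.ssl calls; the class name, helper names and the preference list are hypothetical.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class FactoryDefaults {
    /** Protocols the socket can speak but that the factory leaves off by default. */
    static Set<String> supportedButNotEnabled(SSLSocket socket) {
        Set<String> extra = new LinkedHashSet<>(Arrays.asList(socket.getSupportedProtocols()));
        extra.removeAll(Arrays.asList(socket.getEnabledProtocols()));
        return extra;
    }

    /**
     * Hypothetical helper: restricts a caller's preferred protocol list to what the
     * factory enabled by default, so a protocol that is only "supported" stays off.
     */
    static String[] restrictToEnabled(SSLSocket socket, String... preferred) {
        Set<String> allowed = new LinkedHashSet<>(Arrays.asList(preferred));
        allowed.retainAll(Arrays.asList(socket.getEnabledProtocols()));
        return allowed.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected socket: enough to read the factory's defaults, no network needed.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println("enabled protocols:   " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("supported, disabled: " + supportedButNotEnabled(socket));

            // Constructed preference list; "SSLv3" survives only if the factory enables it.
            String[] protocols = restrictToEnabled(socket, "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");
            if (protocols.length == 0) {
                throw new IllegalStateException("no acceptable TLS version enabled by the factory");
            }
            socket.setEnabledProtocols(protocols);

            // Ciphers: keep the factory's default enabled set rather than a hardcoded list.
            socket.setEnabledCipherSuites(factory.getDefaultCipherSuites());
            System.out.println("using protocols:     " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("cipher suites kept:  " + socket.getEnabledCipherSuites().length);
        }
    }
}
```

Run against different installed socket factories, the "supported, disabled" line shows which protocol versions a client would re-enable if it configured sockets from the supported list instead of the enabled one.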
