Drop insecure TLS protocol version fallback

This CL changes HttpsURLConnection, through HttpsHandler, to no
longer perform insecure TLS protocol version fallbacks. The
remaining ConnectionSpec is also changed such that enabled TLS
protocols are no longer hard coded; instead, it now allows all
protocols that are enabled in the underlying SSLSocketFactory.

Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases

Bug: 30185435
Bug: 30694151

Change-Id: Ib317f19cfa97fe2571870e7fe7a80ec024e69b87
diff --git a/android/main/java/com/squareup/okhttp/HttpsHandler.java b/android/main/java/com/squareup/okhttp/HttpsHandler.java
index ca5048b..3915df1 100644
--- a/android/main/java/com/squareup/okhttp/HttpsHandler.java
+++ b/android/main/java/com/squareup/okhttp/HttpsHandler.java
@@ -18,7 +18,7 @@
 package com.squareup.okhttp;
 
 import java.net.Proxy;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 import javax.net.ssl.HttpsURLConnection;
@@ -26,40 +26,20 @@
 public final class HttpsHandler extends HttpHandler {
 
     /**
-     * The initial connection spec to use when connecting to an https:// server, and the prototype
-     * for the others below. Note that Android does not set the cipher suites to use so the socket's
-     * defaults enabled cipher suites will be used instead. When the SSLSocketFactory is provided by
-     * the app or GMS core we will not override the enabled ciphers set on the sockets it produces
-     * with a list hardcoded at release time. This is deliberate.
-     * For the TLS versions we <em>will</em> select a known subset from the set of enabled TLS
-     * versions on the socket.
+     * The connection spec to use when connecting to an https:// server. Note that Android does
+     * not set the cipher suites or TLS versions to use so the socket's defaults will be used
+     * instead. When the SSLSocketFactory is provided by the app or GMS core we will not
+     * override the enabled ciphers or TLS versions set on the sockets it produces with a
+     * list hardcoded at release time. This is deliberate.
      */
-    private static final ConnectionSpec TLS_1_2_AND_BELOW = new ConnectionSpec.Builder(true)
-        .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
-        .supportsTlsExtensions(true)
-        .build();
-
-    private static final ConnectionSpec TLS_1_1_AND_BELOW =
-        new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
-            .tlsVersions(TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+    private static final ConnectionSpec TLS_CONNECTION_SPEC = new ConnectionSpec.Builder(true)
+            .allEnabledCipherSuites()
+            .allEnabledTlsVersions()
             .supportsTlsExtensions(true)
             .build();
 
-    private static final ConnectionSpec TLS_1_0_AND_BELOW =
-        new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
-            .tlsVersions(TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
-            .build();
-
-    private static final ConnectionSpec SSL_3_0 =
-        new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
-            .tlsVersions(TlsVersion.SSL_3_0)
-            .build();
-
-    /** Try up to 4 times to negotiate a connection with each server. */
-    private static final List<ConnectionSpec> SECURE_CONNECTION_SPECS =
-        Arrays.asList(TLS_1_2_AND_BELOW, TLS_1_1_AND_BELOW, TLS_1_0_AND_BELOW, SSL_3_0);
-
-    private static final List<Protocol> HTTP_1_1_ONLY = Arrays.asList(Protocol.HTTP_1_1);
+    private static final List<Protocol> HTTP_1_1_ONLY =
+            Collections.singletonList(Protocol.HTTP_1_1);
 
     private final ConfigAwareConnectionPool configAwareConnectionPool =
             ConfigAwareConnectionPool.getInstance();
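Review bot: The new Javadoc on `TLS_CONNECTION_SPEC` says where the cipher suites and TLS versions come from, but not the property this commit exists to guarantee: there is now a single spec, so a failed handshake is never retried at a lower protocol version. I would add a sentence such as `There is deliberately only one spec: a failed handshake is never retried with a lower TLS version.` so that a later change does not quietly reintroduce a fallback list. The comment should also state that, with `allEnabledTlsVersions()`, the minimum protocol version is whatever the SSLSocketFactory leaves enabled. A factory that still enables SSLv3 will therefore offer it, and restricting that is the factory's responsibility. No test is visible in this diff, so it may be worth confirming that one asserts only a single handshake attempt is made against a server that rejects the first.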
@@ -95,8 +75,7 @@
         // Only enable HTTP/1.1 (implies HTTP/1.0). Disable SPDY / HTTP/2.0.
         okHttpClient.setProtocols(HTTP_1_1_ONLY);
 
-        // Use Android's preferred fallback approach and cipher suite selection.
-        okHttpClient.setConnectionSpecs(SECURE_CONNECTION_SPECS);
+        okHttpClient.setConnectionSpecs(Collections.singletonList(TLS_CONNECTION_SPEC));
 
         // Android support certificate pinning via NetworkSecurityConfig so there is no need to
         // also expose OkHttp's mechanism. The OkHttpClient underlying https HttpsURLConnections
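Review bot: The list passed to `setConnectionSpecs` is built with `Collections.singletonList(TLS_CONNECTION_SPEC)` on every call, while the protocol list beside it is the shared constant `HTTP_1_1_ONLY`. For consistency I would hoist it to `private static final List<ConnectionSpec> TLS_CONNECTION_SPECS = Collections.singletonList(TLS_CONNECTION_SPEC);` and pass that constant here. The removed comment about the fallback approach has no replacement, so a short one such as `// Single spec: no TLS version fallback.` would keep the intent visible at the call site. The enclosing method starts and ends outside this hunk.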