Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
| 3 | * contributor license agreements. See the NOTICE file distributed with |
| 4 | * this work for additional information regarding copyright ownership. |
| 5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
| 6 | * (the "License"); you may not use this file except in compliance with |
| 7 | * the License. You may obtain a copy of the License at |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
Tobias Thierer | fd27541 | 2017-04-11 21:01:50 +0100 | [diff] [blame] | 18 | package libcore.net.http; |
| 19 | |
| 20 | import com.squareup.okhttp.CertificatePinner; |
| 21 | import com.squareup.okhttp.ConnectionSpec; |
| 22 | import com.squareup.okhttp.ConnectionSpecs; |
| 23 | import com.squareup.okhttp.OkHttpClient; |
| 24 | import com.squareup.okhttp.OkUrlFactories; |
| 25 | import com.squareup.okhttp.OkUrlFactory; |
| 26 | import com.squareup.okhttp.Protocol; |
Tobias Thierer | 08635e6 | 2017-08-29 19:34:12 +0100 | [diff] [blame^] | 27 | import com.squareup.okhttp.ConfigAwareConnectionPool; |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 28 | |
| 29 | import java.net.Proxy; |
Tobias Thierer | d9a7a71 | 2016-10-17 17:51:32 +0100 | [diff] [blame] | 30 | import java.util.Collections; |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 31 | import java.util.List; |
| 32 | |
| 33 | import javax.net.ssl.HttpsURLConnection; |
| 34 | |
| 35 | public final class HttpsHandler extends HttpHandler { |
| 36 | |
| 37 | /** |
Tobias Thierer | d9a7a71 | 2016-10-17 17:51:32 +0100 | [diff] [blame] | 38 | * The connection spec to use when connecting to an https:// server. Note that Android does |
| 39 | * not set the cipher suites or TLS versions to use so the socket's defaults will be used |
| 40 | * instead. When the SSLSocketFactory is provided by the app or GMS core we will not |
| 41 | * override the enabled ciphers or TLS versions set on the sockets it produces with a |
| 42 | * list hardcoded at release time. This is deliberate. |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 43 | */ |
Tobias Thierer | fd27541 | 2017-04-11 21:01:50 +0100 | [diff] [blame] | 44 | private static final ConnectionSpec TLS_CONNECTION_SPEC = ConnectionSpecs.builder(true) |
Tobias Thierer | d9a7a71 | 2016-10-17 17:51:32 +0100 | [diff] [blame] | 45 | .allEnabledCipherSuites() |
| 46 | .allEnabledTlsVersions() |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 47 | .supportsTlsExtensions(true) |
| 48 | .build(); |
| 49 | |
Tobias Thierer | d9a7a71 | 2016-10-17 17:51:32 +0100 | [diff] [blame] | 50 | private static final List<Protocol> HTTP_1_1_ONLY = |
| 51 | Collections.singletonList(Protocol.HTTP_1_1); |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 52 | |
| 53 | private final ConfigAwareConnectionPool configAwareConnectionPool = |
| 54 | ConfigAwareConnectionPool.getInstance(); |
| 55 | |
| 56 | @Override protected int getDefaultPort() { |
| 57 | return 443; |
| 58 | } |
| 59 | |
| 60 | @Override |
| 61 | protected OkUrlFactory newOkUrlFactory(Proxy proxy) { |
| 62 | OkUrlFactory okUrlFactory = createHttpsOkUrlFactory(proxy); |
| 63 | // For HttpsURLConnections created through java.net.URL Android uses a connection pool that |
| 64 | // is aware when the default network changes so that pooled connections are not re-used when |
| 65 | // the default network changes. |
| 66 | okUrlFactory.client().setConnectionPool(configAwareConnectionPool.get()); |
| 67 | return okUrlFactory; |
| 68 | } |
| 69 | |
| 70 | /** |
| 71 | * Creates an OkHttpClient suitable for creating {@link HttpsURLConnection} instances on |
| 72 | * Android. |
| 73 | */ |
| 74 | // Visible for android.net.Network. |
| 75 | public static OkUrlFactory createHttpsOkUrlFactory(Proxy proxy) { |
| 76 | // The HTTPS OkHttpClient is an HTTP OkHttpClient with extra configuration. |
| 77 | OkUrlFactory okUrlFactory = HttpHandler.createHttpOkUrlFactory(proxy); |
| 78 | |
| 79 | // All HTTPS requests are allowed. |
Tobias Thierer | fd27541 | 2017-04-11 21:01:50 +0100 | [diff] [blame] | 80 | OkUrlFactories.setUrlFilter(okUrlFactory, null); |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 81 | |
| 82 | OkHttpClient okHttpClient = okUrlFactory.client(); |
| 83 | |
| 84 | // Only enable HTTP/1.1 (implies HTTP/1.0). Disable SPDY / HTTP/2.0. |
| 85 | okHttpClient.setProtocols(HTTP_1_1_ONLY); |
| 86 | |
Tobias Thierer | d9a7a71 | 2016-10-17 17:51:32 +0100 | [diff] [blame] | 87 | okHttpClient.setConnectionSpecs(Collections.singletonList(TLS_CONNECTION_SPEC)); |
Tobias Thierer | 5be1851 | 2016-06-24 19:23:19 +0100 | [diff] [blame] | 88 | |
| 89 | // Android support certificate pinning via NetworkSecurityConfig so there is no need to |
| 90 | // also expose OkHttp's mechanism. The OkHttpClient underlying https HttpsURLConnections |
| 91 | // in Android should therefore always use the default certificate pinner, whose set of |
| 92 | // {@code hostNamesToPin} is empty. |
| 93 | okHttpClient.setCertificatePinner(CertificatePinner.DEFAULT); |
| 94 | |
| 95 | // OkHttp does not automatically honor the system-wide HostnameVerifier set with |
| 96 | // HttpsURLConnection.setDefaultHostnameVerifier(). |
| 97 | okUrlFactory.client().setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier()); |
| 98 | // OkHttp does not automatically honor the system-wide SSLSocketFactory set with |
| 99 | // HttpsURLConnection.setDefaultSSLSocketFactory(). |
| 100 | // See https://github.com/square/okhttp/issues/184 for details. |
| 101 | okHttpClient.setSslSocketFactory(HttpsURLConnection.getDefaultSSLSocketFactory()); |
| 102 | |
| 103 | return okUrlFactory; |
| 104 | } |
| 105 | } |