package eu.siacs.conversations.utils; import android.util.Log; import java.lang.reflect.Method; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import java.util.Collection; import java.util.LinkedList; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import eu.siacs.conversations.Config; import eu.siacs.conversations.entities.Account; public class SSLSocketHelper { public static void setSecurity(final SSLSocket sslSocket) { final String[] supportProtocols; final Collection supportedProtocols = new LinkedList<>( Arrays.asList(sslSocket.getSupportedProtocols())); supportedProtocols.remove("SSLv3"); supportProtocols = supportedProtocols.toArray(new String[supportedProtocols.size()]); sslSocket.setEnabledProtocols(supportProtocols); final String[] cipherSuites = CryptoHelper.getOrderedCipherSuites( sslSocket.getSupportedCipherSuites()); if (cipherSuites.length > 0) { sslSocket.setEnabledCipherSuites(cipherSuites); } } public static void setSNIHost(final SSLSocketFactory factory, final SSLSocket socket, final String hostname) { if (factory instanceof android.net.SSLCertificateSocketFactory) { ((android.net.SSLCertificateSocketFactory) factory).setHostname(socket, hostname); } } public static void setAlpnProtocol(final SSLSocketFactory factory, final SSLSocket socket, final String protocol) { try { if (factory instanceof android.net.SSLCertificateSocketFactory && android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.KITKAT) { // can't call directly because of @hide? //((android.net.SSLCertificateSocketFactory)factory).setAlpnProtocols(new byte[][]{protocol.getBytes("UTF-8")}); android.net.SSLCertificateSocketFactory.class.getMethod("setAlpnProtocols", byte[][].class).invoke(socket, new Object[]{new byte[][]{protocol.getBytes("UTF-8")}}); } else { final Method method = socket.getClass().getMethod("setAlpnProtocols", byte[].class); // the concatenation of 8-bit, length prefixed protocol names, just one in our case... // http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-4 final byte[] protocolUTF8Bytes = protocol.getBytes("UTF-8"); final byte[] lengthPrefixedProtocols = new byte[protocolUTF8Bytes.length + 1]; lengthPrefixedProtocols[0] = (byte) protocol.length(); // cannot be over 255 anyhow System.arraycopy(protocolUTF8Bytes, 0, lengthPrefixedProtocols, 1, protocolUTF8Bytes.length); method.invoke(socket, new Object[]{lengthPrefixedProtocols}); } } catch (Throwable e) { // ignore any error, we just can't set the alpn protocol... } } public static SSLContext getSSLContext() throws NoSuchAlgorithmException { return SSLContext.getInstance("TLSv1.3"); } public static void log(Account account, SSLSocket socket) { SSLSession session = socket.getSession(); Log.d(Config.LOGTAG,account.getJid().asBareJid()+": protocol="+session.getProtocol()+" cipher="+session.getCipherSuite()); } }