TLSSocketFactory used for versions below Android 5.0 (API Level 21)



  • ... to enable protocols TLSv1.2 and TLSv1.1 (except for Android 4.0, API Level 15)

    Bugfix for issue https://github.com/bitfireAT/cadroid/issues/14


  • developer

    Thanks, I hope I can release a new version soon.



  • could you test it?


  • developer

    Thanks for the code. I have re-worked it somehow:

    1. The order of protocols and cipher suites is not taken into account by SSLSocketFactory. I haven't found this in the docs, so I have tried it myself and it doesn't matter in which order the enabled protocols/cipher suites are set. Even if you call getEnabledCipherSuites() immediately after setEnabledCipherSuites(), the underlying system has already changed the order.
    2. SSLv3 has been disabled as it shouldn't be used anymore.
    3. Why did you only use two cipher suites? I have now taken the cipher suites from DAVdroid (which are from a recent NIST recommendation), and they will be enabled in addition to all the cipher suites which are enabled by default for maximum compatibility.
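
The behaviour described in the post above (SSLv3 off, newer TLS versions on where the platform offers them, extra cipher suites added on top of the defaults), as an added example that is not CAdroid's code and not part of the thread. The class name `HardenedSocketFactory` and the two suite names in `EXTRA_SUITES` are assumptions; they are not the DAVdroid list.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.*;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical wrapper (not CAdroid's class): adjusts every socket the delegate creates. */
public class HardenedSocketFactory extends SSLSocketFactory {
    // Illustrative extras only (assumption); NOT the DAVdroid/NIST list mentioned in the thread.
    private static final List<String> EXTRA_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");
    private final SSLSocketFactory delegate;

    public HardenedSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    private Socket harden(Socket s) {
        if (!(s instanceof SSLSocket)) return s;
        SSLSocket ssl = (SSLSocket) s;
        // Enable whatever the platform reports as supported (this picks up TLSv1.1 and
        // TLSv1.2 where they exist but are off by default), then drop SSLv3.
        Set<String> protocols = new LinkedHashSet<>(Arrays.asList(ssl.getSupportedProtocols()));
        protocols.remove("SSLv3");
        ssl.setEnabledProtocols(protocols.toArray(new String[0]));
        // Keep the default suites and add only extras the platform supports:
        // setEnabledCipherSuites throws IllegalArgumentException on an unsupported name.
        Set<String> suites = new LinkedHashSet<>(Arrays.asList(ssl.getEnabledCipherSuites()));
        List<String> supported = Arrays.asList(ssl.getSupportedCipherSuites());
        for (String suite : EXTRA_SUITES) if (supported.contains(suite)) suites.add(suite);
        ssl.setEnabledCipherSuites(suites.toArray(new String[0]));
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return harden(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return harden(delegate.createSocket(s, h, p, close)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return harden(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(a, p, l, lp)); }
}
```

Wrap the factory from an initialised `SSLContext` (`new HardenedSocketFactory(ctx.getSocketFactory())`) and pass the result to `HttpsURLConnection.setSSLSocketFactory`.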

  • developer

    How shall I mention your code in the license? Currently, the license and author are only shown in the README.md and the main activity, as far as I remember.



  • Hey, thank you for your review.

    1. I also recognized that the order of the cipher suites does not really matter.
    2. TLSv1.0 and TLSv1.1 should also not be used, but I think no possible protocol / cipher suite should be disabled if not needed. The server admin should have the freedom to decide about the needed security level.
    3. I have not used only 2 cipher suites, I just put 2 of them at the start of the enabled suites (ordering because of preferences). All other supported suites have been listed afterwards.
    4. Decide it on your own. The code was provided for the project CAdroid, so it should be the same license.
