From 548a585b2c4af9b4c2a98faabb8855fcb260daf2 Mon Sep 17 00:00:00 2001
From: Sam Whited
Date: Wed, 14 Jan 2015 12:20:02 -0500
Subject: Harden the TLS connection cipher suites

---
 .../siacs/conversations/http/HttpConnection.java | 81 ++++++++++++----------
 1 file changed, 44 insertions(+), 37 deletions(-)
(limited to 'src/main/java/eu/siacs/conversations/http')

diff --git a/src/main/java/eu/siacs/conversations/http/HttpConnection.java b/src/main/java/eu/siacs/conversations/http/HttpConnection.java
index 8951de74..4bff5251 100644
--- a/src/main/java/eu/siacs/conversations/http/HttpConnection.java
+++ b/src/main/java/eu/siacs/conversations/http/HttpConnection.java
@@ -20,6 +20,7 @@ import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.X509TrustManager;
 import eu.siacs.conversations.Config;
@@ -90,7 +91,7 @@ public class HttpConnection implements Downloadable {
 if (this.message.getEncryption() == Message.ENCRYPTION_OTR && this.file.getKey() == null) {
 this.message.setEncryption(Message.ENCRYPTION_NONE);
- }
+ }
 checkFileSize(false);
 } catch (MalformedURLException e) {
 this.cancel();
@@ -124,33 +125,39 @@ public class HttpConnection implements Downloadable {
 mXmppConnectionService.updateConversationUi();
 }
- private void setupTrustManager(HttpsURLConnection connection,
- boolean interactive) {
- X509TrustManager trustManager;
- HostnameVerifier hostnameVerifier;
+ private void setupTrustManager(final HttpsURLConnection connection,
+ final boolean interactive) {
+ final X509TrustManager trustManager;
+ final HostnameVerifier hostnameVerifier;
 if (interactive) {
 trustManager = mXmppConnectionService.getMemorizingTrustManager();
 hostnameVerifier = mXmppConnectionService
- .getMemorizingTrustManager().wrapHostnameVerifier( new StrictHostnameVerifier());
+ .getMemorizingTrustManager().wrapHostnameVerifier( new StrictHostnameVerifier());
 } else {
 trustManager = mXmppConnectionService.getMemorizingTrustManager()
- .getNonInteractive();
+ .getNonInteractive();
 hostnameVerifier = mXmppConnectionService
- .getMemorizingTrustManager()
- .wrapHostnameVerifierNonInteractive( new StrictHostnameVerifier());
+ .getMemorizingTrustManager()
+ .wrapHostnameVerifierNonInteractive( new StrictHostnameVerifier());
 }
 try {
- SSLContext sc = SSLContext.getInstance("TLS");
+ final SSLContext sc = SSLContext.getInstance("TLS");
 sc.init(null, new X509TrustManager[]{trustManager}, mXmppConnectionService.getRNG());
- connection.setSSLSocketFactory(sc.getSocketFactory());
+
+ final SSLSocketFactory sf = sc.getSocketFactory();
+ final String[] cipherSuites = CryptoHelper.getSupportedCipherSuites( sf.getSupportedCipherSuites());
+ if (cipherSuites.length > 0) {
+ sc.getDefaultSSLParameters().setCipherSuites(cipherSuites);
+
+ }
+
+ connection.setSSLSocketFactory(sf);
 connection.setHostnameVerifier(hostnameVerifier);
- } catch (KeyManagementException e) {
- return;
- } catch (NoSuchAlgorithmException e) {
- return;
+ } catch (final KeyManagementException | NoSuchAlgorithmException ignored) {
 }
 }
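Review bot: The cipher-suite restriction added in the try block of setupTrustManager is a no-op — `SSLContext.getDefaultSSLParameters()` returns a fresh copy, so `sc.getDefaultSSLParameters().setCipherSuites(cipherSuites);` mutates an object that is immediately discarded, and the factory handed to `connection.setSSLSocketFactory(sf)` still negotiates the platform's default suites. For the hardening to take effect, the filtered suites have to be applied with `setEnabledCipherSuites` on each `SSLSocket` the factory creates, which means wrapping `sf` in a small delegating `SSLSocketFactory` as sketched below (it needs `java.net.Socket` and `javax.net.ssl.SSLSocket` imported). The new `catch (final KeyManagementException | NoSuchAlgorithmException ignored)` keeps the pre-commit behaviour of leaving the connection on the platform default socket factory and hostname verifier instead of the memorizing trust manager; a comment such as `// context setup failed: connection keeps the platform default factory/verifier` would make that silent fallback visible to the next reader. `CryptoHelper.getSupportedCipherSuites` is outside this hunk, so whether it can return an empty array (the `length > 0` guard) cannot be confirmed here.
```java
            final SSLSocketFactory sf = sc.getSocketFactory();
            final String[] cipherSuites = CryptoHelper.getSupportedCipherSuites(
                    sf.getSupportedCipherSuites());
            // getDefaultSSLParameters() hands back a copy, so the suites must be
            // restricted on the sockets the factory creates, not on the context.
            connection.setSSLSocketFactory(cipherSuites.length > 0
                    ? new RestrictedCipherSuiteSocketFactory(sf, cipherSuites)
                    : sf);
            // … unchanged: connection.setHostnameVerifier(hostnameVerifier), catch …

    /** Delegates to another factory but limits every created socket to the given cipher suites. */
    private static final class RestrictedCipherSuiteSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] cipherSuites;

        RestrictedCipherSuiteSocketFactory(final SSLSocketFactory delegate,
                final String[] cipherSuites) {
            this.delegate = delegate;
            this.cipherSuites = cipherSuites.clone();
        }

        // Applies the restriction; non-SSL sockets are passed through untouched.
        private Socket restrict(final Socket socket) {
            if (socket instanceof SSLSocket) {
                ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
            }
            return socket;
        }

        @Override
        public Socket createSocket(final Socket s, final String host, final int port,
                final boolean autoClose) throws IOException {
            return restrict(delegate.createSocket(s, host, port, autoClose));
        }

        // … remaining createSocket overloads, getDefaultCipherSuites and
        //     getSupportedCipherSuites delegate the same way, wrapping in restrict() …
    }
```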
@@ -188,24 +195,24 @@ public class HttpConnection implements Downloadable {
 }
 private long retrieveFileSize() throws IOException,
- SSLHandshakeException {
- changeStatus(STATUS_CHECKING);
- HttpURLConnection connection = (HttpURLConnection) mUrl
- .openConnection();
- connection.setRequestMethod("HEAD");
- if (connection instanceof HttpsURLConnection) {
- setupTrustManager((HttpsURLConnection) connection, interactive);
- }
- connection.connect();
- String contentLength = connection.getHeaderField("Content-Length");
- if (contentLength == null) {
- throw new IOException();
- }
- try {
- return Long.parseLong(contentLength, 10);
- } catch (NumberFormatException e) {
- throw new IOException();
- }
+ SSLHandshakeException {
+ changeStatus(STATUS_CHECKING);
+ HttpURLConnection connection = (HttpURLConnection) mUrl
+ .openConnection();
+ connection.setRequestMethod("HEAD");
+ if (connection instanceof HttpsURLConnection) {
+ setupTrustManager((HttpsURLConnection) connection, interactive);
+ }
+ connection.connect();
+ String contentLength = connection.getHeaderField("Content-Length");
+ if (contentLength == null) {
+ throw new IOException();
+ }
+ try {
+ return Long.parseLong(contentLength, 10);
+ } catch (NumberFormatException e) {
+ throw new IOException();
+ }
 }
 }
@@ -234,7 +241,7 @@ public class HttpConnection implements Downloadable {
 private void download() throws SSLHandshakeException, IOException {
 HttpURLConnection connection = (HttpURLConnection) mUrl
- .openConnection();
+ .openConnection();
 if (connection instanceof HttpsURLConnection) {
 setupTrustManager((HttpsURLConnection) connection, interactive);
 }
@@ -300,4 +307,4 @@ public class HttpConnection implements Downloadable {
 public String getMimeType() {
 return "";
 }
-}
\ No newline at end of file
+}
--
cgit v1.2.3