authorMiguel Aranda <miguelaranda@google.com>2024-04-10 12:45:18 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2024-04-10 12:45:18 +0000
commit957f6e7aa21841acd18caf7411865a9944120d40 (patch)
tree46bd17fea6cb94eb60bd6b666b1592d552c072a3
parent2229cbe3427608c84a55f027d4f3f3e45154aa06 (diff)
parent71f4930ac7e1caf3a9d4ea3534f56e03be68ac40 (diff)
downloadconscrypt-957f6e7aa21841acd18caf7411865a9944120d40.tar.gz
Merge "Remove TLS 1.0 and 1.1 from the list of supported protocols." into main
-rw-r--r--android/src/main/java/org/conscrypt/Platform.java4
-rw-r--r--common/src/main/java/org/conscrypt/NativeCrypto.java27
-rw-r--r--common/src/main/java/org/conscrypt/NativeSsl.java5
-rw-r--r--common/src/main/java/org/conscrypt/SSLParametersImpl.java15
-rw-r--r--common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java44
-rw-r--r--openjdk/src/main/java/org/conscrypt/Platform.java4
-rw-r--r--platform/src/main/java/org/conscrypt/Platform.java4
-rw-r--r--repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java28
-rw-r--r--repackaged/common/src/main/java/com/android/org/conscrypt/NativeSsl.java5
-rw-r--r--repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java15
-rw-r--r--repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java43
-rw-r--r--repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java4
-rw-r--r--repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java4
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java14
-rw-r--r--repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java23
-rw-r--r--testing/src/main/java/org/conscrypt/TestUtils.java14
-rw-r--r--testing/src/main/java/org/conscrypt/java/security/StandardNames.java23
17 files changed, 204 insertions, 72 deletions
diff --git a/android/src/main/java/org/conscrypt/Platform.java b/android/src/main/java/org/conscrypt/Platform.java
index 3940f970..b24b1b98 100644
--- a/android/src/main/java/org/conscrypt/Platform.java
+++ b/android/src/main/java/org/conscrypt/Platform.java
@@ -1085,4 +1085,8 @@ final class Platform {
public static boolean isTlsV1Deprecated() {
return true;
}
+
+ public static boolean isTlsV1Supported() {
+ return true;
+ }
}
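Review bot: `isTlsV1Supported()` is added here without a comment saying how it differs from `isTlsV1Deprecated()` directly above it, and it returns `true` unconditionally. The other Platform hunks on this page (openjdk, platform and the repackaged copies) also return `true`, so as far as this commit shows TLSv1 and TLSv1.1 are still accepted by `setEnabledProtocols` on every build. The new tests guarded by `assumeFalse(isTlsV1Supported())` are therefore skipped everywhere. I would add a Javadoc along the lines of `/** Whether TLSv1 and TLSv1.1 may still be enabled explicitly; isTlsV1Deprecated() only affects the default protocol list. */` and say which platform is expected to return `false`.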
diff --git a/common/src/main/java/org/conscrypt/NativeCrypto.java b/common/src/main/java/org/conscrypt/NativeCrypto.java
index 7bb509a0..bc8ab05e 100644
--- a/common/src/main/java/org/conscrypt/NativeCrypto.java
+++ b/common/src/main/java/org/conscrypt/NativeCrypto.java
@@ -780,9 +780,8 @@ public final class NativeCrypto {
// --- SSL handling --------------------------------------------------------
- static final String OBSOLETE_PROTOCOL_SSLV3 = "SSLv3";
- private static final String DEPRECATED_PROTOCOL_TLSV1 = "TLSv1";
- private static final String DEPRECATED_PROTOCOL_TLSV1_1 = "TLSv1.1";
+ static final String DEPRECATED_PROTOCOL_TLSV1 = "TLSv1";
+ static final String DEPRECATED_PROTOCOL_TLSV1_1 = "TLSv1.1";
private static final String SUPPORTED_PROTOCOL_TLSV1_2 = "TLSv1.2";
static final String SUPPORTED_PROTOCOL_TLSV1_3 = "TLSv1.3";
@@ -1022,6 +1021,11 @@ public final class NativeCrypto {
DEPRECATED_PROTOCOL_TLSV1_1,
};
+ private static final String[] SUPPORTED_PROTOCOLS_TLSV1 = Platform.isTlsV1Supported()
+ ? new String[] {
+ DEPRECATED_PROTOCOL_TLSV1,
+ DEPRECATED_PROTOCOL_TLSV1_1,
+ } : new String[0];
/** Protocols to enable by default when "TLSv1.3" is requested. */
static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
@@ -1045,12 +1049,13 @@ public final class NativeCrypto {
static final String[] TLSV1_PROTOCOLS = TLSV11_PROTOCOLS;
static final String[] DEFAULT_PROTOCOLS = TLSV13_PROTOCOLS;
- private static final String[] SUPPORTED_PROTOCOLS = new String[] {
- DEPRECATED_PROTOCOL_TLSV1,
- DEPRECATED_PROTOCOL_TLSV1_1,
+
+ // If we ever get a new protocol go look for tests which are skipped using
+ // assumeTlsV11Enabled()
+ private static final String[] SUPPORTED_PROTOCOLS = ArrayUtils.concatValues(
+ SUPPORTED_PROTOCOLS_TLSV1,
SUPPORTED_PROTOCOL_TLSV1_2,
- SUPPORTED_PROTOCOL_TLSV1_3,
- };
+ SUPPORTED_PROTOCOL_TLSV1_3);
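Review bot: The new comment above `SUPPORTED_PROTOCOLS` points readers at `assumeTlsV11Enabled()`, but no helper of that name appears in this commit. The tests added here are gated on `isTlsV1Supported()` through `assumeTrue`/`assumeFalse`. Unless the helper exists elsewhere in the tree, the comment should name what the tests really use, for example `// When adding a protocol, also review the tests gated on TestUtils.isTlsV1Supported()`. `SUPPORTED_PROTOCOLS_TLSV1` in the preceding hunk has no Javadoc either, although the neighbouring arrays do. The repackaged NativeCrypto carries the same lines.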
public static String[] getDefaultProtocols() {
if (Platform.isTlsV1Deprecated()) {
@@ -1127,11 +1132,7 @@ public final class NativeCrypto {
if (protocol == null) {
throw new IllegalArgumentException("protocols contains null");
}
- if (!protocol.equals(DEPRECATED_PROTOCOL_TLSV1)
- && !protocol.equals(DEPRECATED_PROTOCOL_TLSV1_1)
- && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2)
- && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_3)
- && !protocol.equals(OBSOLETE_PROTOCOL_SSLV3)) {
+ if (!Arrays.asList(SUPPORTED_PROTOCOLS).contains(protocol)) {
throw new IllegalArgumentException("protocol " + protocol + " is not supported");
}
}
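Review bot: The `Arrays.asList(SUPPORTED_PROTOCOLS).contains(protocol)` check changes the outcome for "SSLv3" without recording it: the removed condition let that name pass validation, while the new one throws IllegalArgumentException, and SSLParametersImpl no longer strips it first. Callers that still list SSLv3 next to a current version will now get an exception, so the method's documentation should say so, for example `// "SSLv3" is rejected here; TLSv1/TLSv1.1 pass only when Platform.isTlsV1Supported()`. The list wrapper is also rebuilt for every element of the loop and could be created once before it. The enclosing method starts outside this hunk and may continue past it; the repackaged copy has the same change.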
diff --git a/common/src/main/java/org/conscrypt/NativeSsl.java b/common/src/main/java/org/conscrypt/NativeSsl.java
index 79369caa..ce3dd6b0 100644
--- a/common/src/main/java/org/conscrypt/NativeSsl.java
+++ b/common/src/main/java/org/conscrypt/NativeSsl.java
@@ -308,8 +308,9 @@ final class NativeSsl {
if (parameters.getEnabledProtocols().length == 0 && parameters.isEnabledProtocolsFiltered) {
throw new SSLHandshakeException("No enabled protocols; "
- + NativeCrypto.OBSOLETE_PROTOCOL_SSLV3
- + " is no longer supported and was filtered from the list");
+ + NativeCrypto.DEPRECATED_PROTOCOL_TLSV1
+ + " and " + NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1
+ + " are no longer supported and were filtered from the list");
}
NativeCrypto.setEnabledProtocols(ssl, this, parameters.enabledProtocols);
NativeCrypto.setEnabledCipherSuites(
diff --git a/common/src/main/java/org/conscrypt/SSLParametersImpl.java b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
index c38da79e..76fb7ca8 100644
--- a/common/src/main/java/org/conscrypt/SSLParametersImpl.java
+++ b/common/src/main/java/org/conscrypt/SSLParametersImpl.java
@@ -27,6 +27,7 @@ import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.List;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.net.ssl.KeyManager;
@@ -282,7 +283,12 @@ final class SSLParametersImpl implements Cloneable {
throw new IllegalArgumentException("protocols == null");
}
String[] filteredProtocols =
- filterFromProtocols(protocols, NativeCrypto.OBSOLETE_PROTOCOL_SSLV3);
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
}
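Review bot: The inline ternary passed to `filterFromProtocols` repeats the TLSv1 gating that NativeCrypto already expresses as `SUPPORTED_PROTOCOLS_TLSV1`, and it allocates a new array and list on every `setEnabledProtocols` call. The two definitions must stay exact complements; if they drift, a deprecated version that is neither supported nor filtered would reach `checkEnabledProtocols` and throw instead of being dropped. A single constant declared next to the supported array would keep them together, so the call reads `filterFromProtocols(protocols, NativeCrypto.UNSUPPORTED_PROTOCOLS_TLSV1)` (the constant name is only a suggestion). The method starts outside this hunk; the repackaged SSLParametersImpl is identical.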
@@ -430,14 +436,15 @@ final class SSLParametersImpl implements Cloneable {
* This filters {@code obsoleteProtocol} from the list of {@code protocols}
* down to help with app compatibility.
*/
- private static String[] filterFromProtocols(String[] protocols, String obsoleteProtocol) {
- if (protocols.length == 1 && obsoleteProtocol.equals(protocols[0])) {
+ private static String[] filterFromProtocols(String[] protocols,
+ List<String> obsoleteProtocols) {
+ if (protocols.length == 1 && obsoleteProtocols.contains(protocols[0])) {
return EMPTY_STRING_ARRAY;
}
ArrayList<String> newProtocols = new ArrayList<String>();
for (String protocol : protocols) {
- if (!obsoleteProtocol.equals(protocol)) {
+ if (!obsoleteProtocols.contains(protocol)) {
newProtocols.add(protocol);
}
}
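Review bot: The Javadoc kept above `filterFromProtocols` still refers to `{@code obsoleteProtocol}`, while the parameter is now the list `obsoleteProtocols`. I would reword it to `This filters every entry of {@code obsoleteProtocols} from the list of {@code protocols}` and add a `@param` line for the list. The method body continues past the end of the hunk, and the repackaged copy has the same stale comment.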
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
index 707cbab9..2a5b6444 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
@@ -20,6 +20,8 @@ import static org.conscrypt.TestUtils.osName;
import static org.conscrypt.TestUtils.isOsx;
import static org.conscrypt.TestUtils.isLinux;
import static org.conscrypt.TestUtils.isWindows;
+import static org.conscrypt.TestUtils.isTlsV1Deprecated;
+import static org.conscrypt.TestUtils.isTlsV1Supported;
import static org.conscrypt.TestUtils.UTF_8;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
@@ -1935,17 +1937,43 @@ public class SSLSocketVersionCompatibilityTest {
.build();
final SSLSocket client =
(SSLSocket) context.clientContext.getSocketFactory().createSocket();
- // For app compatibility, SSLv3 is stripped out when setting only.
- client.setEnabledProtocols(new String[] {"SSLv3"});
+ assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSLv3"}));
+ assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSL"}));
+ }
+
+ @Test
+ public void test_SSLSocket_TLSv1Supported() throws Exception {
+ assumeTrue(isTlsV1Supported());
+ TestSSLContext context = new TestSSLContext.Builder()
+ .clientProtocol(clientVersion)
+ .serverProtocol(serverVersion)
+ .build();
+ final SSLSocket client =
+ (SSLSocket) context.clientContext.getSocketFactory().createSocket();
+ client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"});
+ assertEquals(2, client.getEnabledProtocols().length);
+ }
+
+ @Test
+ public void test_SSLSocket_TLSv1Unsupported() throws Exception {
+ assumeFalse(isTlsV1Supported());
+ TestSSLContext context = new TestSSLContext.Builder()
+ .clientProtocol(clientVersion)
+ .serverProtocol(serverVersion)
+ .build();
+ final SSLSocket client =
+ (SSLSocket) context.clientContext.getSocketFactory().createSocket();
+ client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"});
assertEquals(0, client.getEnabledProtocols().length);
- try {
- client.setEnabledProtocols(new String[] {"SSL"});
- fail("SSLSocket should not support SSL protocol");
- } catch (IllegalArgumentException expected) {
- // Ignored.
- }
}
+ @Test
+ public void test_TLSv1Unsupported_notEnabled() throws Exception {
+ assumeTrue(!isTlsV1Supported());
+ assertTrue(isTlsV1Deprecated());
+ }
+
+
// Under some circumstances, the file descriptor socket may get finalized but still
// be reused by the JDK's built-in HTTP connection reuse code. Ensure that a
// SocketException is thrown if that happens.
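Review bot: `test_SSLSocket_TLSv1Unsupported` only covers a list made up entirely of deprecated versions; a list that mixes a deprecated and a current version is never asserted. That mixed case is the one where the filter has to drop TLSv1 while keeping the rest, so I would add `client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.2"});` followed by `assertArrayEquals(new String[] {"TLSv1.2"}, client.getEnabledProtocols());`. `test_TLSv1Unsupported_notEnabled` also writes `assumeTrue(!isTlsV1Supported())` where its neighbour uses `assumeFalse(...)`; one form throughout would read better. The first test method in this hunk starts outside it, and the repackaged test file has the same gaps.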
diff --git a/openjdk/src/main/java/org/conscrypt/Platform.java b/openjdk/src/main/java/org/conscrypt/Platform.java
index 2a07ac4e..c02c2456 100644
--- a/openjdk/src/main/java/org/conscrypt/Platform.java
+++ b/openjdk/src/main/java/org/conscrypt/Platform.java
@@ -816,4 +816,8 @@ final class Platform {
public static boolean isTlsV1Deprecated() {
return true;
}
+
+ public static boolean isTlsV1Supported() {
+ return true;
+ }
}
diff --git a/platform/src/main/java/org/conscrypt/Platform.java b/platform/src/main/java/org/conscrypt/Platform.java
index ef696184..e99e431e 100644
--- a/platform/src/main/java/org/conscrypt/Platform.java
+++ b/platform/src/main/java/org/conscrypt/Platform.java
@@ -570,4 +570,8 @@ final class Platform {
public static boolean isTlsV1Deprecated() {
return true;
}
+
+ public static boolean isTlsV1Supported() {
+ return true;
+ }
}
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
index 025f3dd1..de76ff15 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeCrypto.java
@@ -810,9 +810,8 @@ public final class NativeCrypto {
// --- SSL handling --------------------------------------------------------
- static final String OBSOLETE_PROTOCOL_SSLV3 = "SSLv3";
- private static final String DEPRECATED_PROTOCOL_TLSV1 = "TLSv1";
- private static final String DEPRECATED_PROTOCOL_TLSV1_1 = "TLSv1.1";
+ static final String DEPRECATED_PROTOCOL_TLSV1 = "TLSv1";
+ static final String DEPRECATED_PROTOCOL_TLSV1_1 = "TLSv1.1";
private static final String SUPPORTED_PROTOCOL_TLSV1_2 = "TLSv1.2";
static final String SUPPORTED_PROTOCOL_TLSV1_3 = "TLSv1.3";
@@ -1052,6 +1051,12 @@ public final class NativeCrypto {
DEPRECATED_PROTOCOL_TLSV1_1,
};
+ private static final String[] SUPPORTED_PROTOCOLS_TLSV1 = Platform.isTlsV1Supported()
+ ? new String[] {
+ DEPRECATED_PROTOCOL_TLSV1,
+ DEPRECATED_PROTOCOL_TLSV1_1,
+ } : new String[0];
+
/** Protocols to enable by default when "TLSv1.3" is requested. */
static final String[] TLSV13_PROTOCOLS = ArrayUtils.concatValues(
ENABLED_PROTOCOLS_TLSV1, SUPPORTED_PROTOCOL_TLSV1_2, SUPPORTED_PROTOCOL_TLSV1_3);
@@ -1071,12 +1076,13 @@ public final class NativeCrypto {
static final String[] TLSV1_PROTOCOLS = TLSV11_PROTOCOLS;
static final String[] DEFAULT_PROTOCOLS = TLSV13_PROTOCOLS;
- private static final String[] SUPPORTED_PROTOCOLS = new String[] {
- DEPRECATED_PROTOCOL_TLSV1,
- DEPRECATED_PROTOCOL_TLSV1_1,
+
+ // If we ever get a new protocol go look for tests which are skipped using
+ // assumeTlsV11Enabled()
+ private static final String[] SUPPORTED_PROTOCOLS = ArrayUtils.concatValues(
+ SUPPORTED_PROTOCOLS_TLSV1,
SUPPORTED_PROTOCOL_TLSV1_2,
- SUPPORTED_PROTOCOL_TLSV1_3,
- };
+ SUPPORTED_PROTOCOL_TLSV1_3);
public static String[] getDefaultProtocols() {
if (Platform.isTlsV1Deprecated()) {
@@ -1153,11 +1159,7 @@ public final class NativeCrypto {
if (protocol == null) {
throw new IllegalArgumentException("protocols contains null");
}
- if (!protocol.equals(DEPRECATED_PROTOCOL_TLSV1)
- && !protocol.equals(DEPRECATED_PROTOCOL_TLSV1_1)
- && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2)
- && !protocol.equals(SUPPORTED_PROTOCOL_TLSV1_3)
- && !protocol.equals(OBSOLETE_PROTOCOL_SSLV3)) {
+ if (!Arrays.asList(SUPPORTED_PROTOCOLS).contains(protocol)) {
throw new IllegalArgumentException("protocol " + protocol + " is not supported");
}
}
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeSsl.java b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeSsl.java
index ec245f98..af282615 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/NativeSsl.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/NativeSsl.java
@@ -309,8 +309,9 @@ final class NativeSsl {
if (parameters.getEnabledProtocols().length == 0 && parameters.isEnabledProtocolsFiltered) {
throw new SSLHandshakeException("No enabled protocols; "
- + NativeCrypto.OBSOLETE_PROTOCOL_SSLV3
- + " is no longer supported and was filtered from the list");
+ + NativeCrypto.DEPRECATED_PROTOCOL_TLSV1
+ + " and " + NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1
+ + " are no longer supported and were filtered from the list");
}
NativeCrypto.setEnabledProtocols(ssl, this, parameters.enabledProtocols);
NativeCrypto.setEnabledCipherSuites(
diff --git a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
index ee2d88e9..93bdc4f8 100644
--- a/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
+++ b/repackaged/common/src/main/java/com/android/org/conscrypt/SSLParametersImpl.java
@@ -28,6 +28,7 @@ import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.List;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.net.ssl.KeyManager;
@@ -286,7 +287,12 @@ final class SSLParametersImpl implements Cloneable {
throw new IllegalArgumentException("protocols == null");
}
String[] filteredProtocols =
- filterFromProtocols(protocols, NativeCrypto.OBSOLETE_PROTOCOL_SSLV3);
+ filterFromProtocols(protocols, Arrays.asList(Platform.isTlsV1Supported()
+ ? new String[0]
+ : new String[] {
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1,
+ NativeCrypto.DEPRECATED_PROTOCOL_TLSV1_1,
+ }));
isEnabledProtocolsFiltered = protocols.length != filteredProtocols.length;
enabledProtocols = NativeCrypto.checkEnabledProtocols(filteredProtocols).clone();
}
@@ -434,14 +440,15 @@ final class SSLParametersImpl implements Cloneable {
* This filters {@code obsoleteProtocol} from the list of {@code protocols}
* down to help with app compatibility.
*/
- private static String[] filterFromProtocols(String[] protocols, String obsoleteProtocol) {
- if (protocols.length == 1 && obsoleteProtocol.equals(protocols[0])) {
+ private static String[] filterFromProtocols(String[] protocols,
+ List<String> obsoleteProtocols) {
+ if (protocols.length == 1 && obsoleteProtocols.contains(protocols[0])) {
return EMPTY_STRING_ARRAY;
}
ArrayList<String> newProtocols = new ArrayList<String>();
for (String protocol : protocols) {
- if (!obsoleteProtocol.equals(protocol)) {
+ if (!obsoleteProtocols.contains(protocol)) {
newProtocols.add(protocol);
}
}
diff --git a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
index 847b20ad..89e34d97 100644
--- a/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
+++ b/repackaged/common/src/test/java/com/android/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
@@ -21,6 +21,8 @@ import static com.android.org.conscrypt.TestUtils.UTF_8;
import static com.android.org.conscrypt.TestUtils.isLinux;
import static com.android.org.conscrypt.TestUtils.isOsx;
import static com.android.org.conscrypt.TestUtils.isWindows;
+import static com.android.org.conscrypt.TestUtils.isTlsV1Deprecated;
+import static com.android.org.conscrypt.TestUtils.isTlsV1Supported;
import static com.android.org.conscrypt.TestUtils.osName;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
@@ -1936,15 +1938,40 @@ public class SSLSocketVersionCompatibilityTest {
.build();
final SSLSocket client =
(SSLSocket) context.clientContext.getSocketFactory().createSocket();
- // For app compatibility, SSLv3 is stripped out when setting only.
- client.setEnabledProtocols(new String[] {"SSLv3"});
+ assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSLv3"}));
+ assertThrows(IllegalArgumentException.class, () -> client.setEnabledProtocols(new String[] {"SSL"}));
+ }
+
+ @Test
+ public void test_SSLSocket_TLSv1Supported() throws Exception {
+ assumeTrue(isTlsV1Supported());
+ TestSSLContext context = new TestSSLContext.Builder()
+ .clientProtocol(clientVersion)
+ .serverProtocol(serverVersion)
+ .build();
+ final SSLSocket client =
+ (SSLSocket) context.clientContext.getSocketFactory().createSocket();
+ client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"});
+ assertEquals(2, client.getEnabledProtocols().length);
+ }
+
+ @Test
+ public void test_SSLSocket_TLSv1Unsupported() throws Exception {
+ assumeFalse(isTlsV1Supported());
+ TestSSLContext context = new TestSSLContext.Builder()
+ .clientProtocol(clientVersion)
+ .serverProtocol(serverVersion)
+ .build();
+ final SSLSocket client =
+ (SSLSocket) context.clientContext.getSocketFactory().createSocket();
+ client.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"});
assertEquals(0, client.getEnabledProtocols().length);
- try {
- client.setEnabledProtocols(new String[] {"SSL"});
- fail("SSLSocket should not support SSL protocol");
- } catch (IllegalArgumentException expected) {
- // Ignored.
- }
+ }
+
+ @Test
+ public void test_TLSv1Unsupported_notEnabled() throws Exception {
+ assumeTrue(!isTlsV1Supported());
+ assertTrue(isTlsV1Deprecated());
}
// Under some circumstances, the file descriptor socket may get finalized but still
diff --git a/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java b/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java
index 44523b10..d76d7e68 100644
--- a/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java
+++ b/repackaged/openjdk/src/main/java/com/android/org/conscrypt/Platform.java
@@ -817,4 +817,8 @@ final class Platform {
public static boolean isTlsV1Deprecated() {
return true;
}
+
+ public static boolean isTlsV1Supported() {
+ return true;
+ }
}
diff --git a/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java b/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java
index 3ad55e27..63af3e38 100644
--- a/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java
+++ b/repackaged/platform/src/main/java/com/android/org/conscrypt/Platform.java
@@ -571,4 +571,8 @@ final class Platform {
public static boolean isTlsV1Deprecated() {
return true;
}
+
+ public static boolean isTlsV1Supported() {
+ return true;
+ }
}
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
index c98a1ef6..55ad2768 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/TestUtils.java
@@ -839,4 +839,18 @@ public final class TestUtils {
throw new IllegalStateException("Reflection failure", e);
}
}
+
+ // Find base method via reflection due to possible version skew on Android
+ // and visibility issues when building with Gradle.
+ public static boolean isTlsV1Supported() {
+ try {
+ return (Boolean) conscryptClass("Platform")
+ .getDeclaredMethod("isTlsV1Supported")
+ .invoke(null);
+ } catch (NoSuchMethodException e) {
+ return true;
+ } catch (ClassNotFoundException | IllegalAccessException | InvocationTargetException e) {
+ throw new IllegalStateException("Reflection failure", e);
+ }
+ }
}
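Review bot: The `catch (NoSuchMethodException e) { return true; }` branch has no comment explaining why a missing method is treated as "supported". Presumably a Platform class without `isTlsV1Supported()` predates this change and therefore still accepts TLSv1 and TLSv1.1. That reasoning should be written next to the branch, for example `// Older Conscrypt without this method still supports TLSv1/TLSv1.1.`, because the opposite default would make the gated tests assert the wrong behaviour. The same method is added in testing/src/main/java/org/conscrypt/TestUtils.java.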
diff --git a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
index 2c59d82f..1bf9b872 100644
--- a/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
+++ b/repackaged/testing/src/main/java/com/android/org/conscrypt/java/security/StandardNames.java
@@ -153,17 +153,15 @@ public final class StandardNames {
provideCipherPaddings("AES", new String[] {"PKCS7Padding"});
}
- provideSslContextEnabledProtocols("TLS", TLSVersion.TLSv1, TLSVersion.TLSv13);
- provideSslContextEnabledProtocols("TLSv1", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.1", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.2", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.3", TLSVersion.TLSv1, TLSVersion.TLSv13);
- provideSslContextEnabledProtocols("Default", TLSVersion.TLSv1, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("TLS", TLSVersion.TLSv12, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("TLSv1.2", TLSVersion.TLSv12, TLSVersion.TLSv12);
+ provideSslContextEnabledProtocols("TLSv1.3", TLSVersion.TLSv12, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("Default", TLSVersion.TLSv12, TLSVersion.TLSv13);
}
public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
- Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
+ Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
// Deprecated TLS protocols... May or may not be present or enabled.
@@ -185,8 +183,15 @@ public final class StandardNames {
}
}
- public static final Set<String> SSL_SOCKET_PROTOCOLS =
- new HashSet<String>(Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
+ public static final Set<String> SSL_SOCKET_PROTOCOLS = new HashSet<>();
+ static {
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.2");
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.3");
+ if (TestUtils.isTlsV1Supported()) {
+ SSL_SOCKET_PROTOCOLS.add("TLSv1");
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.1");
+ }
+ }
private enum TLSVersion {
SSLv3("SSLv3"),
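Review bot: `SSL_SOCKET_PROTOCOLS` is now filled in a static block that calls `TestUtils.isTlsV1Supported()`, so a reflection failure there aborts the initialisation of StandardNames itself. That helper throws IllegalStateException on such a failure, which would surface as ExceptionInInitializerError in tests that merely touch StandardNames. The set also stays a public mutable `HashSet`. A short comment such as `// TLSv1/TLSv1.1 are expected only where the platform still supports them` would explain the conditional branch. The non-repackaged StandardNames receives the same change.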
diff --git a/testing/src/main/java/org/conscrypt/TestUtils.java b/testing/src/main/java/org/conscrypt/TestUtils.java
index 92bce9e7..00ff0dc7 100644
--- a/testing/src/main/java/org/conscrypt/TestUtils.java
+++ b/testing/src/main/java/org/conscrypt/TestUtils.java
@@ -833,4 +833,18 @@ public final class TestUtils {
throw new IllegalStateException("Reflection failure", e);
}
}
+
+ // Find base method via reflection due to possible version skew on Android
+ // and visibility issues when building with Gradle.
+ public static boolean isTlsV1Supported() {
+ try {
+ return (Boolean) conscryptClass("Platform")
+ .getDeclaredMethod("isTlsV1Supported")
+ .invoke(null);
+ } catch (NoSuchMethodException e) {
+ return true;
+ } catch (ClassNotFoundException | IllegalAccessException | InvocationTargetException e) {
+ throw new IllegalStateException("Reflection failure", e);
+ }
+ }
}
diff --git a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
index 54a26d0c..609581d5 100644
--- a/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
+++ b/testing/src/main/java/org/conscrypt/java/security/StandardNames.java
@@ -152,17 +152,15 @@ public final class StandardNames {
provideCipherPaddings("AES", new String[] {"PKCS7Padding"});
}
- provideSslContextEnabledProtocols("TLS", TLSVersion.TLSv1, TLSVersion.TLSv13);
- provideSslContextEnabledProtocols("TLSv1", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.1", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.2", TLSVersion.TLSv1, TLSVersion.TLSv12);
- provideSslContextEnabledProtocols("TLSv1.3", TLSVersion.TLSv1, TLSVersion.TLSv13);
- provideSslContextEnabledProtocols("Default", TLSVersion.TLSv1, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("TLS", TLSVersion.TLSv12, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("TLSv1.2", TLSVersion.TLSv12, TLSVersion.TLSv12);
+ provideSslContextEnabledProtocols("TLSv1.3", TLSVersion.TLSv12, TLSVersion.TLSv13);
+ provideSslContextEnabledProtocols("Default", TLSVersion.TLSv12, TLSVersion.TLSv13);
}
public static final String SSL_CONTEXT_PROTOCOLS_DEFAULT = "Default";
public static final Set<String> SSL_CONTEXT_PROTOCOLS = new HashSet<String>(
- Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
+ Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.2", "TLSv1.3"));
public static final Set<String> SSL_CONTEXT_PROTOCOLS_WITH_DEFAULT_CONFIG = new HashSet<String>(
Arrays.asList(SSL_CONTEXT_PROTOCOLS_DEFAULT, "TLS", "TLSv1.3"));
// Deprecated TLS protocols... May or may not be present or enabled.
@@ -184,8 +182,15 @@ public final class StandardNames {
}
}
- public static final Set<String> SSL_SOCKET_PROTOCOLS =
- new HashSet<String>(Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));
+ public static final Set<String> SSL_SOCKET_PROTOCOLS = new HashSet<>();
+ static {
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.2");
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.3");
+ if (TestUtils.isTlsV1Supported()) {
+ SSL_SOCKET_PROTOCOLS.add("TLSv1");
+ SSL_SOCKET_PROTOCOLS.add("TLSv1.1");
+ }
+ }
private enum TLSVersion {
SSLv3("SSLv3"),