[Replicant 4.2] TLS 1.2 as a default protocol
Added by Grim Kriegor almost 8 years ago
Good evening gentlemen.
During the weekend, while trying to chat via XMPP with friends, I realized Conversations was unable to do HTTP Upload to the server patchcord.be.
The sysadmin of the server informed me TLS 1.2 was required and I later realized Replicant 4.2, as well as the equivalent CyanogenMod and AOSP versions, do not have TLS 1.2 listed as a default protocol, even though it is supported.
By simply hacking replicant-4.2/libcore and adding TLS 1.2 as a default protocol, Conversations was able to communicate with the HTTP server.
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java index 65373ff..6b7edd3 100644 --- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java +++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java @@ -463,16 +463,20 @@ public final class NativeCrypto { public static native long SSL_clear_options(int ssl, long options); public static String[] getDefaultProtocols() { - return new String[] { SUPPORTED_PROTOCOL_SSLV3, + return new String[] { + SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_1, SUPPORTED_PROTOCOL_TLSV1, + SUPPORTED_PROTOCOL_SSLV3, }; } public static String[] getSupportedProtocols() { - return new String[] { SUPPORTED_PROTOCOL_SSLV3, - SUPPORTED_PROTOCOL_TLSV1, - SUPPORTED_PROTOCOL_TLSV1_1, + return new String[] { SUPPORTED_PROTOCOL_TLSV1_2, + SUPPORTED_PROTOCOL_TLSV1_1, + SUPPORTED_PROTOCOL_TLSV1, + SUPPORTED_PROTOCOL_SSLV3, }; }
Does this change have any downsides? Hope it proves useful for someone.
Build with this and other changes: https://github.com/GrimKriegor/replicant
Replies (2)
RE: [Replicant 4.2] TLS 1.2 as a default protocol - Added by Wolfgang Wiedmeyer almost 8 years ago
Quite some time ago, I already submitted some patches that fix TLS/SSL related issues: http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150921/000810.html
Besides enabling TLS 1.2 and TLS 1.1, the patches also fix some other security issues like weak ciphers or the Logjam vulnerability.
I also patched multiple known security issues in the Openssl version that Replicant 4.2 is using: https://code.fossencdi.org/replicant_openssl.git/.
RE: [Replicant 4.2] TLS 1.2 as a default protocol - Added by Grim Kriegor almost 8 years ago
Should have checked your repos for juicy changes beforehand, thanks a lot for your work, great stuff as always!
Simply cloned your openssl repository, applied your changes to libcore regarding the weak ciphers and everything seems to be working perfectly.
Awesome!