[Replicant 4.2] TLS 1.2 as a default protocol

Added by Grim Kriegor almost 2 years ago

Good evening, gentlemen.

During the weekend, while trying to chat via XMPP with friends, I realized Conversations was unable to do HTTP Upload to the server patchcord.be.
The sysadmin of the server informed me that TLS 1.2 was required, and I later realized that Replicant 4.2, as well as the equivalent CyanogenMod and AOSP versions, does not have TLS 1.2 listed as a default protocol, even though it is supported.

By simply hacking replicant-4.2/libcore and adding TLS 1.2 as a default protocol, Conversations was able to communicate with the HTTP server.

diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
index 65373ff..6b7edd3 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
@@ -463,16 +463,20 @@ public final class NativeCrypto {
     public static native long SSL_clear_options(int ssl, long options);

     public static String[] getDefaultProtocols() {
-        return new String[] { SUPPORTED_PROTOCOL_SSLV3,
+        return new String[] {
+                              SUPPORTED_PROTOCOL_TLSV1_2,
+                              SUPPORTED_PROTOCOL_TLSV1_1,
                               SUPPORTED_PROTOCOL_TLSV1,
+                              SUPPORTED_PROTOCOL_SSLV3,
         };
     }

     public static String[] getSupportedProtocols() {
-        return new String[] { SUPPORTED_PROTOCOL_SSLV3,
-                              SUPPORTED_PROTOCOL_TLSV1,
-                              SUPPORTED_PROTOCOL_TLSV1_1,
+        return new String[] {
                               SUPPORTED_PROTOCOL_TLSV1_2,
+                              SUPPORTED_PROTOCOL_TLSV1_1,
+                              SUPPORTED_PROTOCOL_TLSV1,
+                              SUPPORTED_PROTOCOL_SSLV3,
         };
     }

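Review bot: getDefaultProtocols() still returns SUPPORTED_PROTOCOL_SSLV3 (the new last entry of the first array), so a peer that offers nothing newer than SSLv3 is still accepted by default after this change; if the intent is to harden the platform default rather than only widen it, drop SSLv3 from getDefaultProtocols() and leave it in getSupportedProtocols() for callers that explicitly enable it. The rewrite of getSupportedProtocols() changes only the order of the four constants, not the set, so that half of the hunk is cosmetic and deserves a sentence in the commit message saying so, since a reader of the diff will otherwise look for a behavioural change there. It is also worth a comment above the first array stating whether the order of the returned list carries any meaning (preference order versus an unordered set), because the hunk now puts the entries newest-first in both methods without saying why.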
Does this change have any downsides? Hope it proves useful for someone.

Build with this and other changes: https://github.com/GrimKriegor/replicant
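For anyone who cannot rebuild libcore, the same problem can be seen and worked around from inside an app. The following is an added example written for this thread, not code from the Replicant tree, from Conversations, or from the build linked above: it prints the protocols an SSLSocket has enabled by default (which on Replicant 4.2 ultimately come from the NativeCrypto lists the diff edits) against the ones it supports, and, when TLSv1.2 is missing from the defaults, enables every TLS version the platform supports, leaving SSLv3 out. The host name is a placeholder; replace it with a server that requires TLS 1.2 to see the difference.

```java
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example for this thread; not part of libcore, Replicant or Conversations.
 * Shows the gap between getEnabledProtocols() (the platform default list) and
 * getSupportedProtocols(), and closes it per socket with setEnabledProtocols().
 */
public class TlsProtocolCheck {

    /**
     * Keep every TLSv1.x entry the platform reports, newest first, and drop
     * SSLv3 and anything older. Returns an empty array when no TLS version
     * is supported at all, so the caller can refuse to connect instead of
     * silently falling back.
     */
    static String[] preferredProtocols(String[] supported) {
        String[] wanted = { "TLSv1.2", "TLSv1.1", "TLSv1" }; // preference order
        List<String> available = Arrays.asList(supported);
        List<String> chosen = new ArrayList<String>();
        for (String p : wanted) {
            if (available.contains(p)) {
                chosen.add(p);
            }
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    /** True if TLSv1.2 is already among the enabled protocols. */
    static boolean tls12Enabled(String[] enabled) {
        return Arrays.asList(enabled).contains("TLSv1.2");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org"; // placeholder host
        int port = 443;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected socket: inspecting the lists causes no network traffic.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            String[] enabled = socket.getEnabledProtocols();     // platform defaults
            String[] supported = socket.getSupportedProtocols(); // everything available
            System.out.println("enabled by default: " + Arrays.toString(enabled));
            System.out.println("supported:          " + Arrays.toString(supported));

            if (!tls12Enabled(enabled)) {
                String[] fixed = preferredProtocols(supported);
                if (fixed.length == 0) {
                    throw new IllegalStateException("platform supports no TLS version");
                }
                // Must happen before the handshake starts.
                socket.setEnabledProtocols(fixed);
                System.out.println("enabled after fix:  " + Arrays.toString(fixed));
            }

            socket.connect(new InetSocketAddress(host, port), 10000);
            socket.startHandshake();
            System.out.println("negotiated: " + socket.getSession().getProtocol());
        } finally {
            socket.close();
        }
    }
}
```

The per-socket call only helps the app that makes it; any app that takes the platform default socket factory as-is (which is what the failing HTTP Upload in Conversations suggests) still inherits whatever getDefaultProtocols() returns, which is why the libcore change above fixes it for everything at once.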


Replies (2)

RE: [Replicant 4.2] TLS 1.2 as a default protocol - Added by Wolfgang Wiedmeyer almost 2 years ago

Quite some time ago, I already submitted some patches that fix TLS/SSL-related issues: http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150921/000810.html

Besides enabling TLS 1.2 and TLS 1.1, the patches also fix some other security issues like weak ciphers or the Logjam vulnerability.

I also patched multiple known security issues in the OpenSSL version that Replicant 4.2 is using: https://code.fossencdi.org/replicant_openssl.git/.

RE: [Replicant 4.2] TLS 1.2 as a default protocol - Added by Grim Kriegor almost 2 years ago

Should have checked your repos for juicy changes beforehand, thanks a lot for your work, great stuff as always!

I simply cloned your OpenSSL repository, applied your changes to libcore regarding the weak ciphers, and everything seems to be working perfectly.

Awesome!
