
Example 16 with ConnectionSpec

use of okhttp3.ConnectionSpec in project okhttp by square.

the class ConnectionSpecTest method allEnabledTlsVersions.

/**
 * Checks that a spec built with {@code allEnabledTlsVersions()} reports no TLS version list of
 * its own and that applying it to a socket keeps the protocols the platform leaves enabled.
 *
 * <p>Security note: on the non-Android branch the assertions show {@code SSL_3_0} still enabled
 * after the spec is applied, so this builder option does no protocol filtering. A minimum
 * protocol version has to come from the platform's own defaults or from an explicit version
 * list on the spec; only the Android API 26+ branches expect SSLv3 to be gone.
 */
@Test
public void allEnabledTlsVersions() throws Exception {
    platform.assumeNotConscrypt();

    ConnectionSpec.Builder specBuilder = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS);
    ConnectionSpec tlsSpec = specBuilder.allEnabledTlsVersions().build();
    // The spec carries no version list once "all enabled" is requested.
    assertThat(tlsSpec.tlsVersions()).isNull();

    String ssl3 = TlsVersion.SSL_3_0.javaName();
    String tls11 = TlsVersion.TLS_1_1.javaName();
    String tls12 = TlsVersion.TLS_1_2.javaName();
    String tls13 = TlsVersion.TLS_1_3.javaName();
    // TLS 1.3 is only requested (and expected) when the runtime major version is above 11.
    boolean newerThanEleven = PlatformVersion.INSTANCE.getMajorVersion() > 11;

    SSLSocket sslSocket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
    String[] requested = newerThanEleven
        ? new String[] { ssl3, tls11, tls12, tls13 }
        : new String[] { ssl3, tls11, tls12 };
    // SSLv3 is switched on deliberately so the test can observe whether anything removes it.
    sslSocket.setEnabledProtocols(requested);

    applyConnectionSpec(tlsSpec, sslSocket, false);

    if (!Platform.Companion.isAndroid()) {
        // JVM: everything that was requested, SSLv3 included, is still enabled.
        if (newerThanEleven) {
            assertThat(sslSocket.getEnabledProtocols()).containsExactly(ssl3, tls11, tls12, tls13);
        } else {
            assertThat(sslSocket.getEnabledProtocols()).containsExactly(ssl3, tls11, tls12);
        }
        return;
    }

    Integer sdkVersion = platform.androidSdkVersion();
    boolean sdkKnown = sdkVersion != null;
    // https://developer.android.com/reference/javax/net/ssl/SSLSocket
    if (sdkKnown && sdkVersion >= 29) {
        assertThat(sslSocket.getEnabledProtocols()).containsExactly(tls11, tls12, tls13);
    } else if (sdkKnown && sdkVersion >= 26) {
        assertThat(sslSocket.getEnabledProtocols()).containsExactly(tls11, tls12);
    } else {
        assertThat(sslSocket.getEnabledProtocols()).containsExactly(ssl3, tls11, tls12);
    }
}
Also used : Internal.applyConnectionSpec(okhttp3.internal.Internal.applyConnectionSpec) SSLSocket(javax.net.ssl.SSLSocket) Test(org.junit.jupiter.api.Test)

Example 17 with ConnectionSpec

use of okhttp3.ConnectionSpec in project sonarqube by SonarSource.

the class OkHttpClientBuilder method build.

/**
 * Assembles an {@link OkHttpClient} from the proxy, timeout, redirect and TLS settings held by
 * this builder.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 *   <li>The TLS spec starts from {@code MODERN_TLS} but then enables all TLS versions and all
 *       cipher suites the socket has enabled, so the effective protocol and cipher floor is
 *       whatever the runtime's TLS defaults allow, not OkHttp's curated list.</li>
 *   <li>{@code CLEARTEXT} is also listed, which keeps plain {@code http://} URLs usable.</li>
 *   <li>{@code followSslRedirects} receives the same flag as {@code followRedirects};
 *       in OkHttp that option governs redirects that cross between HTTPS and HTTP.</li>
 *   <li>Proxy credentials are sent as a Basic {@code Proxy-Authorization} header, and only once
 *       per request chain.</li>
 * </ul>
 *
 * @return a configured client
 */
public OkHttpClient build() {
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    builder.proxy(proxy);

    // Negative values mean "leave OkHttp's default timeout in place".
    if (connectTimeoutMs >= 0) {
        builder.connectTimeout(connectTimeoutMs, TimeUnit.MILLISECONDS);
    }
    if (readTimeoutMs >= 0) {
        builder.readTimeout(readTimeoutMs, TimeUnit.MILLISECONDS);
    }

    builder.addNetworkInterceptor(this::addHeaders);

    if (proxyLogin != null) {
        builder.proxyAuthenticator((route, response) -> {
            // A request that already carries the header was answered with a challenge again:
            // give up instead of resending the same credentials in a loop.
            boolean alreadyAttempted = response.request().header(PROXY_AUTHORIZATION) != null;
            if (alreadyAttempted || HttpURLConnection.HTTP_PROXY_AUTH != response.code()) {
                return null;
            }
            // Basic credentials are only encoded, not encrypted.
            // NOTE(review): confirm the hop to the proxy is trusted or protected.
            String credential = Credentials.basic(proxyLogin, nullToEmpty(proxyPassword), UTF_8);
            return response.request().newBuilder().header(PROXY_AUTHORIZATION, credential).build();
        });
    }

    if (followRedirects != null) {
        builder.followRedirects(followRedirects);
        // Same flag for both: when true, redirects between https and http are followed too.
        builder.followSslRedirects(followRedirects);
    }

    // Widest TLS configuration the runtime permits; no versions or suites are pinned here.
    ConnectionSpec tls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .allEnabledTlsVersions()
        .allEnabledCipherSuites()
        .supportsTlsExtensions(true)
        .build();
    builder.connectionSpecs(asList(tls, ConnectionSpec.CLEARTEXT));

    // Caller-supplied trust material wins; otherwise the system defaults are used.
    X509TrustManager trustManager;
    if (sslTrustManager != null) {
        trustManager = sslTrustManager;
    } else {
        trustManager = systemDefaultTrustManager();
    }
    SSLSocketFactory sslFactory;
    if (sslSocketFactory != null) {
        sslFactory = sslSocketFactory;
    } else {
        sslFactory = systemDefaultSslSocketFactory(trustManager);
    }
    builder.sslSocketFactory(sslFactory, trustManager);

    return builder.build();
}
Also used : OkHttpClient(okhttp3.OkHttpClient) ConnectionSpec(okhttp3.ConnectionSpec) X509TrustManager(javax.net.ssl.X509TrustManager) SSLSocketFactory(javax.net.ssl.SSLSocketFactory)

Example 18 with ConnectionSpec

use of okhttp3.ConnectionSpec in project okhttp by square.

the class ConnectionSpecSelector method configureSecureSocket.

/**
 * Configures the supplied {@link SSLSocket} using the first {@link ConnectionSpec}, at or after
 * the current fallback position, that is compatible with the socket. Returns the chosen
 * {@link ConnectionSpec}, never {@code null}.
 *
 * <p>The search starts at {@code nextModeIndex} and that index is moved past the chosen spec, so
 * a later call tries the next entry in the list. List order is therefore the fallback order:
 * callers that want the strictest configuration attempted first must put it first.
 *
 * @param sslSocket the socket to configure
 * @return the spec that was applied to the socket
 * @throws IOException if the socket does not support any of the TLS modes available
 */
public ConnectionSpec configureSecureSocket(SSLSocket sslSocket) throws IOException {
    ConnectionSpec chosenSpec = null;
    int specCount = connectionSpecs.size();
    for (int index = nextModeIndex; index < specCount && chosenSpec == null; index++) {
        ConnectionSpec candidate = connectionSpecs.get(index);
        if (candidate.isCompatible(sslSocket)) {
            chosenSpec = candidate;
            // Remember where to resume if this attempt fails and a fallback is tried.
            nextModeIndex = index + 1;
        }
    }

    if (chosenSpec == null) {
        // No remaining spec fits this socket: either none matched on a first attempt, or this
        // is a retry (but this socket supports fewer protocols than was suggested by a prior
        // socket).
        throw new UnknownServiceException("Unable to find acceptable protocols. isFallback=" + isFallback + ", modes=" + connectionSpecs + ", supported protocols=" + Arrays.toString(sslSocket.getEnabledProtocols()));
    }

    // Recorded now so the caller can later tell whether another, later spec could still be tried.
    isFallbackPossible = isFallbackPossible(sslSocket);

    // isFallback is forwarded so the spec can treat a retry differently from a first attempt.
    // NOTE(review): in OkHttp this is presumably where a downgrade-signalling suite is added;
    // confirm against ConnectionSpec's apply implementation.
    Internal.instance.apply(chosenSpec, sslSocket, isFallback);
    return chosenSpec;
}
Also used : ConnectionSpec(okhttp3.ConnectionSpec) UnknownServiceException(java.net.UnknownServiceException)

Example 19 with ConnectionSpec

use of okhttp3.ConnectionSpec in project Tusky by Vavassor.

the class OkHttpUtils method getCompatibleClientBuilder.

/**
 * Makes a Builder with the maximum range of TLS versions and cipher suites enabled.
 *
 * <p>Connection specs are listed in the order they are tried:
 * <ol>
 *   <li>{@code ConnectionSpec.MODERN_TLS}, OkHttp's "approved" cipher suite list;</li>
 *   <li>on API level 24 only, a spec without elliptic-curve suites (that release has a
 *       regression where only secp256r1 is supported);</li>
 *   <li>a fallback with ALL enabled cipher suites;</li>
 *   <li>{@code ConnectionSpec.CLEARTEXT}, for plain http.</li>
 * </ol>
 *
 * <p>Security note: the third entry accepts any suite the device has enabled, so the weakest
 * cipher this client may negotiate is decided by the platform, not by OkHttp's curated list.
 * NOTE(review): OkHttp is expected to consider only TLS specs for {@code https://} addresses,
 * so the CLEARTEXT entry should permit {@code http://} URLs rather than downgrade an https
 * request to plaintext; confirm against the OkHttp version in use.
 *
 * <p>TLS 1.1 and 1.2 have to be manually enabled on API levels 16-20.
 *
 * @return a client builder carrying the user-agent interceptor and the spec list above
 */
@NonNull
public static OkHttpClient.Builder getCompatibleClientBuilder() {
    List<ConnectionSpec> specList = new ArrayList<>();

    // Strictest configuration first; every later entry is only reached as a fallback.
    specList.add(ConnectionSpec.MODERN_TLS);
    addNougatFixConnectionSpec(specList);

    ConnectionSpec allSuitesFallback = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .allEnabledCipherSuites()
        .supportsTlsExtensions(true)
        .build();
    specList.add(allSuitesFallback);
    specList.add(ConnectionSpec.CLEARTEXT);

    OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
    clientBuilder.addInterceptor(getUserAgentInterceptor());
    clientBuilder.connectionSpecs(specList);
    return enableHigherTlsOnPreLollipop(clientBuilder);
}
Also used : OkHttpClient(okhttp3.OkHttpClient) ConnectionSpec(okhttp3.ConnectionSpec) ArrayList(java.util.ArrayList) NonNull(android.support.annotation.NonNull)

Example 20 with ConnectionSpec

use of okhttp3.ConnectionSpec in project Tusky by Vavassor.

the class OkHttpUtils method addNougatFixConnectionSpec.

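/**
 * Android version Nougat has a regression where elliptic curve cipher suites are supported, but
 * only the curve secp256r1 is allowed. So, first it's best to just disable all elliptic
 * ciphers, try the connection, and fall back to the all cipher suites enabled list after.
 *
 * <p>Does nothing unless the device runs exactly {@code Build.VERSION_CODES.N}. Otherwise it
 * appends one spec to {@code specList} whose cipher suites are the platform defaults minus
 * every suite whose name contains {@code "ECDH"}.
 *
 * <p>Security note: the substring match removes ECDHE suites as well as static ECDH ones, so
 * this spec gives up elliptic-curve forward secrecy. NOTE(review): which key exchanges remain
 * depends on the device's default suite list; confirm that it does not leave only suites
 * without forward secrecy. Trust evaluation is unchanged: the context is initialised with the
 * platform's default {@link X509TrustManager}.
 *
 * @param specList list the extra spec is appended to; left untouched on other API levels or
 *     when the socket factory cannot be obtained
 * @throws IllegalStateException if the default trust managers are not a single
 *     {@link X509TrustManager}
 */
private static void addNougatFixConnectionSpec(List<ConnectionSpec> specList) {
    if (Build.VERSION.SDK_INT != Build.VERSION_CODES.N) {
        return;
    }
    SSLSocketFactory socketFactory;
    try {
        // A null KeyStore selects the platform's default trust anchors.
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
        }
        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManager }, null);
        socketFactory = sslContext.getSocketFactory();
    } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
        // Best effort: without a factory the default suites cannot be read, so the extra spec
        // is skipped. The cause is logged so the failure can be diagnosed.
        Log.e(TAG, "Failed obtaining the SSL socket factory.", e);
        return;
    }
    // The factory is used only to read the default cipher suite names.
    String[] cipherSuites = socketFactory.getDefaultCipherSuites();
    List<String> allowedList = new ArrayList<>(cipherSuites.length);
    for (String suite : cipherSuites) {
        // "ECDH" also matches "ECDHE", so every elliptic-curve key exchange is dropped.
        if (!suite.contains("ECDH")) {
            allowedList.add(suite);
        }
    }
    ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS).cipherSuites(allowedList.toArray(new String[0])).supportsTlsExtensions(true).build();
    specList.add(spec);
}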
Also used : ConnectionSpec(okhttp3.ConnectionSpec) ArrayList(java.util.ArrayList) SSLContext(javax.net.ssl.SSLContext) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) KeyStoreException(java.security.KeyStoreException) KeyManagementException(java.security.KeyManagementException) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) SSLSocketFactory(javax.net.ssl.SSLSocketFactory)
