Bug 1061273 - Part 2: use per-version DEFAULT_PROTOCOLS and DEFAULT_CIPHER_SUITES. r=nalexander

This commit is contained in:
Richard Newman 2015-06-04 11:07:32 -07:00
parent 4a0a0c0ebb
commit 337d084746

View File

@ -38,23 +38,76 @@ public class GlobalConstants {
// Acceptable cipher suites.
/**
* We support only a very limited range of strong cipher suites and protocols:
* no SSLv3 or TLSv1.0 (if we can), no DHE ciphers that might be vulnerable to Logjam
* (https://weakdh.org/), no RC4.
*
* Backstory: Bug 717691 (we no longer support Android 2.2, so the name
* workaround is unnecessary), Bug 1081953, Bug 1061273, Bug 1166839.
*
* See <http://developer.android.com/reference/javax/net/ssl/SSLSocket.html> for
* supported Android versions for each set of protocols and cipher suites.
*
* Note that currently we need to support connections to Sync 1.1 on Mozilla-hosted infra,
* as well as connections to FxA and Sync 1.5 on AWS.
*
* ELB cipher suites:
* <http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html>
*/
public static final String[] DEFAULT_CIPHER_SUITES;
public static final String[] DEFAULT_PROTOCOLS;
static {
DEFAULT_CIPHER_SUITES = new String[]
{
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_RC4_128_SHA", // "RC4_SHA"
};
DEFAULT_PROTOCOLS = new String[]
{
"SSLv3",
"TLSv1",
};
// Prioritize 128 over 256 as a tradeoff between device CPU/battery and the minor
// increase in strength.
if (Versions.feature20Plus) {
DEFAULT_CIPHER_SUITES = new String[]
{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // 11+
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // 20+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // 20+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // 11+
};
} else if (Versions.feature11Plus) {
DEFAULT_CIPHER_SUITES = new String[]
{
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // 11+
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", // 11+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // 11+
"TLS_RSA_WITH_AES_256_CBC_SHA", // 9+
};
} else { // 9+
// Fall back to the only half-decent cipher suites supported on Gingerbread.
// N.B., there appears to be *no overlap* between the ELB 2015-05 default
// suites and Gingerbread. A custom configuration is needed if moving beyond
// the 2015-03 defaults.
DEFAULT_CIPHER_SUITES = new String[]
{
// This is for Sync 1.5 on ELB 2015-03.
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
// This is for Sync 1.1.
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", // 9+
"TLS_RSA_WITH_AES_256_CBC_SHA", // 9+
};
}
if (Versions.feature16Plus) {
DEFAULT_PROTOCOLS = new String[]
{
"TLSv1.2",
"TLSv1.1",
};
} else {
// Fall back to TLSv1 if there's nothing better.
DEFAULT_PROTOCOLS = new String[]
{
"TLSv1",
};
}
}
}