Commit 0e3348c2 authored by Ricki Hirner's avatar Ricki Hirner 🐑

Exception handling, verbose TLS logs

* handle IllegalArgumentException in Tasks provider (show LocalStorageException notification) (closes #601)
* add more verbose TLS cipher logs (see #608)
parent 65307f9d
......@@ -378,7 +378,7 @@ public abstract class LocalCollection<T extends Resource> {
affected = 1;
Log.d(TAG, "... " + affected + " record(s) affected");
pendingOperations.clear();
} catch(OperationApplicationException | RemoteException ex) {
} catch(IllegalArgumentException|OperationApplicationException|RemoteException ex) {
throw new LocalStorageException(ex);
}
return affected;
......
......@@ -55,9 +55,9 @@ public class TlsSniSocketFactory extends SSLConnectionSocketFactory {
Log.v(TAG, "Setting allowed TLS protocols: " + StringUtils.join(protocols, ", "));
TlsSniSocketFactory.protocols = protocols.toArray(new String[protocols.size()]);
/* set reasonable cipher suites */
/* set up reasonable cipher suites */
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
// choose secure cipher suites
// choose known secure cipher suites
List<String> allowedCiphers = Arrays.asList(
// TLS 1.2
"TLS_RSA_WITH_AES_256_GCM_SHA384",
......@@ -78,19 +78,23 @@ public class TlsSniSocketFactory extends SSLConnectionSocketFactory {
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());
Log.v(TAG, "Available cipher suites: " + StringUtils.join(availableCiphers, ", "));
Log.v(TAG, "Cipher suites enabled by default: " + StringUtils.join(socket.getEnabledCipherSuites(), ", "));
// preferred ciphers = allowed Ciphers \ availableCiphers
// take all allowed ciphers that are available and put them into preferredCiphers
HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers);
preferredCiphers.retainAll(availableCiphers);
/* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling
* ciphers which are enabled by default, but have become unsecure), but I guess for
* the security level of DAVdroid and maximum compatibility, disabling of insecure
* ciphers should be a server-side task */
// add preferred ciphers to enabled ciphers
// for maximum security, preferred ciphers should *replace* enabled ciphers,
// but I guess for the security level of DAVdroid, disabling of insecure
// ciphers should be a server-side task
HashSet<String> enabledCiphers = preferredCiphers;
enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));
Log.v(TAG, "Setting allowed TLS ciphers: " + StringUtils.join(enabledCiphers, ", "));
Log.v(TAG, "Enabling (only) those TLS ciphers: " + StringUtils.join(enabledCiphers, ", "));
TlsSniSocketFactory.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);
}
} catch (IOException e) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment