Merge pull request #421 from silkimen/feat/#420-implement-blacklist-to-disable-TLS-protocols-on-Android

silkimen · web-flow · commit d077d02062a3 · 2021-07-15T14:35:24.000+02:00
feat: #420 implement blacklist to disable unsafe SSL/TLS protocol ver…
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 3.2.0
+
+- Feature #420: implement blacklist feature to disable SSL/TLS versions on Android (thanks to @MobisysGmbH)
+
 ## 3.1.1
 
 - Fixed #372: malformed empty multipart request on Android
diff --git a/README.md b/README.md
@@ -34,6 +34,15 @@ phonegap plugin add cordova-plugin-advanced-http
 cordova plugin add cordova-plugin-advanced-http
 ```
 
+### Plugin Preferences
+
+`AndroidBlacklistSecureSocketProtocols`: define a blacklist of secure socket protocols for Android. This preference allows you to disable protocols which are considered unsafe. You need to provide a comma-separated list of protocols ([check Android SSLSocket#protocols docu for protocol names](https://developer.android.com/reference/javax/net/ssl/SSLSocket#protocols)).
+
+e.g. blacklist `SSLv3` and `TLSv1`:
+```xml
+<preference name="AndroidBlacklistSecureSocketProtocols" value="SSLv3,TLSv1" />
+```
+
 ## Usage
 
 ### Plain Cordova
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cordova-plugin-advanced-http",
-  "version": "3.1.1",
+  "version": "3.2.0",
   "description": "Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning",
   "scripts": {
     "updatecert": "node ./scripts/update-e2e-server-cert.js && node ./scripts/update-e2e-client-cert.js",
diff --git a/plugin.xml b/plugin.xml
@@ -8,6 +8,7 @@
     <engine name="cordova" version=">=4.0.0"/>
   </engines>
   <dependency id="cordova-plugin-file" version=">=2.0.0"/>
+  <preference name="AndroidBlacklistSecureSocketProtocols" default="SSLv3,TLSv1"/>
   <js-module src="www/cookie-handler.js" name="cookie-handler"/>
   <js-module src="www/dependency-validator.js" name="dependency-validator"/>
   <js-module src="www/error-codes.js" name="error-codes"/>
diff --git a/src/android/com/silkimen/cordovahttp/CordovaHttpPlugin.java b/src/android/com/silkimen/cordovahttp/CordovaHttpPlugin.java
@@ -47,6 +47,13 @@ public void initialize(CordovaInterface cordova, CordovaWebView webView) {
 
       this.tlsConfiguration.setHostnameVerifier(null);
       this.tlsConfiguration.setTrustManagers(tmf.getTrustManagers());
+
+      if (this.preferences.contains("androidblacklistsecuresocketprotocols")) {
+        this.tlsConfiguration.setBlacklistedProtocols(
+          this.preferences.getString("androidblacklistsecuresocketprotocols", "").split(",")
+        );
+      }
+
     } catch (Exception e) {
       Log.e(TAG, "An error occured while loading system's CA certificates", e);
     }
diff --git a/src/android/com/silkimen/http/TLSConfiguration.java b/src/android/com/silkimen/http/TLSConfiguration.java
@@ -13,9 +13,10 @@
 import com.silkimen.http.TLSSocketFactory;
 
 public class TLSConfiguration {
-  private TrustManager[] trustManagers;
-  private KeyManager[] keyManagers;
-  private HostnameVerifier hostnameVerifier;
+  private TrustManager[] trustManagers = null;
+  private KeyManager[] keyManagers = null;
+  private HostnameVerifier hostnameVerifier = null;
+  private String[] blacklistedProtocols = {};
 
   private SSLSocketFactory socketFactory;
 
@@ -33,6 +34,11 @@ public void setTrustManagers(TrustManager[] trustManagers) {
     this.socketFactory = null;
   }
 
+  public void setBlacklistedProtocols(String[] protocols) {
+    this.blacklistedProtocols = protocols;
+    this.socketFactory = null;
+  }
+
   public HostnameVerifier getHostnameVerifier() {
     return this.hostnameVerifier;
   }
@@ -46,12 +52,7 @@ public SSLSocketFactory getTLSSocketFactory() throws IOException {
       SSLContext context = SSLContext.getInstance("TLS");
 
       context.init(this.keyManagers, this.trustManagers, new SecureRandom());
-
-      if (android.os.Build.VERSION.SDK_INT < 20) {
-        this.socketFactory = new TLSSocketFactory(context);
-      } else {
-        this.socketFactory = context.getSocketFactory();
-      }
+      this.socketFactory = new TLSSocketFactory(context, this.blacklistedProtocols);
 
       return this.socketFactory;
     } catch (GeneralSecurityException e) {
diff --git a/src/android/com/silkimen/http/TLSSocketFactory.java b/src/android/com/silkimen/http/TLSSocketFactory.java
@@ -5,16 +5,21 @@
 import java.net.Socket;
 import java.net.UnknownHostException;
 
+import java.util.Arrays;
+import java.util.stream.Stream;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 public class TLSSocketFactory extends SSLSocketFactory {
 
   private SSLSocketFactory delegate;
+  private String[] blacklistedProtocols;
 
-  public TLSSocketFactory(SSLContext context) {
-    delegate = context.getSocketFactory();
+  public TLSSocketFactory(SSLContext context, String[] blacklistedProtocols) {
+    this.delegate = context.getSocketFactory();
+    this.blacklistedProtocols = Arrays.stream(blacklistedProtocols).map(String::trim).toArray(String[]::new);
   }
 
   @Override
@@ -55,9 +60,18 @@ public Socket createSocket(InetAddress address, int port, InetAddress localAddre
   }
 
   private Socket enableTLSOnSocket(Socket socket) {
-    if (socket != null && (socket instanceof SSLSocket)) {
-      ((SSLSocket) socket).setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" });
+    if (socket == null || !(socket instanceof SSLSocket)) {
+      return socket;
     }
+
+    String[] supported = ((SSLSocket) socket).getSupportedProtocols();
+
+    String[] filtered = Arrays.stream(supported).filter(
+      val -> Arrays.stream(this.blacklistedProtocols).noneMatch(val::equals)
+    ).toArray(String[]::new);
+
+    ((SSLSocket) socket).setEnabledProtocols(filtered);
+
     return socket;
   }
 }
diff --git a/test/e2e-app-template/config.xml b/test/e2e-app-template/config.xml
@@ -27,4 +27,5 @@
         <allow-intent href="itms-apps:*" />
     </platform>
     <preference name="AndroidPersistentFileLocation" value="Internal" />
+    <preference name="AndroidBlacklistSecureSocketProtocols" value="SSLv3,TLSv1" />
 </widget>
diff --git a/test/e2e-specs.js b/test/e2e-specs.js
@@ -104,9 +104,13 @@ const helpers = {
 
     return buffer;
   },
+  isTlsBlacklistSupported: function () {
+    return window.cordova && window.cordova.platformId === 'android';
+  }
 };
 
 const messageFactory = {
+  handshakeFailed: function() { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: Handshake failed' },
   sslTrustAnchor: function () { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.' },
   invalidCertificate: function (domain) { return 'The certificate for this server is invalid. You might be connecting to a server that is pretending to be “' + domain + '” which could put your confidential information at risk.' }
 }
@@ -1014,8 +1018,7 @@ const tests = [
     before: helpers.setRawSerializer,
     func: function (resolve, reject, skip) {
       if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
       }
 
       var targetUrl = 'http://httpbin.org/post';
@@ -1036,8 +1039,7 @@ const tests = [
     expected: 'rejected: {"status":-8, "error": "Request ...}',
     func: function (resolve, reject, skip) {
       if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
       }
       var url = 'https://httpbin.org/drip?duration=2&numbytes=10&code=200';
       var options = { method: 'get', responseType: 'blob' };
@@ -1064,8 +1066,7 @@ const tests = [
     expected: 'rejected: {"status":-8, "error": "Request ...}',
     func: function (resolve, reject, skip) {
       if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
       }
       var sourceUrl = 'http://httpbin.org/xml';
       var targetPath = cordova.file.cacheDirectory + 'test.xml';
@@ -1097,8 +1098,7 @@ const tests = [
     expected: 'rejected: {"status":-8, "error": "Request ...}',
     func: function (resolve, reject, skip) {
       if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
       }
 
 
@@ -1148,6 +1148,21 @@ const tests = [
       }
     }
   },
+  {
+    description: 'should reject connecting to server with blacklisted SSL version #420',
+    expected: 'rejected: {"status":-2, ...',
+    func: function (resolve, reject, skip) {
+      if (!helpers.isTlsBlacklistSupported()) {
+        return skip();
+      }
+
+      cordova.plugin.http.get('https://tls-v1-0.badssl.com:1010/', {}, {}, resolve, reject);
+    },
+    validationFunc: function (driver, result) {
+      result.type.should.be.equal('rejected');
+      result.data.should.be.eql({ status: -2, error: messageFactory.handshakeFailed() });
+    }
+  },
 ];
 
 if (typeof module !== 'undefined' && module.exports) {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cordova-plugin-advanced-http",`
`3`		`- "version": "3.1.1",`
	`3`	`+ "version": "3.2.0",`
`4`	`4`	`"description": "Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning",`
`5`	`5`	`"scripts": {`
`6`	`6`	`"updatecert": "node ./scripts/update-e2e-server-cert.js && node ./scripts/update-e2e-client-cert.js",`