diff --git a/okhttp/src/main/java/okhttp3/CipherSuite.java b/okhttp/src/main/java/okhttp3/CipherSuite.java index a71ddc5ed..cf8f3a9c7 100644 --- a/okhttp/src/main/java/okhttp3/CipherSuite.java +++ b/okhttp/src/main/java/okhttp3/CipherSuite.java @@ -29,10 +29,16 @@ import java.util.TreeMap; *
Not all cipher suites are supported on all platforms. As newer cipher suites * are created (for stronger privacy, better performance, etc.) they will be adopted by the platform * and then exposed here. Cipher suites that are not available on either Android (through API level - * 20) or Java (through JDK 8) are omitted for brevity. + * 24) or Java (through JDK 9) are omitted for brevity. * - *
See also NativeCrypto.java - * from conscrypt, which lists the cipher suites supported by Android. + *
See Android SSLEngine + * which lists the cipher suites supported by Android. + * + *
See JDK 9 Providers + * which lists the cipher suites supported by Oracle. + * + *
See NativeCrypto.java + * from conscrypt, which lists the cipher suites supported by Conscrypt. */ public final class CipherSuite { /** @@ -385,7 +391,7 @@ public final class CipherSuite { public static final CipherSuite TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xcca9); // public static final CipherSuite TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 0xccaa); // public static final CipherSuite TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", 0xccab); - // public static final CipherSuite TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 0xccac); + public static final CipherSuite TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 0xccac); // public static final CipherSuite TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 0xccad); // public static final CipherSuite TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = of("TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", 0xccae); diff --git a/okhttp/src/main/java/okhttp3/ConnectionSpec.java b/okhttp/src/main/java/okhttp3/ConnectionSpec.java index d81a5a5e7..a2f2a627b 100644 --- a/okhttp/src/main/java/okhttp3/ConnectionSpec.java +++ b/okhttp/src/main/java/okhttp3/ConnectionSpec.java 
@@ -40,6 +40,16 @@ import static okhttp3.internal.Util.nonEmptyIntersection;
*/
public final class ConnectionSpec {
+ // Most secure but generally supported list.
+ private static final CipherSuite[] RESTRICTED_CIPHER_SUITES = new CipherSuite[] {
+ CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ };
+
// This is nearly equal to the cipher suites supported in Chrome 51, current as of 2016-05-25.
// All of these suites are available on Android 7.0; earlier releases support a subset of these
// suites. https://github.com/square/okhttp/issues/1972
@@ -63,6 +73,13 @@ public final class ConnectionSpec {
CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
};
+ /** A secure TLS connection assuming a modern client platform and server. */
+ public static final ConnectionSpec RESTRICTED_TLS = new Builder(true)
+ .cipherSuites(RESTRICTED_CIPHER_SUITES)
+ .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
+ .supportsTlsExtensions(true)
+ .build();
+
/** A modern TLS connection with extensions like SNI and ALPN available. */
public static final ConnectionSpec MODERN_TLS = new Builder(true)
.cipherSuites(APPROVED_CIPHER_SUITES)
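Review bot: RESTRICTED_CIPHER_SUITES lists only TLS 1.2 ECDHE suites, while RESTRICTED_TLS in the second hunk enables TlsVersion.TLS_1_3; TLS 1.3 uses separate suite names (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256), and on platforms where the enabled-suite list gates version negotiation (JSSE behaves this way, as far as I know) TLS 1.3 could never be selected and the spec would quietly settle on 1.2. If CipherSuite already defines those constants they belong at the head of this array; if not, the omission should be stated rather than left implicit, e.g. `// TLS 1.3 suites are not listed; whether TLS 1.3 is negotiated depends on the platform enabling them on its own.` The one-line comment `// Most secure but generally supported list.` also under-explains the selection criterion; `// ECDHE key exchange with AEAD ciphers only: forward secrecy, no CBC or RSA-key-exchange suites.` says what is actually being restricted.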
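Review bot: The Javadoc on RESTRICTED_TLS tells a caller only that it "assumes a modern client platform and server", not what is required or what happens when the assumption fails, which matters because a client that lists this spec alone cannot reach any server lacking one of the six suites. Suggest `/** A secure TLS connection requiring TLS 1.2 or 1.3 with ECDHE key exchange and AEAD ciphers only (see RESTRICTED_CIPHER_SUITES). Servers that support none of these suites cannot be reached unless a broader spec such as MODERN_TLS is also configured as a fallback. */`. Whether the handshake actually fails or falls back depends on the connection-spec list the client is built with, which is outside this hunk, so the doc should point callers there rather than promise either outcome.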