feat: configure supported min TLS versions (WPB-1810) (#2193)

* fix: configure supported tls min versions * fix: configure supported tls min versions * fix: configure supported tls min versions * fix: configure supported tls min versions * Empty-Commitclear
wireapp · Nov 9, 2023 · a7c5389 · a7c5389
1 parent aa05177
commit a7c5389
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt b/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt
@@ -16,6 +16,8 @@
  * along with this program. If not, see http://www.gnu.org/licenses/.
  */
 
+@file:Suppress("MatchingDeclarationName")
+
 package com.wire.kalium.network
 
 import com.wire.kalium.network.api.base.model.ProxyCredentialsDTO
@@ -25,7 +27,9 @@ import com.wire.kalium.network.tools.isProxyRequired
 import io.ktor.client.engine.HttpClientEngine
 import io.ktor.client.engine.okhttp.OkHttp
 import okhttp3.CertificatePinner
+import okhttp3.ConnectionSpec
 import okhttp3.OkHttpClient
+import okhttp3.TlsVersion
 import java.net.Authenticator
 import java.net.InetSocketAddress
 import java.net.PasswordAuthentication
@@ -37,7 +41,7 @@ import javax.net.ssl.SSLContext
 import javax.net.ssl.TrustManager
 import javax.net.ssl.X509TrustManager
 
-private object OkHttpSingleton {
+internal object OkHttpSingleton {
     private val sharedClient = OkHttpClient.Builder().apply {
 
         // OkHttp doesn't support configuring ping intervals dynamically,
@@ -94,6 +98,8 @@ actual fun defaultHttpEngine(
             proxy(proxy)
         }
 
+        connectionSpecs(supportedConnectionSpecs())
+
     }.also {
         preconfigured = it
         webSocketFactory = KaliumWebSocketFactory(it)
@@ -115,3 +121,11 @@ private fun OkHttpClient.Builder.ignoreAllSSLErrors() {
     sslSocketFactory(insecureSocketFactory, naiveTrustManager)
     hostnameVerifier { _, _ -> true }
 }
+
+private fun supportedConnectionSpecs(): List<ConnectionSpec> {
+    val wireSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
+        .tlsVersions(TlsVersion.TLS_1_2)
+        .build()
+
+    return listOf(wireSpec, ConnectionSpec.CLEARTEXT)
+}
diff --git a/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt b/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt
@@ -0,0 +1,41 @@
+/*
+ * Wire
+ * Copyright (C) 2023 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.kalium
+
+import com.wire.kalium.network.OkHttpSingleton
+import okhttp3.ConnectionSpec
+import okhttp3.TlsVersion
+import kotlin.test.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertTrue
+
+class HttpClientConnectionSpecsTest {
+
+    @Test
+    fun givenTheHttpClientIsCreated_ThenEnsureOnlySupportedSpecsArePresent() {
+        val connectionSpecs = OkHttpSingleton.createNew {}.connectionSpecs
+        with(connectionSpecs[0]) {
+            tlsVersions?.let {
+                assertTrue(it.contains(TlsVersion.TLS_1_2) && it.contains(TlsVersion.TLS_1_3))
+                assertTrue(!it.contains(TlsVersion.TLS_1_1) && !it.contains(TlsVersion.TLS_1_0) && !it.contains(TlsVersion.SSL_3_0))
+            }
+        }
+
+        assertEquals(connectionSpecs[1], ConnectionSpec.CLEARTEXT)
+    }
+}