chore: configure and allow cipher suites (WPB-5448)

network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt

@@ -27,6 +27,9 @@ import com.wire.kalium.network.tools.isProxyRequired
 import io.ktor.client.engine.HttpClientEngine
 import io.ktor.client.engine.okhttp.OkHttp
 import okhttp3.CertificatePinner
+import okhttp3.CipherSuite.Companion.TLS_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_AES_256_GCM_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 import okhttp3.ConnectionSpec
 import okhttp3.OkHttpClient
 import okhttp3.TlsVersion
@@ -51,7 +54,7 @@ internal object OkHttpSingleton {
             .connectTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
             .readTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
             .writeTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
-    }.build()
+    }.connectionSpecs(supportedConnectionSpecs()).build()
 
     fun createNew(block: OkHttpClient.Builder.() -> Unit): OkHttpClient {
         return sharedClient.newBuilder().apply(block).build()
@@ -98,8 +101,6 @@ actual fun defaultHttpEngine(
             proxy(proxy)
         }
 
-        connectionSpecs(supportedConnectionSpecs())
-
     }.also {
         preconfigured = it
         webSocketFactory = KaliumWebSocketFactory(it)
@@ -125,6 +126,11 @@ private fun OkHttpClient.Builder.ignoreAllSSLErrors() {
 private fun supportedConnectionSpecs(): List<ConnectionSpec> {
     val wireSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
         .tlsVersions(TlsVersion.TLS_1_2)
+        .cipherSuites(
+            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+            TLS_AES_128_GCM_SHA256,
+            TLS_AES_256_GCM_SHA384
+        )
         .build()
 
     return listOf(wireSpec, ConnectionSpec.CLEARTEXT)

network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt

@@ -18,24 +18,81 @@
 package com.wire.kalium
 
 import com.wire.kalium.network.OkHttpSingleton
+import okhttp3.CipherSuite
+import okhttp3.CipherSuite.Companion.TLS_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+import okhttp3.CipherSuite.Companion.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_3DES_EDE_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_CBC_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_128_GCM_SHA256
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_256_CBC_SHA
+import okhttp3.CipherSuite.Companion.TLS_RSA_WITH_AES_256_GCM_SHA384
 import okhttp3.ConnectionSpec
 import okhttp3.TlsVersion
 import kotlin.test.Test
 import kotlin.test.assertEquals
+import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 
 class HttpClientConnectionSpecsTest {
 
     @Test
+    // This test conforms to the following testing standards:
+    // @SF.Channel @TSFI.RESTfulAPI @S0.2 @S0.3 @S3
     fun givenTheHttpClientIsCreated_ThenEnsureOnlySupportedSpecsArePresent() {
         val connectionSpecs = OkHttpSingleton.createNew {}.connectionSpecs
         with(connectionSpecs[0]) {
             tlsVersions?.let {
-                assertTrue(it.contains(TlsVersion.TLS_1_2) && it.contains(TlsVersion.TLS_1_3))
-                assertTrue(!it.contains(TlsVersion.TLS_1_1) && !it.contains(TlsVersion.TLS_1_0) && !it.contains(TlsVersion.SSL_3_0))
+                assertTrue { validTlsVersions.containsAll(it) }
+                assertFalse { notValidTlsVersions.containsAll(it) }
+            }
+
+            cipherSuites?.let {
+                assertTrue { validCipherSuites.containsAll(it) }
+                assertFalse { notValidCipherSuites.containsAll(it) }
             }
         }
 
         assertEquals(connectionSpecs[1], ConnectionSpec.CLEARTEXT)
     }
+
+    private companion object {
+        val validTlsVersions = listOf(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
+        val notValidTlsVersions = listOf(TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+
+        val notValidCipherSuites = listOf(
+            TLS_CHACHA20_POLY1305_SHA256,
+            TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+            TLS_RSA_WITH_AES_128_CBC_SHA256,
+            TLS_RSA_WITH_AES_128_CBC_SHA,
+            TLS_RSA_WITH_AES_128_GCM_SHA256,
+            TLS_RSA_WITH_AES_256_CBC_SHA,
+            TLS_RSA_WITH_AES_256_GCM_SHA384,
+            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+            TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+            TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+            TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+        )
+
+        val validCipherSuites = listOf(
+            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+            CipherSuite.TLS_AES_128_GCM_SHA256,
+            CipherSuite.TLS_AES_256_GCM_SHA384
+        )
+    }
 }