Commit 2ab42198 authored by Neil Fuller's avatar Neil Fuller
Browse files

Tidy up HttpsHandler / HttpHandler and change defaults

OkHttp was recently upgraded in AOSP. This is a tidy
up change to correct some defaults and improve documentation
of Android settings.

Besides better docs this change mostly focuses on
ConnectionSpecs.

OkHttp now has a set of default ConnectionSpecs. ConnectionSpecs
control TLS version and cipher suite selection during connection
negotiations.

The defaults are not what we want on Android:

Historically, it looks like we don't want HttpsURLConnection
being redirected to http:// addresses, and HttpURLConnections
being redirected to https://. This means that we can
exclude any TLS-based ConnectionSpecs from HttpHandler, and
cleartext-based ConnectionSpecs from HttpsHandler making that
choice even more explicit.

TLS versions:

The upgrade effectively had a side-effect of disabling SSLv3
in all cases. On Android we disable SSLv3 in the default socket
factory (getEnabledProtocols()), but it is still supported on
the socket (getSupportedProtocols()).

In the L release, OkHttp would use the default TLS versions
for the initial connection and SSLv3 only for the fallback
(i.e. with the default socket factory it would turn it back on
for the fallback connection).

This change allows for applications that may need to use SSLv3.
SSLv3 will only be used if there is an installed socket factory
that enables it by default.

There should be a future change coming to upstream that will
further alter this behavior because OkHttp will still make
multiple attempts to connect when it knows it won't work.

Ciphers:

OkHttp is opinionated about the cipher suites to enable
on a socket. On Android, we want the SocketFactory to determine
the set of acceptable ciphers and we should just use the default
enabled set (because the default set may be better than the
set known when the device shipped, e.g. the socket factory may
come from GMS or installed by an app and therefore provide better
ciphers or disable ones that have found to be broken).

This change fixes two failing tests in
libcore.java.net.URLConnectionTest due to the TLS version
changes.

Change-Id: Iefc77746695b307a1222faf336d9d6452e974810
parent e78f117b
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment