chore: configure and allow cipher suites (WPB-5448) (#2233)

* chore: configure and allow cipher suites * chore: use restricted tls config from ktor --------- Co-authored-by: Mohamad Jaara <[email protected]>
wireapp · Nov 17, 2023 · 21ae14c · 21ae14c
1 parent 78a0841
commit 21ae14c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 10 deletions.
diff --git a/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt b/network/src/commonJvmAndroid/kotlin/com/wire/kalium/network/HttpEngine.kt
@@ -29,7 +29,6 @@ import io.ktor.client.engine.okhttp.OkHttp
 import okhttp3.CertificatePinner
 import okhttp3.ConnectionSpec
 import okhttp3.OkHttpClient
-import okhttp3.TlsVersion
 import java.net.Authenticator
 import java.net.InetSocketAddress
 import java.net.PasswordAuthentication
@@ -51,7 +50,7 @@ internal object OkHttpSingleton {
             .connectTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
             .readTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
             .writeTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS)
-    }.build()
+    }.connectionSpecs(supportedConnectionSpecs()).build()
 
     fun createNew(block: OkHttpClient.Builder.() -> Unit): OkHttpClient {
         return sharedClient.newBuilder().apply(block).build()
@@ -98,8 +97,6 @@ actual fun defaultHttpEngine(
             proxy(proxy)
         }
 
-        connectionSpecs(supportedConnectionSpecs())
-
     }.also {
         preconfigured = it
         webSocketFactory = KaliumWebSocketFactory(it)
@@ -123,9 +120,6 @@ private fun OkHttpClient.Builder.ignoreAllSSLErrors() {
 }
 
 private fun supportedConnectionSpecs(): List<ConnectionSpec> {
-    val wireSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
-        .tlsVersions(TlsVersion.TLS_1_2)
-        .build()
-
+    val wireSpec = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS).build()
     return listOf(wireSpec, ConnectionSpec.CLEARTEXT)
 }
diff --git a/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt b/network/src/jvmTest/kotlin/com/wire/kalium/HttpClientConnectionSpecsTest.kt
@@ -18,24 +18,43 @@
 package com.wire.kalium
 
 import com.wire.kalium.network.OkHttpSingleton
+import okhttp3.CipherSuite
 import okhttp3.ConnectionSpec
 import okhttp3.TlsVersion
 import kotlin.test.Test
 import kotlin.test.assertEquals
+import kotlin.test.assertFalse
 import kotlin.test.assertTrue
 
 class HttpClientConnectionSpecsTest {
 
     @Test
+    // This test conforms to the following testing standards:
+    // @SF.Channel @TSFI.RESTfulAPI @S0.2 @S0.3 @S3
     fun givenTheHttpClientIsCreated_ThenEnsureOnlySupportedSpecsArePresent() {
         val connectionSpecs = OkHttpSingleton.createNew {}.connectionSpecs
         with(connectionSpecs[0]) {
             tlsVersions?.let {
-                assertTrue(it.contains(TlsVersion.TLS_1_2) && it.contains(TlsVersion.TLS_1_3))
-                assertTrue(!it.contains(TlsVersion.TLS_1_1) && !it.contains(TlsVersion.TLS_1_0) && !it.contains(TlsVersion.SSL_3_0))
+                assertTrue { validTlsVersions.containsAll(it) }
+                assertFalse { notValidTlsVersions.containsAll(it) }
+            }
+
+            cipherSuites?.let {
+                assertTrue { it.containsAll(validCipherSuites) }
             }
         }
 
         assertEquals(connectionSpecs[1], ConnectionSpec.CLEARTEXT)
     }
+
+    private companion object {
+        val validTlsVersions = listOf(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
+        val notValidTlsVersions = listOf(TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+
+        val validCipherSuites = listOf(
+            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+            CipherSuite.TLS_AES_128_GCM_SHA256,
+            CipherSuite.TLS_AES_256_GCM_SHA384
+        )
+    }
 }