Support for TLS Extensions enabled SSLSockets with fallback to vanilla SSL
See also b/1569612
Summary:
- OpenSSLSocket support for SNI, session tickets, compression
- URLConnection mimics Chrome behavior of trying connection with these enabled,
falling back to SSL w/o encryption on failure
Details:
libcore
URLConnection https retry
Change HttpConnection.getSecureSocket to enable non-standard features on first
connection attempt. On second attempt, we back off to SSLv3 from
TLSv1, mimicking Chrome's behavior.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Change HttpsEngine.connect to implement SSL reconnect
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
OpenSSL SSLSocket implementation
OpenSSLSocketImpl and OpenSSLServerSocketImpl now have an array of
enabled compression methods interface and implementation to
parallel that of protocols and ciphersuites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
OpenSSLSessionImpl now has a cache of the native
compressionMethod. Since null is allowed, we default the cache to
a different sentinel value, the empty string, to determine if we
have to make the JNI call to fill in the value. Also replaced
"gives" javadoc wording with "returns".
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
OpenSSLSocketImpl session caching now needs to skip cached
sessions with mismatched compression requirements. Again the fact
that null is an allowed special case makes it slightly different
than the existing protocol and cipher suite code path.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
OpenSSLSocketImpl.startHandshake now uses NativeCrypto to support
our non-standard extensions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
NativeCrypto changes
- Added declaration of SSL options for tickets and compression.
- Added general "compression methods" interface
paralleling "cipher suites" and "protocols" interfaces. Primary
difference is that an empty array, signifying no compression
desired, is allowed. Alternative would be to require a "NULL"
compression method to be specified.
- Added SSL_set_tlsext_host_name to set SNI (Server Name Indication) value
- Added SSL_get_servername to read SNI (Server Name Indication) value
- Added SSL_SESSION_compress_meth to read negotiated compression method
- SSL_new makes sure to default compression to off for compatibility
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Testing
Added URLConnectionTest.testConnectViaHttpsWithSSLFallback to make
sure we properly retry an https connection if the server
terminates unexpectedly. Fixed up
URLConnectionTest.testHttpsWithCustomTrustManager with new
expected certificate chain. Fixed a few mistaken
TestSSLContext.serverContext uses to clientContext.
luni/src/test/java/java/net/URLConnectionTest.java
Added test_SSL_set_tlsext_host_name, test_SSL_get_servername,
test_SSL_SESSION_compress_meth. Added a number of missing fail()
calls in expected exception cases which caught one test with
mistaken expectations. Removed some unnecessary scopes. Fixed some
badly scoped catch blocks.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Changed MockWebServer to support a new MockResponse property of
disconnectAtStart, which immediately terminates the connection
support/src/test/java/tests/http/MockResponse.java
support/src/test/java/tests/http/MockWebServer.java
external/openssl
Restore -ZLIB to OpenSSL build. Note that NativeCrypto.SSL_new
disables compression by default for SSLSocket for compatibility.
android-config.mk
Force clean build with new CFLAGS
CleanSpec.mk
Change-Id: Ic8158c7e7ffafdb70f8897b04a861849cb9ac1d7
2 files changed
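As an added illustration of the retry described under "URLConnection https retry" and exercised by testConnectViaHttpsWithSSLFallback, here is a standalone client helper written against standard JSSE; it is not the commit's OpenSSLSocketImpl code. The class and method names (FallbackConnect, isTrustFailure) are hypothetical, SNI control assumes Java 8+, and runtimes that disable SSLv3 will refuse the retry.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical helper: first attempt with TLS extensions, one plain retry. */
public final class FallbackConnect {
    private static final SSLSocketFactory FACTORY = (SSLSocketFactory) SSLSocketFactory.getDefault();

    /** Returns a handshaken socket, retrying once without extensions on abrupt failure. */
    public static SSLSocket connect(String host, int port) throws IOException {
        try {
            return handshake(host, port, true);
        } catch (IOException first) {
            // Never retry past a certificate/trust failure: the fallback is for servers
            // that drop connections on unknown extensions, not for relaxing verification
            // (retrying here would be an attacker-triggerable downgrade).
            if (isTrustFailure(first)) throw first;
            return handshake(host, port, false);
        }
    }

    private static SSLSocket handshake(String host, int port, boolean extensions) throws IOException {
        SSLSocket s = (SSLSocket) FACTORY.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        if (extensions) {
            s.setEnabledProtocols(new String[] {"TLSv1"});
            // SNI via SSLParameters (Java 8+); session tickets and compression have
            // no per-socket switch in standard JSSE, unlike the commit's OpenSSL path.
            p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        } else {
            s.setEnabledProtocols(new String[] {"SSLv3"}); // disabled on modern runtimes
            p.setServerNames(Collections.<SNIServerName>emptyList()); // retry sends no SNI
        }
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    /** True if any cause in the chain is a certificate validation failure. */
    static boolean isTrustFailure(Throwable e) {
        for (Throwable t = e; t != null; t = t.getCause())
            if (t instanceof CertificateException) return true;
        return false;
    }
}
```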