SSL cipher configuration via SSLEngine
Created by: gdaniels
When trying to use AndroidAsync to talk to a secure websocket server, I ran into an issue where the client on Android 4.4 (both on my phone and an emulator) was advertising a set of only 15 cipher suites - all of which were too insecure for the server. After some poking around with SSLContext/SSLEngine I saw there were actually 27 supported cipher suites, many of which were much more acceptable, but for some reason the default set kept reverting to the 15 I originally saw.
I knew about SSLSocket.setEnabledCipherSuites()
, but that didn't help with NIO libraries like AndroidAsync. Tried various combinations of SSLParameters.setCipherSuites()
(with parameters from sslContext.getDefaultSSLParameters()
and sslContext.getSupportedSSLParameters()
) but no dice. What DID eventually work was trying another websockets library which let me pass in a custom SSLEngine (setEnabledCipherSuites()
did the trick). But I like AndroidAsync's API and wanted to get it working - and couldn't see a way to touch the internal SSLEngine.
So I forked AndroidAsync, and implemented a quick way to get at the SSLEngine during initialization. To wit:
public interface AsyncSSLEngineConfigurator {
public void configureEngine(SSLEngine engine);
}
I added one of these to AsyncSSLSocketMiddleware as a settable field, and that passes it down into the constructor of AsyncSSLSocketWrapper. If it's there, we pass off the created SSLEngine to the configurator just after it's built, so that extension code can control things like the enabled cipher suites. This works like a charm.
Does this seem like a reasonable way to get this done? Or is there some other way to affect the enabled cipher suites that doesn't require access to the SSLEngine? If this does seem like a sane idea, I'll PR it.
Thanks!