path: root/luni/src/main/java/javax/net
Commit message | Author | Age | Files | Lines
* Mark deprecated ciphers visually | Kenny Root | 2015-06-12 | 2 | -146/+162
    To make it easier to spot non-deprecated ciphers in the sea of deprecated ciphers, try to visually distinguish it with CSS styling.
    Bug: 21522548
    Change-Id: I802024a3c33f0da394163c393ebd45a3d0bf75d0
* Update offered ciphers | Kenny Root | 2015-06-04 | 2 | -102/+102
    Dropped support for non-ephemeral Diffie-Hellman cipher suites, anonymous authentication, some DES cipher suites, and export cipher suites.
    Bug: 21522548
    Change-Id: Ie2048d303890935969cc7c1ac7bc9d93705c7a90
* Replace hyphen with en dash | Kenny Root | 2015-06-03 | 2 | -112/+112
    Since this is a number range, the appropriate punctuation is actually en dash.
    (cherry picked from commit 814e15db27ab930f59c8e6731b901a6c82b8e262)
    Bug: 21522548
    Change-Id: I99fe4c3a45b2df00671af4b6b82b21aa2c265820
* Reflect removal of DSS cipher suites in Javadocs. | Alex Klyubin | 2015-03-12 | 2 | -31/+29
    Now that Android 5.1 (API Level 22) is out, Javadocs can mention that DSS TLS/SSL cipher suites were removed after API Level 22. See fef7818155899c092e6741de049fb7601dfcaf73.
    Bug: 17409664
    Change-Id: Ibd9da7d3056358492f25695f4949e460f1c98d48
* Use okhttp's OkHostnameVerifier as the default. | Alex Klyubin | 2014-12-04 | 2 | -203/+10
    Prior to this change, okhttp's OkHostnameVerifier was used by default for HttpsURLConnection instances unless changed via HttpsURLConnection.setDefaultHostnameVerifier. However, HttpsURLConnection.getDefaultHostnameVerifier by default returned a different HostnameVerifier -- DefaultHostnameVerifier from libcore.
    This CL fixes this discrepancy by getting rid of libcore's DefaultHostnameVerifier and making HttpsURLConnection.getDefaultHostnameVerifier return okhttp's OkHostnameVerifier by default.
    Bug: 18481199
    Change-Id: I2ba83251f6b76b0c6c7fdccb73a10965c60e1ebe
* CTS tests for the platform-default HostnameVerifier. | Alex Klyubin | 2014-11-24 | 1 | -2/+3
    This repurposes tests for DefaultHostnameVerifier class to test the platform-default HostnameVerifier (as provided by HttpsURLConnection.getDefaultHostnameVerifier()). This is to ensure that its contract remains stable and tested, regardless of which implementation is used by default.
    Bug: 18481199
    Change-Id: Iaaf2f2274f8412eca2544d1e62c2523028914e07
* Adjust tests for removal of DSS TLS/SSL cipher suites. | Alex Klyubin | 2014-11-17 | 2 | -0/+2
    This is in preparation for migration from OpenSSL to BoringSSL. BoringSSL does not support DSS.
    Bug: 17409664
    Change-Id: I6b2ac5f7c7b9c41416650cdbdce2deed03372f49
* Remove workaround for *.clients.google.com hostname verification. | Alex Klyubin | 2014-11-10 | 1 | -4/+1
    This removes the workaround for TLS/SSL server certificate presented by android.clients.google.com without Server Name Indication (SNI) not matching android.clients.google.com (8576f309825e23add080f2a50345ec1884939c39).
    This type of service/provider-specific workaround does not belong in the core library. Applications relying on this workaround will now need to use SNI or a custom HostnameVerifier.
    Bug: 5426333
    Change-Id: I4e9b887358eefc73d3cd6a7f6f9a6aacebbfa12e
* am e6a6e935: Add support for TLS_FALLBACK_SCSV | Kenny Root | 2014-10-06 | 2 | -0/+10
|\
    * commit 'e6a6e935e98f426c7000b2bf4086f87101f4441c': Add support for TLS_FALLBACK_SCSV
| * Add support for TLS_FALLBACK_SCSV | Kenny Root | 2014-10-06 | 2 | -0/+10
    Bug: 17750026
    Change-Id: I8dec89ae59a6f745f63120b11b4f6dbe9b21a139
* | am 3a025d3d: Merge "Enable hostname verification for absolute hostnames." | Kenny Root | 2014-09-30 | 1 | -0/+8
|\ \
    * commit '3a025d3db9334bab5e1e80da7c69a5f69cdd2f84': Enable hostname verification for absolute hostnames.
| * \ Merge "Enable hostname verification for absolute hostnames." | Kenny Root | 2014-09-30 | 1 | -0/+8
| |\ \
| | * | Enable hostname verification for absolute hostnames. | Alex Klyubin | 2014-09-17 | 1 | -0/+8
    This makes the DefaultHostnameVerifier (the platform default HostnameVerifier) match relative hostname patterns from CN and DNS SubjectAltNames fields of TLS/SSL server certificates against absolute hostnames. Absolute hostname patterns will still never match relative hostnames because it is not known to what absolute name a relative name was resolved by DNS.
    For example, if hostname is "www.android.com." and server certificate is for "www.android.com", hostname verification will now pass. Whereas, if hostname is "www.android.com" and server certificate is for "www.android.com.", hostname verification will still fail.
    All of this is needed because server certificates do not normally contain absolute hostnames or hostname patterns. At the same time, connections via absolute hostnames should be supported and even preferred in most cases, to avoid DNS search suffixes being added.
    Bug: 17482685
    Change-Id: I3f2006fa1110004b18ce627675334d2a54805c7a
* | | | am 76d38635: Merge "Reject wildcard certs for single-label domain names." | Kenny Root | 2014-09-30 | 1 | -0/+27
|\ \ \ \
| |/ / /
| | | /
| |_|/
|/| |
    * commit '76d38635d9eb6b03251913a993f038da1a3759bc': Reject wildcard certs for single-label domain names.
| * | Reject wildcard certs for single-label domain names. | Alex Klyubin | 2014-09-24 | 1 | -0/+27
| |/
    Rejecting wildcard certs for two- (e.g., *.com) or three-label (e.g., *.co.uk) domain name patterns requires having a frequently updated Prefix Suffix List.
    Bug: 17552202
    Change-Id: Iecd1dc8e22a51f4d779821094c5f55b310171a74
| * Merge "SSLSocketFactory: don't reload the default if class name is same" | Kenny Root | 2014-07-24 | 1 | -20/+30
| |\
| | * SSLSocketFactory: don't reload the default if class name is same | Kenny Root | 2014-07-23 | 1 | -20/+30
    Don't bother to reload the default SocketFactory if the requested classname didn't change since the last time.
    Also make the warning when classloading fails more terse. Most of the time the ClassLoader is wrong, so giving them a hint via ClassLoader#toString is sufficient.
    Bug: 16468683
    Change-Id: I36844e942ccadda993c9f5a1523b2a66280903f3
* | | Reinstate the workaround for android.clients.google.com. | Alex Klyubin | 2014-07-31 | 1 | -1/+4
    Apps still depend on this because the platform cannot guarantee that SNI is used.
    Bug: 5426333
    Bug: 16635883
    Change-Id: I4fd2090c681e814d7caeb1f94aa3604bc2ddd77c
* | | | | am 98701d71: Merge "Add a way to get all values of an attribute of DN." into lmp-dev | Alex Klyubin | 2014-07-25 | 1 | -0/+70
|\ \ \
    * commit '98701d71d629b425cb03423708130b384bc88bbe': Add a way to get all values of an attribute of DN.
| * \ \ Merge "Add a way to get all values of an attribute of DN." into lmp-dev | Alex Klyubin | 2014-07-24 | 1 | -0/+70
| |\ \ \
| | * | | Add a way to get all values of an attribute of DN. | Alex Klyubin | 2014-07-24 | 1 | -0/+70
    This is needed to switch Apache HTTP hostname verification from its own Distinguished Name (DN) parsing code to this library's DistinguishedNameParser.
    Bug: 16510257
    Change-Id: Iedd27cec162167dad11a4fe477d4eaa3eba004b7
* | | | | | am fa7f9bad: SSLSocketFactory: don't reload the default if class name is same | Kenny Root | 2014-07-25 | 1 | -20/+30
|\ \ \ \ \
| |/ / / /
| | | / /
| |_|/ /
|/| | |
    * commit 'fa7f9bad0ae25224a366828c538bd1f0c179b56b': SSLSocketFactory: don't reload the default if class name is same
| * | | SSLSocketFactory: don't reload the default if class name is same | Kenny Root | 2014-07-25 | 1 | -20/+30
| |/ /
    Don't bother to reload the default SocketFactory if the requested classname didn't change since the last time.
    Also make the warning when classloading fails more terse. Most of the time the ClassLoader is wrong, so giving them a hint via ClassLoader#toString is sufficient.
    (cherry picked from commit 3885890273828ed02caa5de671341faca81a4e89)
    Bug: 16468683
    Change-Id: I36844e942ccadda993c9f5a1523b2a66280903f3
| * | TLS-PSK cipher suites enabled when PSKKeyManager is provided. | Alex Klyubin | 2014-07-15 | 2 | -8/+14
    This documents and tests that TLS-PSK cipher suites are enabled if a PSKKeyManager is provided to SSLContext during its initialization.
    Bug: 15073623
    (cherry picked from commit b5730a183c0ef94946bb04222f6219f83adef8f5)
    Change-Id: Idb84b985301b575f4989f2c2a673b64e4e4930ea
| * | reconcile aosp (510a147e8b463fc2678aed6ad4f8095cc891eea8) after branching. Please do not merge. | Ed Heyl | 2014-07-14 | 2 | -16/+16
    Change-Id: I11aabb0a603a77d86697b600fe4379817076af7f
| * | reconcile aosp (86eae8dd1e7405394f0e9efe1252575ef9a9674c) after branching. Please do not merge. | Ed Heyl | 2014-07-14 | 2 | -0/+18
    Change-Id: Iae444b6b2840916ef9a4d0962a55a74f650bd5a5
| * | Remove | Brian Carlstrom | 2014-07-07 | 4 | -161/+0
    Change-Id: I143d0b26b116e75892223e74b6c22b6c8db05466
| * | am e8a95806: @hide. | Elliott Hughes | 2014-06-16 | 4 | -0/+5
| |\ \
    * commit 'e8a958066d95a4e15a9834e8b9067d106efd9b53': @hide.
| | * | @hide. | Elliott Hughes | 2014-06-16 | 4 | -0/+5
    Change-Id: Ieacf34a7b850910e70ae54f738608509e2c39e2e
| * | | am c0a8f479: am 9adf681e: am 4352ab40: Merge "Document and assert support for TLS-PSK cipher suites." | Alex Klyubin | 2014-05-29 | 2 | -0/+60
| |\ \ \
    * commit 'c0a8f479a47de31427211ea7952b3b92c0c650c2': Document and assert support for TLS-PSK cipher suites.
| * \ \ \ am a8a3743a: am daa5c14e: am b106b5f3: Merge "Update SSLEngine Javadoc to reflect recent changes." | Alex Klyubin | 2014-05-28 | 1 | -53/+358
| |\ \ \ \
    * commit 'a8a3743a541db271b25e25f179e105a48397c129': Update SSLEngine Javadoc to reflect recent changes.
| * \ \ \ \ am 8efbeb67: am 0509b224: am cbc04230: Merge "Fix a sorting bug in SSLSocket javadoc." | Alex Klyubin | 2014-05-23 | 1 | -4/+4
| |\ \ \ \ \
| | |_|_|/ /
| |/| | | |
    * commit '8efbeb67cec988289eb1eb2dd5a46154b3ef3a52': Fix a sorting bug in SSLSocket javadoc.
| * | | | | Unhide new SSL APIs | Kenny Root | 2014-05-06 | 4 | -5/+0
    Change-Id: Iac7db4586372a9b912e5c94fb2ab88c6bf305c35
* | | | | | Remove workaround for *.clients.google.com. | Alex Klyubin | 2014-07-23 | 1 | -4/+1
| |_|_|_|/
|/| | | |
    This removes the workaround for broken TLS/SSL server certificates that were being presented by android.clients.google.com in early 2012 (8576f309825e23add080f2a50345ec1884939c39). The server is presenting better certificates these days and the workaround is no longer needed.
    Bug: 5426333
    Change-Id: I4e7be7bcf522f2d210a596aa03b86a19884e075a
* | | | | TLS-PSK cipher suites enabled when PSKKeyManager is provided. | Alex Klyubin | 2014-07-14 | 2 | -8/+14
    This documents and tests that TLS-PSK cipher suites are enabled if a PSKKeyManager is provided to SSLContext during its initialization.
    Bug: 15073623
    Change-Id: I8e2bc3e7a1ea8a986e468973b6bad19dc6b7bc3c
* | | | | Merge "TLS-PSK cipher suites should appear in API Level 21." | Alex Klyubin | 2014-07-11 | 2 | -16/+16
|\ \ \ \ \
| * | | | | TLS-PSK cipher suites should appear in API Level 21. | Alex Klyubin | 2014-07-08 | 2 | -16/+16
    This also fixes a typo in two TLS-PSK cipher suite names.
    Bug: 15073623
    Change-Id: I92d289c2b91862529faf6e06f2eb9b0a21d42b52
* | | | | | Merge "Invalidate cache of default SocketFactory" | Kenny Root | 2014-07-10 | 2 | -0/+18
|\ \ \ \ \ \
| |/ / / / /
|/| | | | |
| * | | | | Invalidate cache of default SocketFactory | Kenny Root | 2014-06-27 | 2 | -0/+18
| | |_|_|/
| |/| | | |
    Currently the default SocketFactory is set once and never invalidated. Use the Services cache version number to know when to invalidate our cache.
    This increases the time to get the default implementation from 63ns to 97ns on a Nexus 7 (2013) aka deb.
    Change-Id: I5d46f02fccaa25e5bcea69d5ca0e4924290cf0e1
* | | | | Remove | Brian Carlstrom | 2014-07-07 | 4 | -161/+0
|/ / / /
    (cherry picked from commit 36214feb86a0963b23f34c8c63584252bd757e19)
    Change-Id: I96d5109c01e39255b9970f7a515ddd3575a50e56
* | | | Merge "Document and assert support for TLS-PSK cipher suites." | Alex Klyubin | 2014-05-29 | 2 | -0/+60
|\ \ \ \
| |_|_|/
|/| | |
| * | | Document and assert support for TLS-PSK cipher suites. | Alex Klyubin | 2014-05-27 | 2 | -0/+60
| | |/
| |/|
    This CL updates the Javadoc of SSLSocket and SSLEngine to list the now supported TLS-PSK cipher suites. It also adds tests to assert that these cipher suites are actually supported by SSLSocket and SSLEngine.
    Bug: 15073623
    Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
* | | Merge "Update SSLEngine Javadoc to reflect recent changes." | Alex Klyubin | 2014-05-28 | 1 | -53/+358
|\ \ \
| |/ /
|/| |
| * | Update SSLEngine Javadoc to reflect recent changes. | Alex Klyubin | 2014-05-23 | 1 | -53/+358
| |/
    SSLEngine is now backed by OpenSSL and thus supports the same cipher suites and protocols as SSLSocket.
    Change-Id: I842d6806afa5f9123dae3900c8ddad537d76048a
* | Fix a sorting bug in SSLSocket javadoc. | Alex Klyubin | 2014-05-23 | 1 | -4/+4
|/
    Change-Id: I1d2eaf44191e468713e9a8ee888017a6b0f37e25
* SSLEngineResult: better exception messages | Kenny Root | 2014-05-05 | 1 | -4/+4
    Bring these exception messages more in line with what the rest of libcore uses. Also print out the value that caused an exception to be thrown to aid in debugging.
    Change-Id: Ia2244592781091da9c3239c5f61946f6fb806204
* Improve documentation and tests of SSLContext.init. | Alex Klyubin | 2014-03-27 | 1 | -6/+23
    SSLContext.init treats null arrays of KeyManager/TrustManager differently from non-null arrays. In the case of null arrays, SSLContext.init finds the highest priority implementation of KeyManagerFactory/TrustManagerFactory and then obtains the required types of KeyManager/TrustManager from these factories. In the case of non-null arrays, SSLContext.init obtains each desired type of KeyManager/TrustManager from the provided arrays only.
    Bug: 13563574
    Bug: 13563675
    Change-Id: I52adc5e7143d4f050be0b22b3b464c10bb97d102
* Add X509ExtendedTrustManager | Kenny Root | 2014-03-25 | 4 | -6/+166
    This adds the X509ExtendedTrustManager class and all its ancillary methods that allow it to be used. This allows the endpointVerificationAlgorithm setting to be enabled on SSLSocket to check that the certificate given for the endpoint during the handshake matched the expected hostname.
    Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there is a new call added to SSLSocket called getHandshakeSession which does not force the handshake to take place.
    Bug: 13103812
    Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
* Disable MD5 cipher suites in SSLSocket and SSLEngine. | Alex Klyubin | 2013-12-19 | 1 | -2/+2
    Although HMAC-MD5 is not yet broken, the foundations are shaky -- see http://tools.ietf.org/html/rfc6151.
    Scans show that disabling these TLS/SSL cipher suites currently causes handshake issues with 0.4% of the ecosystem.
    Bug: 11220570
    Change-Id: I1970d2ecbdf3c0d26e45d439047b1d3884ade2ec
* Disable 3DES cipher suites in SSLSocket. | Alex Klyubin | 2013-12-18 | 1 | -7/+7
    The effective key length for 3DES_EDE bulk encryption algorithm is only 112 bits. We're now aiming for 128 and higher.
    Scans show that removing these cipher suites from the default list causes handshake issues only with 0.15% of the ecosystem.
    Bug: 11220570
    Change-Id: Ie01ebe8134d08a36b276295b804540157963be8f