Bug 1537701 - Update SSL ciphers and protocols for Android Q; r=mt
authorPetru Lingurar <petru.lingurar@softvision.ro>
Tue, 14 May 2019 13:09:22 +0000
changeset 532735 6d6a45ae267a3cc52a1b6d7db4ec224e1d313f93
parent 532734 b8c66ae8e149ff7dd0be76a815ffb43060ba482a
child 532736 cc575aa34c366538f85e98e878e8a062e3cfbb33
push id11272
push userapavel@mozilla.com
push dateThu, 16 May 2019 15:28:22 +0000
treeherdermozilla-beta@2265bfc5920d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmt
bugs1537701
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1537701 - Update SSL ciphers and protocols for Android Q; r=mt Added the new Android API 29+ ciphers https://developer.android.com/reference/javax/net/ssl/SSLEngine#cipher-suites and also added TLSv1.3 https://developer.android.com/reference/javax/net/ssl/SSLEngine#protocols Will prefer ChaCha20-Poly1305 which is fastest, thoroughly vetted and battle tested - https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/ Beside the new additions will still keep support for previous TLSv1.2 and already used ciphers still compatible with Android Q while favoring the 128 versions. Differential Revision: https://phabricator.services.mozilla.com/D30646
mobile/android/base/AppConstants.java.in
mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java
--- a/mobile/android/base/AppConstants.java.in
+++ b/mobile/android/base/AppConstants.java.in
@@ -2,16 +2,17 @@
 /* -*- Mode: Java; c-basic-offset: 4; tab-width: 20; indent-tabs-mode: nil; -*-
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 package org.mozilla.gecko;
 
 import android.os.Build;
+import android.support.v4.os.BuildCompat;
 
 /**
  * A collection of constants that pertain to the build and runtime state of the
  * application. Typically these are sourced from build-time definitions (see
  * Makefile.in). This is a Java-side substitute for nsIXULAppInfo, amongst
  * other things.
  *
  * See also SysInfo.java, which includes some of the values available from
@@ -51,16 +52,18 @@ public class AppConstants {
         public static final boolean feature16Plus = MIN_SDK_VERSION >= 16 || (MAX_SDK_VERSION >= 16 && Build.VERSION.SDK_INT >= 16);
         public static final boolean feature17Plus = MIN_SDK_VERSION >= 17 || (MAX_SDK_VERSION >= 17 && Build.VERSION.SDK_INT >= 17);
         public static final boolean feature19Plus = MIN_SDK_VERSION >= 19 || (MAX_SDK_VERSION >= 19 && Build.VERSION.SDK_INT >= 19);
         public static final boolean feature20Plus = MIN_SDK_VERSION >= 20 || (MAX_SDK_VERSION >= 20 && Build.VERSION.SDK_INT >= 20);
         public static final boolean feature21Plus = MIN_SDK_VERSION >= 21 || (MAX_SDK_VERSION >= 21 && Build.VERSION.SDK_INT >= 21);
         public static final boolean feature23Plus = MIN_SDK_VERSION >= 23 || (MAX_SDK_VERSION >= 23 && Build.VERSION.SDK_INT >= 23);
         public static final boolean feature24Plus = MIN_SDK_VERSION >= 24 || (MAX_SDK_VERSION >= 24 && Build.VERSION.SDK_INT >= 24);
         public static final boolean feature26Plus = MIN_SDK_VERSION >= 26 || (MAX_SDK_VERSION >= 26 && Build.VERSION.SDK_INT >= 26);
+        // Given that Android Q is not yet released it shares API level 28 with Android P
+        public static final boolean feature29Plus = BuildCompat.isAtLeastQ();
 
         /*
          * If our MIN_SDK_VERSION is 14 or higher, we must be an ICS device.
          * If our MAX_SDK_VERSION is lower than ICS, we must not be an ICS device.
          * Otherwise, we need a range check.
          */
         public static final boolean preMarshmallow = MAX_SDK_VERSION < 23 || (MIN_SDK_VERSION < 23 && Build.VERSION.SDK_INT < 23);
         public static final boolean preLollipopMR1 = MAX_SDK_VERSION < 22 || (MIN_SDK_VERSION < 22 && Build.VERSION.SDK_INT < 22);
--- a/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java
+++ b/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java
@@ -37,19 +37,31 @@ public class GlobalConstants {
    *
    * ELB cipher suites:
    * <http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html>
    */
   public static final String[] DEFAULT_CIPHER_SUITES;
   public static final String[] DEFAULT_PROTOCOLS;
 
   static {
-    // Prioritize 128 over 256 as a tradeoff between device CPU/battery and the minor
-    // increase in strength.
-    if (Versions.feature26Plus) {
+    // ChaCha20-Poly1305 seems fastest on mobile.
+    // Otherwise prioritize 128 over 256 as a tradeoff between device CPU/battery
+    // and the minor increase in strength.
+    if (Versions.feature29Plus) {
+      DEFAULT_CIPHER_SUITES = new String[]
+          {
+          "TLS_CHACHA20_POLY1305_SHA256",               // 29+
+          "TLS_AES_128_GCM_SHA256",                     // 29+
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",      // 20+
+          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",         // 20+
+          "TLS_AES_256_GCM_SHA384",                     // 29+
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",      // 20+
+          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",         // 11+
+          };
+    } else if (Versions.feature26Plus) {
       DEFAULT_CIPHER_SUITES = new String[]
           {
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",   // 20+
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     // 20+
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",     // 20+
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     // 20+
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",     // 20+
@@ -81,24 +93,24 @@ public class GlobalConstants {
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+
 
            // For Sync 1.1.
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",  // 9+
            "TLS_RSA_WITH_AES_128_CBC_SHA",      // 9+
           };
     }
 
-    if (Versions.feature16Plus) {
+    if (Versions.feature29Plus) {
+      DEFAULT_PROTOCOLS = new String[]
+          {
+          "TLSv1.3",
+          "TLSv1.2",
+          };
+    } else {
       DEFAULT_PROTOCOLS = new String[]
           {
            "TLSv1.2",
            "TLSv1.1",
            "TLSv1",             // We would like to remove this, and will do so when we can.
           };
-    } else {
-      // Fall back to TLSv1 if there's nothing better.
-      DEFAULT_PROTOCOLS = new String[]
-          {
-           "TLSv1",
-          };
     }
   }
 }