Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support for: TLS_RSA_WITH_3DES_EDE_CBC_SHA and other weak ciphers

See original GitHub issue

Hi,

maybe it’s a duplicate question, but I can’t find any solutions for this issue. I must connect to a server wich only supports TLS_RSA_WITH_3DES_EDE_CBC_SHA and sadly I can’t change this.

I read that this cipher suite is disabled by Android by default, but in Google Chrome for example I can connect to this server.

But in my application (API Level 16) i got this stacktrace:

W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
W/System.err:     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:241)

Any suggestions?

Issue Analytics

  • State:closed
  • Created 7 years ago
  • Comments:8 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
StefanWegenercommented, Nov 16, 2016

I understand totally that you disable obsolete protocols, but this means means for me, that I must use Version 2.1.0 instead of the current version?

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_0)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                        CipherSuite.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        CipherSuite.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                        CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
                .build();
        client.setConnectionSpecs(Collections.singletonList(spec));

This code doesn’t help me. Or am I wrong?

0reactions
rapidity-acommented, Jan 3, 2020
public class CmCipherSuiteSSLSocketFactory extends SSLSocketFactory {

    private static final String PREFERRED_CIPHER_SUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
    private final SSLSocketFactory delegate;

    public CmCipherSuiteSSLSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return setupPreferredDefaultCipherSuites(this.delegate);
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return setupPreferredSupportedCipherSuites(this.delegate);
    }

    @Override
    public Socket createSocket(String arg0, int arg1) throws IOException,
            UnknownHostException {
        Socket socket = this.delegate.createSocket(arg0, arg1);
        String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
        ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    @Override
    public Socket createSocket(InetAddress arg0, int arg1) throws IOException {
        Socket socket = this.delegate.createSocket(arg0, arg1);
        String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
        ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    @Override
    public Socket createSocket(Socket arg0, String arg1, int arg2, boolean arg3)
            throws IOException {
        Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
        String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
        ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    @Override
    public Socket createSocket(String arg0, int arg1, InetAddress arg2, int arg3)
            throws IOException, UnknownHostException {
        Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
        String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
        ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    @Override
    public Socket createSocket(InetAddress arg0, int arg1, InetAddress arg2,
                               int arg3) throws IOException {
        Socket socket = this.delegate.createSocket(arg0, arg1, arg2, arg3);
        String[] cipherSuites = setupPreferredDefaultCipherSuites(delegate);
        ((SSLSocket) socket).setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    private static String[] setupPreferredDefaultCipherSuites(SSLSocketFactory sslSocketFactory) {
        String[] defaultCipherSuites = sslSocketFactory.getDefaultCipherSuites();
        ArrayList<String> suitesList = new ArrayList<String>(Arrays.asList(defaultCipherSuites));
        if (!suitesList.contains(PREFERRED_CIPHER_SUITE)) {
            suitesList.add(0, PREFERRED_CIPHER_SUITE);
        }
        return suitesList.toArray(new String[suitesList.size()]);
    }

    private static String[] setupPreferredSupportedCipherSuites(SSLSocketFactory sslSocketFactory) {
        String[] supportedCipherSuites = sslSocketFactory.getSupportedCipherSuites();
        ArrayList<String> suitesList = new ArrayList<String>(Arrays.asList(supportedCipherSuites));
        if (!suitesList.contains(PREFERRED_CIPHER_SUITE)) {
            suitesList.add(0, PREFERRED_CIPHER_SUITE);
        }
        return suitesList.toArray(new String[suitesList.size()]);
    }
}


SSLSocketFactory preferredCipherSuiteSSLSocketFactory = new CmCipherSuiteSSLSocketFactory(sslContext.getSocketFactory());
Read more comments on GitHub >

github_iconTop Results From Across the Web

TLS/SSL Server Supports 3DES Cipher Suite - Rapid7
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what...
Read more >
Managing SSL/TLS Protocols and Cipher Suites for AD FS
Learn how to disable and enable certain TLS/SSL protocols and cipher suites that are used by AD FS.
Read more >
SSL/TLS Weak Cipher Suites Supported - Tenable
The remote host supports the use of SSL/TLS ciphers that offer weak encryption (including RC4 and 3DES encryption).
Read more >
Recommendations for TLS/SSL Cipher Hardening - Acunetix
Below is a list of recommendations for a secure SSL/TLS implementation. ... It is also used by several other services and protocols, ...
Read more >
Disable Weak Ciphers (RC4 & TripleDES) Windows Server ...
This video is following on from the previous one (Disabling SSLv3 and TLS v1.0), which can be found here ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

HttpLoggingInterceptor causes stackoverflow

Next page

java.lang.NullPointerException:BridgeInterceptor.intercept