authorNeil Fuller <nfuller@google.com>2015-01-23 19:55:25 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2015-01-23 19:55:25 +0000
commit22973e23be0ecbbbc0437a8241d0338734209378 (patch)
treec81f3570dec6fc7936cf1d8a94de32fe77636719
parent21dcfb0c895735468aaa5eadc1a6147c142466d2 (diff)
parentcc33cfd7afe21458edad4782188770f20c770b57 (diff)
downloadokhttp-22973e23be0ecbbbc0437a8241d0338734209378.tar.gz
am cc33cfd7: am 2fa2cab5: Merge "Tidy up HttpsHandler / HttpHandler and change defaults"
* commit 'cc33cfd7afe21458edad4782188770f20c770b57': Tidy up HttpsHandler / HttpHandler and change defaults
-rw-r--r--android/main/java/com/squareup/okhttp/HttpHandler.java17
-rw-r--r--android/main/java/com/squareup/okhttp/HttpsHandler.java49
2 files changed, 63 insertions, 3 deletions
diff --git a/android/main/java/com/squareup/okhttp/HttpHandler.java b/android/main/java/com/squareup/okhttp/HttpHandler.java
index a94fe8f..e843faf 100644
--- a/android/main/java/com/squareup/okhttp/HttpHandler.java
+++ b/android/main/java/com/squareup/okhttp/HttpHandler.java
@@ -23,9 +23,14 @@ import java.net.ResponseCache;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
+import java.util.Collections;
+import java.util.List;
public class HttpHandler extends URLStreamHandler {
+ private final static List<ConnectionSpec> CLEARTEXT_ONLY =
+ Collections.singletonList(ConnectionSpec.CLEARTEXT);
+
private final ConfigAwareConnectionPool configAwareConnectionPool =
ConfigAwareConnectionPool.getInstance();
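Review bot: The modifier order on `CLEARTEXT_ONLY` is `private final static`, while the constants this same commit adds to HttpsHandler use `private static final`, which is also the order the Java Language Specification recommends. Suggest changing the declaration to `private static final List<ConnectionSpec> CLEARTEXT_ONLY =` so both handlers read the same way. The class body continues outside the hunk.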
@@ -46,6 +51,9 @@ public class HttpHandler extends URLStreamHandler {
protected OkUrlFactory newOkUrlFactory(Proxy proxy) {
OkUrlFactory okUrlFactory = createHttpOkUrlFactory(proxy);
+ // For HttpURLConnections created through java.net.URL Android uses a connection pool that
+ // is aware when the default network changes so that pooled connections are not re-used when
+ // the default network changes.
okUrlFactory.client().setConnectionPool(configAwareConnectionPool.get());
return okUrlFactory;
}
@@ -54,14 +62,21 @@ public class HttpHandler extends URLStreamHandler {
* Creates an OkHttpClient suitable for creating {@link java.net.HttpURLConnection} instances on
* Android.
*/
+ // Visible for android.net.Network.
public static OkUrlFactory createHttpOkUrlFactory(Proxy proxy) {
OkHttpClient client = new OkHttpClient();
+
+ // Do not permit http -> https and https -> http redirects.
client.setFollowSslRedirects(false);
+ client.setConnectionSpecs(CLEARTEXT_ONLY);
+
+ // When we do not set the Proxy explicitly OkHttp picks up a ProxySelector using
+ // ProxySelector.getDefault().
if (proxy != null) {
client.setProxy(proxy);
}
- // Explicitly set the response cache.
+ // OkHttp requires that we explicitly set the response cache.
OkUrlFactory okUrlFactory = new OkUrlFactory(client);
ResponseCache responseCache = ResponseCache.getDefault();
if (responseCache != null) {
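Review bot: `client.setConnectionSpecs(CLEARTEXT_ONLY)` has no comment of its own and sits under the redirect comment, although it is the line that restricts this client to cleartext connection specs. `HttpsHandler.createHttpsOkUrlFactory()` builds on this factory and then replaces the specs, so the https configuration depends on that later call staying in place. A short comment would make the coupling visible, for example `// Cleartext only. HttpsHandler.createHttpsOkUrlFactory() must replace these specs for https.` The method body continues past the end of the hunk.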
diff --git a/android/main/java/com/squareup/okhttp/HttpsHandler.java b/android/main/java/com/squareup/okhttp/HttpsHandler.java
index cfd7aba..149d860 100644
--- a/android/main/java/com/squareup/okhttp/HttpsHandler.java
+++ b/android/main/java/com/squareup/okhttp/HttpsHandler.java
@@ -24,7 +24,43 @@ import java.util.List;
import javax.net.ssl.HttpsURLConnection;
public final class HttpsHandler extends HttpHandler {
- private static final List<Protocol> ENABLED_PROTOCOLS = Arrays.asList(Protocol.HTTP_1_1);
+
+ /**
+ * The initial connection spec to use when connecting to an https:// server, and the prototype
+ * for the others below. Note that Android does not set the cipher suites to use so the socket's
+ * defaults enabled cipher suites will be used instead. When the SSLSocketFactory is provided by
+ * the app or GMS core we will not override the enabled ciphers set on the sockets it produces
+ * with a list hardcoded at release time. This is deliberate.
+ * For the TLS versions we <em>will</em> select a known subset from the set of enabled TLS
+ * versions on the socket.
+ */
+ private static final ConnectionSpec TLS_1_2_AND_BELOW = new ConnectionSpec.Builder(true)
+ .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+ .supportsTlsExtensions(true)
+ .build();
+
+ private static final ConnectionSpec TLS_1_1_AND_BELOW =
+ new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
+ .tlsVersions(TlsVersion.TLS_1_1, TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+ .supportsTlsExtensions(true)
+ .build();
+
+ private static final ConnectionSpec TLS_1_0_AND_BELOW =
+ new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
+ .tlsVersions(TlsVersion.TLS_1_0, TlsVersion.SSL_3_0)
+ .build();
+
+ private static final ConnectionSpec SSL_3_0 =
+ new ConnectionSpec.Builder(TLS_1_2_AND_BELOW)
+ .tlsVersions(TlsVersion.SSL_3_0)
+ .build();
+
+ /** Try up to 4 times to negotiate a connection with each server. */
+ private static final List<ConnectionSpec> SECURE_CONNECTION_SPECS =
+ Arrays.asList(TLS_1_2_AND_BELOW, TLS_1_1_AND_BELOW, TLS_1_0_AND_BELOW, SSL_3_0);
+
+ private static final List<Protocol> HTTP_1_1_ONLY = Arrays.asList(Protocol.HTTP_1_1);
+
private final ConfigAwareConnectionPool configAwareConnectionPool =
ConfigAwareConnectionPool.getInstance();
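Review bot: `TlsVersion.SSL_3_0` is enabled in all four specs and `SSL_3_0` is the last entry in `SECURE_CONNECTION_SPECS`, so after three failed handshakes the client retries offering SSL 3.0 only. Handshake failures can be caused by anyone on the network path, so this chain lets the negotiated version be pushed down to a protocol with known weaknesses (POODLE); whether a fallback indicator is sent so that servers can reject the downgrade is not visible in this hunk. Consider removing SSL 3.0 from each `tlsVersions(...)` call and ending the list at `Arrays.asList(TLS_1_2_AND_BELOW, TLS_1_1_AND_BELOW, TLS_1_0_AND_BELOW)`, or, if it must stay for compatibility, state that reason in the Javadoc beside the note on cipher suites. Separately, `.supportsTlsExtensions(true)` is repeated on `TLS_1_1_AND_BELOW` although it is inherited from the prototype, and is not repeated on the two specs below it; the class body continues outside the hunk.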
@@ -35,6 +71,9 @@ public final class HttpsHandler extends HttpHandler {
@Override
protected OkUrlFactory newOkUrlFactory(Proxy proxy) {
OkUrlFactory okUrlFactory = createHttpsOkUrlFactory(proxy);
+ // For HttpsURLConnections created through java.net.URL Android uses a connection pool that
+ // is aware when the default network changes so that pooled connections are not re-used when
+ // the default network changes.
okUrlFactory.client().setConnectionPool(configAwareConnectionPool.get());
return okUrlFactory;
}
@@ -43,12 +82,18 @@ public final class HttpsHandler extends HttpHandler {
* Creates an OkHttpClient suitable for creating {@link HttpsURLConnection} instances on
* Android.
*/
+ // Visible for android.net.Network.
public static OkUrlFactory createHttpsOkUrlFactory(Proxy proxy) {
// The HTTPS OkHttpClient is an HTTP OkHttpClient with extra configuration.
OkUrlFactory okUrlFactory = HttpHandler.createHttpOkUrlFactory(proxy);
OkHttpClient okHttpClient = okUrlFactory.client();
- okHttpClient.setProtocols(ENABLED_PROTOCOLS);
+
+ // Only enable HTTP/1.1 (implies HTTP/1.0). Disable SPDY / HTTP/2.0.
+ okHttpClient.setProtocols(HTTP_1_1_ONLY);
+
+ // Use Android's preferred fallback approach and cipher suite selection.
+ okHttpClient.setConnectionSpecs(SECURE_CONNECTION_SPECS);
// OkHttp does not automatically honor the system-wide HostnameVerifier set with
// HttpsURLConnection.setDefaultHostnameVerifier().