Bug 1365865 - Update set of default ciphers for API26+ r=nalexander
TLS_DHE_RSA_WITH_AES_128_CBC_SHA is no longer supported in API26+.
MozReview-Commit-ID: AtNf2xZh2Bz
--- a/mobile/android/base/AppConstants.java.in
+++ b/mobile/android/base/AppConstants.java.in
@@ -48,16 +48,17 @@ public class AppConstants {
* is no need to do the runtime check.
*/
public static final boolean feature16Plus = MIN_SDK_VERSION >= 16 || (MAX_SDK_VERSION >= 16 && Build.VERSION.SDK_INT >= 16);
public static final boolean feature17Plus = MIN_SDK_VERSION >= 17 || (MAX_SDK_VERSION >= 17 && Build.VERSION.SDK_INT >= 17);
public static final boolean feature19Plus = MIN_SDK_VERSION >= 19 || (MAX_SDK_VERSION >= 19 && Build.VERSION.SDK_INT >= 19);
public static final boolean feature20Plus = MIN_SDK_VERSION >= 20 || (MAX_SDK_VERSION >= 20 && Build.VERSION.SDK_INT >= 20);
public static final boolean feature21Plus = MIN_SDK_VERSION >= 21 || (MAX_SDK_VERSION >= 21 && Build.VERSION.SDK_INT >= 21);
public static final boolean feature24Plus = MIN_SDK_VERSION >= 24 || (MAX_SDK_VERSION >= 24 && Build.VERSION.SDK_INT >= 24);
+ public static final boolean feature26Plus = MIN_SDK_VERSION >= 26 || (MAX_SDK_VERSION >= 26 && Build.VERSION.SDK_INT >= 26);
/*
* If our MIN_SDK_VERSION is 14 or higher, we must be an ICS device.
* If our MAX_SDK_VERSION is lower than ICS, we must not be an ICS device.
* Otherwise, we need a range check.
*/
public static final boolean preMarshmallow = MAX_SDK_VERSION < 23 || (MIN_SDK_VERSION < 23 && Build.VERSION.SDK_INT < 23);
public static final boolean preLollipop = MAX_SDK_VERSION < 21 || (MIN_SDK_VERSION < 21 && Build.VERSION.SDK_INT < 21);
--- a/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java
+++ b/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java
@@ -39,29 +39,43 @@ public class GlobalConstants {
* <http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html>
*/
public static final String[] DEFAULT_CIPHER_SUITES;
public static final String[] DEFAULT_PROTOCOLS;
static {
// Prioritize 128 over 256 as a tradeoff between device CPU/battery and the minor
// increase in strength.
- if (Versions.feature20Plus) {
+ if (Versions.feature26Plus) {
DEFAULT_CIPHER_SUITES = new String[]
{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // 20+
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // 11+
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // 20+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // 20+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // 11+
// For Sync 1.1.
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", // 9+
+ "TLS_RSA_WITH_AES_128_CBC_SHA", // 9+
+ };
+ } else if (Versions.feature20Plus) {
+ DEFAULT_CIPHER_SUITES = new String[]
+ {
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // 20+
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // 20+
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // 20+
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // 11+
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // 20+
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // 20+
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // 11+
+
+ // For Sync 1.1.
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", // 9-25
"TLS_RSA_WITH_AES_128_CBC_SHA", // 9+
};
} else {
DEFAULT_CIPHER_SUITES = new String[]
{
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // 11+
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", // 11+
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // 11+
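Review bot: In the new `feature26Plus` branch the only suite left under `// For Sync 1.1.` is `TLS_RSA_WITH_AES_128_CBC_SHA`, which uses static RSA key exchange, so a server without ECDHE now negotiates a session with no forward secrecy where it previously got DHE, and nothing in the branch records why the DHE suite is absent. A comment at that entry would stop a later editor from re-adding the unsupported suite or reading the RSA entry as a preferred choice, e.g. `// API 26+ dropped TLS_DHE_RSA_WITH_AES_128_CBC_SHA; static-RSA fallback kept only for Sync 1.1, remove once no longer required.` The seven ECDHE entries are also duplicated verbatim between the 26+ and 20+ branches, so a future change to one list can silently miss the other; building both from one shared base array and appending the legacy suites per API level would avoid that drift. The static initializer continues past the end of this hunk, so the remaining `else` list is not reviewed here.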