From 6c2efb02353f34ea153f4bf8ed283685ccaad9a9 Mon Sep 17 00:00:00 2001 From: Michal Kepkowski Date: Sat, 12 Mar 2016 19:32:36 +0100 Subject: okhttp3
---
.../keychain/util/OkHttpClientFactory.java | 55 ++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java')
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java
new file mode 100644
index 000000000..2bf3b7e14
--- /dev/null
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java
@@ -0,0 +1,55 @@
+package org.sufficientlysecure.keychain.util;
+
+import okhttp3.CertificatePinner;
+import okhttp3.OkHttpClient;
+import org.sufficientlysecure.keychain.Constants;
+
+import java.io.IOException;
+import java.net.Proxy;
+import java.net.URL;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Created by Michał Kępkowski on 11/03/16.
+ */
+public class OkHttpClientFactory {
+ private static OkHttpClient client;
+
+ public static OkHttpClient getSimpleClient(){
+ if(client == null){
+ client = new OkHttpClient.Builder().build();
+ }
+ return client;
+ }
+
+ public static OkHttpClient getPinnedSimpleClient(CertificatePinner pinner){
+ return new OkHttpClient.Builder()
+ .certificatePinner(pinner)
+ .build();
+ }
+
+
+ public static OkHttpClient getPinnedClient(URL url, Proxy proxy) throws IOException, TlsHelper.TlsHelperException {
+
+ return new OkHttpClient.Builder()
+ .followRedirects(false)
+ .followSslRedirects(false)
+ .proxy(proxy)
+ .connectTimeout(30000, TimeUnit.MILLISECONDS)
+ .readTimeout(45000, TimeUnit.MILLISECONDS)
+ .sslSocketFactory(TlsHelper.getPinnedSslSocketFactory(url))
+ .build();
+ }
+
+ public static OkHttpClient getClient( Proxy proxy) throws IOException, TlsHelper.TlsHelperException {
+
+ return new OkHttpClient.Builder()
+ .followRedirects(false)
+ .followSslRedirects(false)
+ .proxy(proxy)
+ .connectTimeout(30000, TimeUnit.MILLISECONDS)
+ .readTimeout(45000, TimeUnit.MILLISECONDS)
+ .build();
+ }
+
+}
-- cgit v1.2.3
From dac5f1db08b4dea5893d9fe0a1ab0daad5b44f09 Mon Sep 17 00:00:00 2001 From: Michal Kepkowski Date: Wed, 6 Apr 2016 19:10:00 +0200 Subject: OKhttp url factory
---
.../org/sufficientlysecure/keychain/util/OkHttpClientFactory.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java')
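Review bot: `getSimpleClient()` assigns the static `client` lazily with no synchronization, so two threads calling it at the same time can each build an `OkHttpClient` and one of them is thrown away; an eager `private static final OkHttpClient client = new OkHttpClient.Builder().build();` removes the race. The four factory methods also differ in security posture: only `getPinnedClient` and `getClient` disable redirects, and only `getPinnedSimpleClient` and `getPinnedClient` restrict trust, yet none has Javadoc saying which traffic it is meant for. A one-line Javadoc on each, for example `/** Shared client: platform trust store, redirects followed, no proxy. */` on `getSimpleClient`, would keep callers from choosing the weaker client by accident. `getClient(Proxy)` declares `IOException` and `TlsHelper.TlsHelperException` although nothing in its body throws them, and the `Constants` import is unused.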
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java index 2bf3b7e14..cbbbf6e71 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java @@ -17,13 +17,18 @@ public class OkHttpClientFactory { public static OkHttpClient getSimpleClient(){ if(client == null){ - client = new OkHttpClient.Builder().build(); + client = new OkHttpClient.Builder() + .connectTimeout(30000, TimeUnit.MILLISECONDS) + .readTimeout(45000, TimeUnit.MILLISECONDS) + .build(); } return client; } public static OkHttpClient getPinnedSimpleClient(CertificatePinner pinner){ return new OkHttpClient.Builder() + .connectTimeout(30000, TimeUnit.MILLISECONDS) + .readTimeout(45000, TimeUnit.MILLISECONDS) .certificatePinner(pinner) .build(); } -- cgit v1.2.3 From 2d762e55da92ef45576967c0d1befef55e7935ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= Date: Sat, 9 Apr 2016 11:53:37 +0200 Subject: Okhttp3 cleanups, docs, and fix timeouts for default client --- .../keychain/util/OkHttpClientFactory.java | 51 ++++++++++++++-------- 1 file changed, 34 insertions(+), 17 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java index cbbbf6e71..f3606aa2f 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java 
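Review bot: The pair `30000` / `45000` is added here as bare literals to `getSimpleClient` and `getPinnedSimpleClient`, duplicating the same pair already written out in the two proxy builders of this class, so any later tuning has to find every copy. Named constants in the class, e.g. `private static final int CONNECT_TIMEOUT_MS = 30000;` and `private static final int READ_TIMEOUT_MS = 45000;`, would keep the values in one place and let the name say which kind of connection they are sized for. The lazily assigned `client` field is still written without synchronization in the changed lines.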
@@ -1,57 +1,74 @@ -package org.sufficientlysecure.keychain.util; +/* + * Copyright (C) 2016 Michał Kępkowski + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ -import okhttp3.CertificatePinner; -import okhttp3.OkHttpClient; -import org.sufficientlysecure.keychain.Constants; +package org.sufficientlysecure.keychain.util; import java.io.IOException; import java.net.Proxy; import java.net.URL; import java.util.concurrent.TimeUnit; -/** - * Created by Michał Kępkowski on 11/03/16. 
- */ +import okhttp3.CertificatePinner; +import okhttp3.OkHttpClient; + public class OkHttpClientFactory { private static OkHttpClient client; - public static OkHttpClient getSimpleClient(){ - if(client == null){ - client = new OkHttpClient.Builder() - .connectTimeout(30000, TimeUnit.MILLISECONDS) - .readTimeout(45000, TimeUnit.MILLISECONDS) + public static OkHttpClient getSimpleClient() { + if (client == null) { + client = new OkHttpClient.Builder() + .connectTimeout(5000, TimeUnit.MILLISECONDS) + .readTimeout(25000, TimeUnit.MILLISECONDS) .build(); } return client; } - public static OkHttpClient getPinnedSimpleClient(CertificatePinner pinner){ + public static OkHttpClient getPinnedSimpleClient(CertificatePinner pinner) { return new OkHttpClient.Builder() - .connectTimeout(30000, TimeUnit.MILLISECONDS) - .readTimeout(45000, TimeUnit.MILLISECONDS) + .connectTimeout(5000, TimeUnit.MILLISECONDS) + .readTimeout(25000, TimeUnit.MILLISECONDS) .certificatePinner(pinner) .build(); } - public static OkHttpClient getPinnedClient(URL url, Proxy proxy) throws IOException, TlsHelper.TlsHelperException { return new OkHttpClient.Builder() + // don't follow any redirects for keyservers, as discussed in the security audit .followRedirects(false) .followSslRedirects(false) .proxy(proxy) + // higher timeouts for Tor .connectTimeout(30000, TimeUnit.MILLISECONDS) .readTimeout(45000, TimeUnit.MILLISECONDS) + // use pinned cert with SocketFactory .sslSocketFactory(TlsHelper.getPinnedSslSocketFactory(url)) .build(); } - public static OkHttpClient getClient( Proxy proxy) throws IOException, TlsHelper.TlsHelperException { + public static OkHttpClient getClient(Proxy proxy) throws IOException, TlsHelper.TlsHelperException { return new OkHttpClient.Builder() + // don't follow any redirects for keyservers, as discussed in the security audit .followRedirects(false) .followSslRedirects(false) .proxy(proxy) + // higher timeouts for Tor .connectTimeout(30000, TimeUnit.MILLISECONDS) 
.readTimeout(45000, TimeUnit.MILLISECONDS) .build(); -- cgit v1.2.3 From c8e5395d4e3c3dcc349ebe6bb300016f44d430d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?= Date: Sat, 9 Apr 2016 18:34:00 +0200 Subject: Use cert pinning only if available --- .../keychain/util/OkHttpClientFactory.java | 47 +++++++++++----------- 1 file changed, 23 insertions(+), 24 deletions(-) (limited to 'OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java index f3606aa2f..ea2ae8368 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java @@ -38,7 +38,7 @@ public class OkHttpClientFactory { return client; } - public static OkHttpClient getPinnedSimpleClient(CertificatePinner pinner) { + public static OkHttpClient getSimpleClientPinned(CertificatePinner pinner) { return new OkHttpClient.Builder() .connectTimeout(5000, TimeUnit.MILLISECONDS) .readTimeout(25000, TimeUnit.MILLISECONDS) 
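Review bot: The new comment `// don't follow any redirects for keyservers, as discussed in the security audit` refers to an audit without naming it, so a later reader cannot check the reasoning behind `followRedirects(false)`; the comment should carry the reference, e.g. `// ... see <audit report or issue reference>`. The `// higher timeouts for Tor` comment sits on builders that apply 30 s / 45 s to whatever `proxy` is passed (presumably including `null`), so it describes an intent the code does not actually test for. Removing the `Created by` block also leaves the class with no Javadoc; a class comment saying which factory methods are meant for keyserver traffic and which use the platform trust store would be worth adding in this cleanup.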
@@ -46,32 +46,31 @@ public class OkHttpClientFactory { .build(); } - public static OkHttpClient getPinnedClient(URL url, Proxy proxy) throws IOException, TlsHelper.TlsHelperException { + public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) throws IOException, + TlsHelper.TlsHelperException { + OkHttpClient.Builder builder = new OkHttpClient.Builder(); - return new OkHttpClient.Builder() - // don't follow any redirects for keyservers, as discussed in the security audit - .followRedirects(false) - .followSslRedirects(false) - .proxy(proxy) - // higher timeouts for Tor - .connectTimeout(30000, TimeUnit.MILLISECONDS) - .readTimeout(45000, TimeUnit.MILLISECONDS) - // use pinned cert with SocketFactory - .sslSocketFactory(TlsHelper.getPinnedSslSocketFactory(url)) - .build(); - } + // don't follow any redirects for keyservers, as discussed in the security audit + builder.followRedirects(false) + .followSslRedirects(false); + + if (proxy != null) { + // set proxy and higher timeouts for Tor + builder.proxy(proxy); + builder.connectTimeout(30000, TimeUnit.MILLISECONDS) + .readTimeout(45000, TimeUnit.MILLISECONDS); + } else { + builder.connectTimeout(5000, TimeUnit.MILLISECONDS) + .readTimeout(25000, TimeUnit.MILLISECONDS); + } - public static OkHttpClient getClient(Proxy proxy) throws IOException, TlsHelper.TlsHelperException { + // If a pinned cert is available, use it! + // NOTE: this fails gracefully back to "no pinning" if no cert is available. 
+ if (url != null && TlsHelper.getPinnedSslSocketFactory(url) != null) { + builder.sslSocketFactory(TlsHelper.getPinnedSslSocketFactory(url)); + } - return new OkHttpClient.Builder() - // don't follow any redirects for keyservers, as discussed in the security audit - .followRedirects(false) - .followSslRedirects(false) - .proxy(proxy) - // higher timeouts for Tor - .connectTimeout(30000, TimeUnit.MILLISECONDS) - .readTimeout(45000, TimeUnit.MILLISECONDS) - .build(); + return builder.build(); } } -- cgit v1.2.3
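Review bot: `getClientPinnedIfAvailable` silently downgrades to the platform trust store whenever `TlsHelper.getPinnedSslSocketFactory(url)` returns null or `url` is null, and former callers of the removed `getPinnedClient` inherit that fallback with no log line or return signal showing that pinning was skipped. The fallback branch should at least log the host, and a caller that requires a pin needs a way to get a failure instead of an unpinned client. The condition also calls `getPinnedSslSocketFactory(url)` twice, so the factory is built twice and the instance tested is not the one installed; hold it in a local, `SSLSocketFactory pinned = (url != null) ? TlsHelper.getPinnedSslSocketFactory(url) : null;` followed by `if (pinned != null) { builder.sslSocketFactory(pinned); }`. The helper's return type is not visible in this hunk, so the local's type is assumed from the `sslSocketFactory(...)` parameter and would need the matching import.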