/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

package org.mozilla.gecko.background.common;

import org.mozilla.gecko.AppConstants;
import org.mozilla.gecko.AppConstants.Versions;

/**
 * Constant values common to all Android services.
 *
 * <p>Besides a few package and time constants, this class holds the TLS cipher
 * suites and protocol versions that the background services treat as
 * acceptable. How the arrays are applied to sockets is not visible in this
 * file.
 */
public class GlobalConstants {
  public static final String BROWSER_INTENT_PACKAGE = AppConstants.ANDROID_PACKAGE_NAME;
  public static final String BROWSER_INTENT_CLASS = AppConstants.MOZ_ANDROID_BROWSER_INTENT_CLASS;

  // 0 is the numeric value of android.content.Context.MODE_PRIVATE, i.e. the
  // preferences file is readable only by the owning application.
  public static final int SHARED_PREFERENCES_MODE = 0;

  // Common time values.
  public static final long MILLISECONDS_PER_DAY = 24L * 60L * 60L * 1000L;
  public static final long MILLISECONDS_PER_SIX_MONTHS = MILLISECONDS_PER_DAY * 180L;

  // Acceptable cipher suites.
  /**
   * Cipher suites offered by default, in preference order.
   *
   * <p>Only a very limited range of strong cipher suites and protocols is
   * supported: no SSLv3 or TLSv1.0 (if we can), no DHE ciphers that might be
   * vulnerable to Logjam (https://weakdh.org/), no RC4.
   *
   * <p>Exceptions visible in the lists: on the pre-26 branches one DHE suite
   * ({@code TLS_DHE_RSA_WITH_AES_128_CBC_SHA}) is still offered under
   * "For Sync 1.1", and every branch ends with
   * {@code TLS_RSA_WITH_AES_128_CBC_SHA}, a static-RSA key exchange that
   * provides no forward secrecy. Both are last in preference order.
   *
   * <p>Backstory: Bug 717691 (we no longer support Android 2.2, so the name
   * workaround is unnecessary), Bug 1081953, Bug 1061273, Bug 1166839.
   *
   * <p>See http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
   * for supported Android versions for each set of protocols and cipher suites.
   *
   * <p>Note that currently we need to support connections to Sync 1.1 on
   * Mozilla-hosted infra, as well as connections to FxA and Sync 1.5 on AWS.
   *
   * <p>ELB cipher suites:
   * http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html
   *
   * <p>The array is shared and mutable even though the field is final; copy it
   * (for example with {@code clone()}) instead of modifying it in place, since
   * a write would change the TLS configuration seen by every other reader.
   */
  public static final String[] DEFAULT_CIPHER_SUITES = selectCipherSuites();

  /**
   * TLS protocol versions enabled by default, newest first. The same
   * shared-mutable-array caveat as for {@link #DEFAULT_CIPHER_SUITES} applies.
   */
  public static final String[] DEFAULT_PROTOCOLS = selectProtocols();

  /**
   * Picks the cipher-suite list for the running platform from the
   * {@code Versions.feature*Plus} flags (presumably Android API-level checks;
   * they are defined in AppConstants.Versions, outside this file).
   *
   * <p>The trailing comment on each suite appears to give the Android API
   * levels on which it is available, per the SSLSocket reference.
   */
  private static String[] selectCipherSuites() {
    // Prioritize 128 over 256 as a tradeoff between device CPU/battery and the
    // minor increase in strength.
    if (Versions.feature26Plus) {
      // The DHE suite is not offered on this branch.
      return new String[] {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",   // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+

        // For Sync 1.1.
        "TLS_RSA_WITH_AES_128_CBC_SHA",              // 9+
      };
    }

    if (Versions.feature20Plus) {
      return new String[] {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",   // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",        // 11+
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",     // 20+
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",        // 11+

        // For Sync 1.1.
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",          // 9-25
        "TLS_RSA_WITH_AES_128_CBC_SHA",              // 9+
      };
    }

    // Oldest platforms: no GCM or SHA-2 suites are listed here, only CBC/SHA-1.
    return new String[] {
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",          // 11+
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",        // 11+
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",          // 11+

      // For Sync 1.1.
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",            // 9+
      "TLS_RSA_WITH_AES_128_CBC_SHA",                // 9+
    };
  }

  /**
   * Picks the protocol list for the running platform: TLSv1.2, TLSv1.1 and
   * TLSv1 when {@code Versions.feature16Plus} is set, otherwise TLSv1 alone.
   */
  private static String[] selectProtocols() {
    if (!Versions.feature16Plus) {
      // Fall back to TLSv1 if there's nothing better.
      return new String[] {
        "TLSv1",
      };
    }

    return new String[] {
      "TLSv1.2",
      "TLSv1.1",
      "TLSv1", // We would like to remove this, and will do so when we can.
    };
  }
}