Broken in Android 6? #16

Open
daveeeh opened this issue Oct 7, 2015 · 6 comments

daveeeh commented Oct 7, 2015

Can anyone confirm whether this is broken in Android 6 due to the removal of various ciphers?

I get the following in LogCat - Caused by: java.lang.IllegalArgumentException: cipherSuite SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA is not supported.

And have tracked down the following link https://code.google.com/p/android-developer-preview/issues/detail?id=3056

@instagibbs

Can confirm it has been deprecated.

Unfortunately that cipher is listed as a required cipher in the Tor spec: https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt

Connections between two Tor relays, or between a client and a relay,
use TLS/SSLv3 for link authentication and encryption. All
implementations MUST support the SSLv3 ciphersuite
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", and SHOULD support the TLS
ciphersuite "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available.

I think someone needs to go ask Android pros if there are work-arounds.

edit: Doesn't look like any quick workarounds are possible. Apparently, although I haven't been offered real evidence yet, that cipher is no longer mandatory, but probably requires an updated version of the protocol.

An additional mandatory cipher is also disabled, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

If you comment them out it just hangs and fails to connect.

axet commented Oct 24, 2016

Can we use bouncycastle to achieve this? Of course for Android we have to use spongycastle.

EDIT: seems like bouncycastle has no support for SSLContext.getInstance()

axet commented Oct 26, 2016

Now it is saying:

Connections between two Tor relays, or between a client and a relay,
use TLS/SSLv3 for link authentication and encryption. All
implementations MUST support the SSLv3 ciphersuite
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available. They SHOULD
support better ciphersuites if available.

tizbac commented Feb 13, 2017

I can confirm it too, the library is unusable on Android >= 6

tizbac commented Feb 13, 2017

Commenting setenabledciphers on the socket actually works

daveeeh commented Mar 9, 2017

@tizbac can you explain more?
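
One way to avoid the IllegalArgumentException quoted in the first comment, as an added example that is not part of this thread or the project's own code: keep only the requested suites that the platform reports as supported before calling `setEnabledCipherSuites`. The class and method names (`CipherSuiteFilter`, `supportedSubset`, `applyPreferred`) and the preference order are assumptions; whether the remaining suites are enough for a relay to complete the handshake is not shown here.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper, not the library's own code.
public class CipherSuiteFilter {

    // Suites named in the thread, in an assumed preference order (AES first).
    static final String[] PREFERRED = {
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    };

    // Returns the preferred suites the platform supports, keeping preference order.
    static String[] supportedSubset(String[] preferred, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (String suite : preferred) {
            if (available.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable.toArray(new String[0]);
    }

    // Applies the filtered list; with no overlap the platform defaults stay in place,
    // because setEnabledCipherSuites rejects unsupported names with IllegalArgumentException.
    static String[] applyPreferred(SSLSocket socket, String[] preferred) {
        String[] usable = supportedSubset(preferred, socket.getSupportedCipherSuites());
        if (usable.length > 0) {
            socket.setEnabledCipherSuites(usable);
        }
        return socket.getEnabledCipherSuites();
    }

    public static void main(String[] args) throws IOException {
        // Unconnected socket: enough to inspect and set suites without any network traffic.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println(Arrays.toString(applyPreferred(socket, PREFERRED)));
        }
    }
}
```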
