mirror/FairEmail
1
0
Fork 0
mirror of https://github.com/M66B/FairEmail.git synced 2025-03-15 08:29:24 +00:00
Code Issues Releases Wiki Activity

Added option to require TLS 1.3

Browse source
This commit is contained in:
M66B 2022-07-11 12:21:47 +02:00
parent f38e54b7db
commit 08138228ca
5 changed files with 66 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
app/src/main/java/eu/faircode/email/EmailService.java
View file

@ -104,6 +104,7 @@ public class EmailService implements AutoCloseable {
private boolean insecure;
private int purpose;
private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict;
private boolean useip;
private String ehlo;
@ -149,10 +150,17 @@ public class EmailService implements AutoCloseable {
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
));
private static final List<String> SSL_PROTOCOL_BLACKLIST_STRICT = Collections.unmodifiableList(Arrays.asList(
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
));
// https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites
private static final Pattern SSL_CIPHER_BLACKLIST =
Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
private static final Pattern SSL_CIPHER_BLACKLIST_STRICT =
Pattern.compile("(.*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV|RSA).*)|(.*SHA$)");
// TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
@ -183,6 +191,7 @@ public class EmailService implements AutoCloseable {
this.log = prefs.getBoolean("protocol", false);
this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
this.ssl_harden = prefs.getBoolean("ssl_harden", false);
this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
boolean auth_plain = prefs.getBoolean("auth_plain", true);
@ -421,7 +430,7 @@ public class EmailService implements AutoCloseable {
}
}
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, cert_strict, key, chain, fingerprint);
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, ssl_harden_strict, cert_strict, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -946,15 +955,17 @@ public class EmailService implements AutoCloseable {
private String server;
private boolean secure;
private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict;
private String trustedFingerprint;
private SSLSocketFactory factory;
private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
this.ssl_harden = ssl_harden;
this.ssl_harden_strict = ssl_harden_strict;
this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint;
@ -1152,6 +1163,27 @@ public class EmailService implements AutoCloseable {
ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites()));
ciphers.remove("TLS_FALLBACK_SCSV");
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
} else if (ssl_harden && ssl_harden_strict &&
!BuildConfig.PLAY_STORE_RELEASE &&
Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
// Protocols
List<String> protocols = new ArrayList<>();
for (String protocol : sslSocket.getEnabledProtocols())
if (SSL_PROTOCOL_BLACKLIST_STRICT.contains(protocol))
Log.i("SSL disabling protocol=" + protocol);
else
protocols.add(protocol);
sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
// Ciphers
List<String> ciphers = new ArrayList<>();
for (String cipher : sslSocket.getEnabledCipherSuites()) {
if (SSL_CIPHER_BLACKLIST_STRICT.matcher(cipher).matches())
Log.i("SSL disabling cipher=" + cipher);
else
ciphers.add(cipher);
}
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
} else if (ssl_harden) {
// Protocols
List<String> protocols = new ArrayList<>();

17
app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
View file

@ -76,6 +76,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swTcpKeepAlive;
private TextView tvTcpKeepAliveHint;
private SwitchCompat swSslHarden;
private SwitchCompat swSslHardenStrict;
private SwitchCompat swCertStrict;
private Button btnManage;
private TextView tvNetworkMetered;
@ -91,7 +92,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain",
"require_validated", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_harden", "cert_strict"
"ssl_harden", "ssl_harden_strict", "cert_strict"
};
@Override
@ -121,6 +122,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive);
tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint);
swSslHarden = view.findViewById(R.id.swSslHarden);
swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
swCertStrict = view.findViewById(R.id.swCertStrict);
btnManage = view.findViewById(R.id.btnManage);
@ -283,6 +285,17 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("ssl_harden", checked).apply();
swSslHardenStrict.setEnabled(checked);
}
});
swSslHardenStrict.setVisibility(BuildConfig.PLAY_STORE_RELEASE ||
Build.VERSION.SDK_INT < Build.VERSION_CODES.Q
? View.GONE : View.VISIBLE);
swSslHardenStrict.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("ssl_harden_strict", checked).apply();
}
});
@ -426,6 +439,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false));
swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false));
swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false));
swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false));
swSslHardenStrict.setEnabled(swSslHarden.isChecked());
swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
}

2
app/src/main/java/eu/faircode/email/ServiceSynchronize.java
View file

@ -163,7 +163,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders",
"sync_shared_folders",
"download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "cert_strict", // force reconnect
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect

15
app/src/main/res/layout/fragment_options_connection.xml
View file

@ -438,6 +438,7 @@
android:id="@+id/tvSslHardenHint"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginTop="12dp"
android:layout_marginEnd="48dp"
android:text="@string/title_advanced_ssl_harden_hint"
android:textAppearance="@style/TextAppearance.AppCompat.Small"
@ -447,6 +448,18 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swSslHarden" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swSslHardenStrict"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginStart="12dp"
android:layout_marginTop="12dp"
android:text="@string/title_advanced_ssl_harden_strict"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint"
app:switchPadding="12dp" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swCertStrict"
android:layout_width="0dp"
@ -455,7 +468,7 @@
android:text="@string/title_advanced_cert_strict"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint"
app:layout_constraintTop_toBottomOf="@id/swSslHardenStrict"
app:switchPadding="12dp" />
<TextView

1
app/src/main/res/values/strings.xml
View file

@ -459,6 +459,7 @@
<string name="title_advanced_standalone_vpn" translatable="false">Standalone VPN</string>
<string name="title_advanced_tcp_keep_alive" translatable="false">TCP keep alive</string>
<string name="title_advanced_ssl_harden">Harden SSL connections</string>
<string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
<string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_manage_connectivity">Manage connectivity</string>