diff --git a/app/src/main/java/eu/faircode/email/EmailService.java b/app/src/main/java/eu/faircode/email/EmailService.java
index cb5119e438..552a3b2e77 100644
--- a/app/src/main/java/eu/faircode/email/EmailService.java
+++ b/app/src/main/java/eu/faircode/email/EmailService.java
@@ -448,7 +448,8 @@ public class EmailService implements AutoCloseable {
}
boolean bc = prefs.getBoolean("bouncy_castle", false);
- factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, key, chain, fingerprint);
+ boolean fips = prefs.getBoolean("bc_fips", false);
+ factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, fips, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
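Review bot: `fips` is read from the preferences regardless of `bc`, so a stale `bc_fips=true` is handed to `SSLSocketFactoryService` even when Bouncy Castle is switched off; the factory only consults it inside `if (bc)`, so this is harmless at runtime, but the value passed (and logged there) will not reflect the effective configuration. Gating the read, `boolean fips = bc && prefs.getBoolean("bc_fips", false);`, makes the argument mean "FIPS mode in effect" rather than "switch was once ticked". The enclosing method starts before the hunk.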
@@ -1038,7 +1039,10 @@ public class EmailService implements AutoCloseable {
private SSLSocketFactory factory;
private X509Certificate certificate;
- SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean bc, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
+ SSLSocketFactoryService(String host, boolean insecure,
+ boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict,
+ boolean bc, boolean fips,
+ PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
this.ssl_harden = ssl_harden;
@@ -1050,10 +1054,10 @@ public class EmailService implements AutoCloseable {
SSLContext sslContext;
String protocol = (insecure ? "SSL" : "TLS");
if (bc)
- sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider());
+ sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider(fips));
else
sslContext = SSLContext.getInstance(protocol);
- Log.i("Using protocol=" + protocol + " bc=" + bc);
+ Log.i("Using protocol=" + protocol + " bc=" + bc + " FIPS=" + fips);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
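Review bot: The `FIPS=` token on the new log line, together with a preference named `bc_fips`, reads as a claim of FIPS-validated cryptography, but `new BouncyCastleJsseProvider(true)` only places BCJSSE in its FIPS-restricted TLS configuration (approved protocol versions and cipher suites); which JCE provider actually performs the key exchange, signatures and record encryption is not touched here and is not visible in this hunk, so the label overstates the guarantee unless a FIPS JCE provider is the one installed. A comment above `if (bc)` would keep that distinction in front of maintainers: `// BCJSSE fips mode restricts protocols/cipher suites to the FIPS-approved set; it does not by itself make the underlying crypto FIPS-validated`. Note also that `insecure` selects the `"SSL"` context name, which sits oddly with a FIPS-restricted configuration; if that combination fails, the `GeneralSecurityException` carries no hint which setting caused it, so a `Log.w` when `insecure && fips` would help diagnosis. Certificate validation is unaffected by the flag, since the trust manager still comes from the platform default `TrustManagerFactory` on the line below.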
diff --git a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
index 71d884a667..d4bf5fba56 100644
--- a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
+++ b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
@@ -93,6 +93,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swCertStrict;
private SwitchCompat swOpenSafe;
private SwitchCompat swBouncyCastle;
+ private SwitchCompat swFipsMode;
private Button btnManage;
private TextView tvNetworkMetered;
private TextView tvNetworkRoaming;
@@ -111,7 +112,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain",
"require_validated", "require_validated_captive", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
- "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle"
+ "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle", "bc_fips"
};
@Override
@@ -146,6 +147,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swCertStrict = view.findViewById(R.id.swCertStrict);
swOpenSafe = view.findViewById(R.id.swOpenSafe);
swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
+ swFipsMode = view.findViewById(R.id.swFipsMode);
btnManage = view.findViewById(R.id.btnManage);
tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@@ -354,6 +356,14 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("bouncy_castle", checked).apply();
+ swFipsMode.setEnabled(checked);
+ }
+ });
+
+ swFipsMode.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+ @Override
+ public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
+ prefs.edit().putBoolean("bc_fips", checked).apply();
}
});
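Review bot: Turning the Bouncy Castle switch off only calls `swFipsMode.setEnabled(checked)`; the stored `bc_fips` value is left in place, so it silently comes back into effect the next time Bouncy Castle is enabled. EmailService consults the flag only under `bc`, so this is a UX question rather than a runtime bug, but if the intent is that FIPS mode follows the Bouncy Castle choice, add `if (!checked) swFipsMode.setChecked(false);` after the `setEnabled` call, which routes through the FIPS listener and clears the preference. The new switch also arrives without any hint text in this change explaining that it restricts the TLS configuration and may make some servers unreachable, which a user toggling it will want to know.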
@@ -619,6 +629,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));
+ swFipsMode.setChecked(prefs.getBoolean("bc_fips", false));
+ swFipsMode.setEnabled(swBouncyCastle.isChecked());
} catch (Throwable ex) {
Log.e(ex);
}
diff --git a/app/src/main/java/eu/faircode/email/Log.java b/app/src/main/java/eu/faircode/email/Log.java
index 6aefae58da..43f7817ece 100644
--- a/app/src/main/java/eu/faircode/email/Log.java
+++ b/app/src/main/java/eu/faircode/email/Log.java
@@ -3614,33 +3614,44 @@ public class Log {
static SpannableStringBuilder getCiphers() {
SpannableStringBuilder ssb = new SpannableStringBuilderEx();
- for (Provider provider : new Provider[]{null, new BouncyCastleJsseProvider()})
+ for (Provider provider : new Provider[]{
+ null, // Android
+ new BouncyCastleJsseProvider(),
+ new BouncyCastleJsseProvider(true)})
for (String protocol : new String[]{"SSL", "TLS"})
try {
int begin = ssb.length();
- ssb.append("Protocol: ").append(protocol)
- .append(" ")
- .append(provider == null ? "Android" : provider.getClass().getSimpleName());
- ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
- ssb.append("\r\n\r\n");
-
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init((KeyStore) null);
-
- ssb.append("Provider: ").append(tmf.getProvider().getName()).append("\r\n");
- ssb.append("Algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
-
- TrustManager[] tms = tmf.getTrustManagers();
- if (tms != null)
- for (TrustManager tm : tms)
- ssb.append("Manager: ").append(tm.getClass().getName()).append("\r\n");
SSLContext sslContext = (provider == null
? SSLContext.getInstance(protocol)
: SSLContext.getInstance(protocol, provider));
+ ssb.append("SSL protocol: ").append(sslContext.getProtocol()).append("\r\n");
+ Provider sslProvider = sslContext.getProvider();
+ ssb.append("SSL provider: ").append(sslProvider.getName());
+ if (sslProvider instanceof BouncyCastleJsseProvider) {
+ boolean fips = ((BouncyCastleJsseProvider) sslProvider).isFipsMode();
+ if (fips)
+ ssb.append(" FIPS");
+ }
+ ssb.append("\r\n");
+ ssb.append("SSL class: ").append(sslProvider.getClass().getName()).append("\r\n");
- ssb.append("Context: ").append(sslContext.getProtocol()).append("\r\n\r\n");
+ ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
+ ssb.append("\r\n");
+
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init((KeyStore) null);
+
+ ssb.append("Trust provider: ").append(tmf.getProvider().getName()).append("\r\n");
+ ssb.append("Trust class: ").append(tmf.getProvider().getClass().getName()).append("\r\n");
+ ssb.append("Trust algorithm: ").append(tmf.getAlgorithm()).append("\r\n");
+
+ TrustManager[] tms = tmf.getTrustManagers();
+ if (tms != null)
+ for (TrustManager tm : tms)
+ ssb.append("Trust manager: ").append(tm.getClass().getName()).append("\r\n");
+ ssb.append("\r\n");
sslContext.init(null, tmf.getTrustManagers(), null);
SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket();
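Review bot: All three providers are constructed eagerly in the array on the new `for` header, outside the per-provider `try`; if `new BouncyCastleJsseProvider(true)` throws on a build or device where FIPS mode is not usable, the whole `getCiphers()` report is lost instead of that one entry being reported as failing like the errors presumably caught further down this loop. Iterating over the mode and constructing inside the `try` keeps the isolation: `for (Boolean fipsMode : new Boolean[]{null, false, true}) // null = Android`, then as the first statement in the `try`, `Provider provider = (fipsMode == null ? null : new BouncyCastleJsseProvider(fipsMode));`. The `isFipsMode()` branch that appends " FIPS" keeps working unchanged. The loop body, including what becomes of the created `SSLSocket`, continues past the end of the hunk.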
diff --git a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
index 5b5f47ac70..e0e5d612f8 100644
--- a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
+++ b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
@@ -170,7 +170,8 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders",
"sync_shared_folders",
"download_headers", "download_eml",
- "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", // force reconnect
+ "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
+ "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", "bc_fips", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect
diff --git a/app/src/main/res/layout/fragment_options_connection.xml b/app/src/main/res/layout/fragment_options_connection.xml
index 984725af44..adbfe23218 100644
--- a/app/src/main/res/layout/fragment_options_connection.xml
+++ b/app/src/main/res/layout/fragment_options_connection.xml
@@ -530,6 +530,18 @@
app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint"
app:switchPadding="12dp" />
+
+
+ app:layout_constraintTop_toBottomOf="@id/swFipsMode" />
Strict certificate checking
Open secure connections only
Use Bouncy Castle\'s secure socket provider (JSSE)
+ FIPS mode
Manage connectivity
General