
Keep SCSV disabled for insecure connections

This commit is contained in:
M66B 2020-05-24 18:29:07 +02:00
parent 0e1a11509d
commit 3574e1f45e


@ -117,11 +117,8 @@ public class EmailService implements AutoCloseable {
private static final Pattern SSL_CIPHER_BLACKLIST = private static final Pattern SSL_CIPHER_BLACKLIST =
Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*"); Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
// TLS_FALLBACK_SCSV // TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV // TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
// https://security.stackexchange.com/questions/112531/is-tls-fallback-scsv-useless-if-only-tls-1-0-1-1-1-2-is-supported
// https://en.wikipedia.org/wiki/POODLE
// https://tools.ietf.org/html/rfc5746
private EmailService() { private EmailService() {
// Prevent instantiation // Prevent instantiation
@ -794,7 +791,7 @@ public class EmailService implements AutoCloseable {
secure ? sslSocket.getEnabledCipherSuites() : sslSocket.getSupportedCipherSuites()) { secure ? sslSocket.getEnabledCipherSuites() : sslSocket.getSupportedCipherSuites()) {
if (secure && harden && SSL_CIPHER_BLACKLIST.matcher(cipher).matches()) if (secure && harden && SSL_CIPHER_BLACKLIST.matcher(cipher).matches())
Log.i("SSL disabling cipher=" + cipher); Log.i("SSL disabling cipher=" + cipher);
else else if (secure || !cipher.endsWith("_SCSV"))
ciphers.add(cipher); ciphers.add(cipher);
} }
Log.i("SSL ciphers=" + TextUtils.join(",", ciphers)); Log.i("SSL ciphers=" + TextUtils.join(",", ciphers));
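Review bot: The new `else if (secure || !cipher.endsWith("_SCSV"))` drops the SCSV pseudo-suites from the insecure list silently, while the hardening branch two lines above logs every suite it removes; a third branch, `else Log.i("SSL skipping cipher=" + cipher);`, would keep the trace complete. Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the RFC 5746 secure-renegotiation signal rather than a cipher, so leaving it out of the enabled set is only harmless if the provider advertises secure renegotiation through the renegotiation_info extension regardless (Conscrypt appears to, but this is worth confirming on the oldest supported Android release rather than assumed). The insecure path still enables everything from getSupportedCipherSuites(), blacklist included; that is pre-existing, but a comment on the loop such as `// insecure: every supported suite except the SCSV markers, weak ones included` would make the intent explicit to the next reader. The enclosing method begins and ends outside the hunk.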