From 08138228cab7aa6489c4939d378765723f5e0d8a Mon Sep 17 00:00:00 2001 From: M66B Date: Mon, 11 Jul 2022 12:21:47 +0200 Subject: [PATCH] Added option to require TLS 1.3 --- .../java/eu/faircode/email/EmailService.java | 36 +++++++++++++++++-- .../email/FragmentOptionsConnection.java | 17 ++++++++- .../eu/faircode/email/ServiceSynchronize.java | 2 +- .../layout/fragment_options_connection.xml | 15 +++++++- app/src/main/res/values/strings.xml | 1 + 5 files changed, 66 insertions(+), 5 deletions(-) diff --git a/app/src/main/java/eu/faircode/email/EmailService.java b/app/src/main/java/eu/faircode/email/EmailService.java index 96a5931117..aca31c2d5a 100644 --- a/app/src/main/java/eu/faircode/email/EmailService.java +++ b/app/src/main/java/eu/faircode/email/EmailService.java @@ -104,6 +104,7 @@ public class EmailService implements AutoCloseable { private boolean insecure; private int purpose; private boolean ssl_harden; + private boolean ssl_harden_strict; private boolean cert_strict; private boolean useip; private String ehlo; @@ -149,10 +150,17 @@ public class EmailService implements AutoCloseable { "SSLv2", "SSLv3", "TLSv1", "TLSv1.1" )); + private static final List SSL_PROTOCOL_BLACKLIST_STRICT = Collections.unmodifiableList(Arrays.asList( + "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" + )); + // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites private static final Pattern SSL_CIPHER_BLACKLIST = Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*"); + private static final Pattern SSL_CIPHER_BLACKLIST_STRICT = + Pattern.compile("(.*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV|RSA).*)|(.*SHA$)"); + // TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507 // TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746 
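Review bot: The new `SSL_PROTOCOL_BLACKLIST_STRICT` and `SSL_CIPHER_BLACKLIST_STRICT` constants in the `@@ -149,10 +150,17 @@` hunk carry no comment stating what "strict" means, while the neighbouring blacklists are annotated with reference links. From the values the intent is "TLS 1.3 only": every protocol below TLSv1.3 is listed, and the cipher pattern additionally drops any suite naming `RSA` or ending in bare `SHA`. Worth noting next to the pattern that the `RSA` term prunes TLS 1.2 suites with RSA key exchange or RSA signatures (`TLS_RSA_*`, `*_ECDHE_RSA_*`) but does not reject RSA server certificates, because TLS 1.3 suite names (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) carry no key-exchange or authentication component and pass the filter unchanged. Suggested comment: `// Strict: TLS 1.3 only; the cipher filter only prunes TLS 1.2 suites, TLS 1.3 AEAD suites pass`.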
@@ -183,6 +191,7 @@ public class EmailService implements AutoCloseable { this.log = prefs.getBoolean("protocol", false); this.level = prefs.getInt("log_level", Log.getDefaultLogLevel()); this.ssl_harden = prefs.getBoolean("ssl_harden", false); + this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false); this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE); boolean auth_plain = prefs.getBoolean("auth_plain", true); @@ -421,7 +430,7 @@ public class EmailService implements AutoCloseable { } } - factory = new SSLSocketFactoryService(host, insecure, ssl_harden, cert_strict, key, chain, fingerprint); + factory = new SSLSocketFactoryService(host, insecure, ssl_harden, ssl_harden_strict, cert_strict, key, chain, fingerprint); properties.put("mail." + protocol + ".ssl.socketFactory", factory); properties.put("mail." + protocol + ".socketFactory.fallback", "false"); properties.put("mail." + protocol + ".ssl.checkserveridentity", "false"); @@ -946,15 +955,17 @@ public class EmailService implements AutoCloseable { private String server; private boolean secure; private boolean ssl_harden; + private boolean ssl_harden_strict; private boolean cert_strict; private String trustedFingerprint; private SSLSocketFactory factory; private X509Certificate certificate; - SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException { + SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException { this.server = host; this.secure = !insecure; this.ssl_harden = ssl_harden; + this.ssl_harden_strict = ssl_harden_strict; this.cert_strict = cert_strict; this.trustedFingerprint = fingerprint; 
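Review bot: `SSLSocketFactoryService` now takes four adjacent `boolean` parameters (`insecure`, `ssl_harden`, `ssl_harden_strict`, `cert_strict`) and the call site in the `@@ -421,7 +430,7 @@` hunk passes them positionally, so a swapped argument compiles silently and inverts a hardening flag. The strict flag is only meaningful together with `ssl_harden`, yet the constructor accepts any combination and stores it without comment. Consider grouping the flags into a small value holder, or at least documenting the dependency on the new field, `private boolean ssl_harden_strict; // only honored when ssl_harden is also set`, so the next reader does not have to trace the gate in the socket configuration code. The constructor body continues past the end of this hunk.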
@@ -1152,6 +1163,27 @@ public class EmailService implements AutoCloseable { ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites())); ciphers.remove("TLS_FALLBACK_SCSV"); sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0])); + } else if (ssl_harden && ssl_harden_strict && + !BuildConfig.PLAY_STORE_RELEASE && + Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) { + // Protocols + List protocols = new ArrayList<>(); + for (String protocol : sslSocket.getEnabledProtocols()) + if (SSL_PROTOCOL_BLACKLIST_STRICT.contains(protocol)) + Log.i("SSL disabling protocol=" + protocol); + else + protocols.add(protocol); + sslSocket.setEnabledProtocols(protocols.toArray(new String[0])); + + // Ciphers + List ciphers = new ArrayList<>(); + for (String cipher : sslSocket.getEnabledCipherSuites()) { + if (SSL_CIPHER_BLACKLIST_STRICT.matcher(cipher).matches()) + Log.i("SSL disabling cipher=" + cipher); + else + ciphers.add(cipher); + } + sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0])); } else if (ssl_harden) { // Protocols List protocols = new ArrayList<>(); diff --git a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java index fd3582ff8a..cc8fe46dcd 100644 --- a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java +++ b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java @@ -76,6 +76,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre private SwitchCompat swTcpKeepAlive; private TextView tvTcpKeepAliveHint; private SwitchCompat swSslHarden; + private SwitchCompat swSslHardenStrict; private SwitchCompat swCertStrict; private Button btnManage; private TextView tvNetworkMetered; 
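Review bot: The strict branch hands `sslSocket.setEnabledProtocols(...)` whatever survives `SSL_PROTOCOL_BLACKLIST_STRICT` without checking that the surviving list is non-empty; if `getEnabledProtocols()` on a given device does not include `TLSv1.3` (the `>= Q` gate makes that unlikely but does not guarantee it, and whether a provider accepts an empty array is provider-dependent), the failure mode is an opaque provider exception instead of a clear "TLS 1.3 required" message. Suggest failing closed explicitly after the protocol loop, `if (protocols.isEmpty()) throw new SSLException("TLS 1.3 required but not available");` (an `IOException` subtype; use an unchecked type if the enclosing method, whose signature starts outside this hunk, does not declare `IOException`), and the same check on `ciphers` after the second loop. Separately, this branch is a near-copy of the existing `ssl_harden` branch below it with different blacklist constants, so one helper taking the protocol list and cipher pattern would keep the two in sync; and the protocol loop is unbraced while the cipher loop is braced.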
@@ -91,7 +92,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre "download_headers", "download_eml", "download_plain", "require_validated", "vpn_only", "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", - "ssl_harden", "cert_strict" + "ssl_harden", "ssl_harden_strict", "cert_strict" }; @Override @@ -121,6 +122,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive); tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint); swSslHarden = view.findViewById(R.id.swSslHarden); + swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict); swCertStrict = view.findViewById(R.id.swCertStrict); btnManage = view.findViewById(R.id.btnManage); @@ -283,6 +285,17 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre @Override public void onCheckedChanged(CompoundButton compoundButton, boolean checked) { prefs.edit().putBoolean("ssl_harden", checked).apply(); + swSslHardenStrict.setEnabled(checked); + } + }); + + swSslHardenStrict.setVisibility(BuildConfig.PLAY_STORE_RELEASE || + Build.VERSION.SDK_INT < Build.VERSION_CODES.Q + ? View.GONE : View.VISIBLE); + swSslHardenStrict.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() { + @Override + public void onCheckedChanged(CompoundButton compoundButton, boolean checked) { + prefs.edit().putBoolean("ssl_harden_strict", checked).apply(); } }); 
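Review bot: The visibility gate `BuildConfig.PLAY_STORE_RELEASE || Build.VERSION.SDK_INT < Build.VERSION_CODES.Q` in the `@@ -283,6 +285,17 @@` hunk duplicates the condition EmailService uses to decide whether strict hardening is applied, and the two must stay in sync or the UI will show a toggle that has no effect, or hide one that still applies through a restored preference. A single shared `static boolean` helper (name to be chosen, e.g. `EmailService.canHardenStrict()` as a constructed example) used in both places would remove that risk. Turning `ssl_harden` off only disables the strict switch and leaves `ssl_harden_strict` stored as true; that is harmless because EmailService tests `ssl_harden && ssl_harden_strict`, but a one-line comment in the listener, `// strict is only honored while ssl_harden is on`, saves the next reader the cross-file check.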
@@ -426,6 +439,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false)); swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false)); swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false)); + swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false)); + swSslHardenStrict.setEnabled(swSslHarden.isChecked()); swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE)); } diff --git a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java index ac17bc3fa2..ffb40e2a42 100644 --- a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java +++ b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java @@ -163,7 +163,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences "sync_folders", "sync_shared_folders", "download_headers", "download_eml", - "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "cert_strict", // force reconnect + "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", // force reconnect "experiments", "debug", "protocol", // force reconnect "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect "keep_alive_poll", "empty_pool", "idle_done", // force reconnect diff --git a/app/src/main/res/layout/fragment_options_connection.xml b/app/src/main/res/layout/fragment_options_connection.xml index ab3c814cb6..14eb736928 100644 --- a/app/src/main/res/layout/fragment_options_connection.xml +++ b/app/src/main/res/layout/fragment_options_connection.xml 
@@ -438,6 +438,7 @@ android:id="@+id/tvSslHardenHint" android:layout_width="0dp" android:layout_height="wrap_content" + android:layout_marginTop="12dp" android:layout_marginEnd="48dp" android:text="@string/title_advanced_ssl_harden_hint" android:textAppearance="@style/TextAppearance.AppCompat.Small" @@ -447,6 +448,18 @@ app:layout_constraintStart_toStartOf="parent" app:layout_constraintTop_toBottomOf="@id/swSslHarden" /> + + Standalone VPN TCP keep alive Harden SSL connections + Require TLS 1.3 Strict certificate checking Manage connectivity