Added option to require TLS 1.3

M66B 3 years ago
parent f38e54b7db
commit 08138228ca

@ -104,6 +104,7 @@ public class EmailService implements AutoCloseable {
private boolean insecure; private boolean insecure;
private int purpose; private int purpose;
private boolean ssl_harden; private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict; private boolean cert_strict;
private boolean useip; private boolean useip;
private String ehlo; private String ehlo;
@ -149,10 +150,17 @@ public class EmailService implements AutoCloseable {
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1" "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
)); ));
private static final List<String> SSL_PROTOCOL_BLACKLIST_STRICT = Collections.unmodifiableList(Arrays.asList(
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
));
// https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites
private static final Pattern SSL_CIPHER_BLACKLIST = private static final Pattern SSL_CIPHER_BLACKLIST =
Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*"); Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
private static final Pattern SSL_CIPHER_BLACKLIST_STRICT =
Pattern.compile("(.*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV|RSA).*)|(.*SHA$)");
// TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507 // TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746 // TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
@ -183,6 +191,7 @@ public class EmailService implements AutoCloseable {
this.log = prefs.getBoolean("protocol", false); this.log = prefs.getBoolean("protocol", false);
this.level = prefs.getInt("log_level", Log.getDefaultLogLevel()); this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
this.ssl_harden = prefs.getBoolean("ssl_harden", false); this.ssl_harden = prefs.getBoolean("ssl_harden", false);
this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE); this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
boolean auth_plain = prefs.getBoolean("auth_plain", true); boolean auth_plain = prefs.getBoolean("auth_plain", true);
@ -421,7 +430,7 @@ public class EmailService implements AutoCloseable {
} }
} }
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, cert_strict, key, chain, fingerprint); factory = new SSLSocketFactoryService(host, insecure, ssl_harden, ssl_harden_strict, cert_strict, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory); properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false"); properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false"); properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -946,15 +955,17 @@ public class EmailService implements AutoCloseable {
private String server; private String server;
private boolean secure; private boolean secure;
private boolean ssl_harden; private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict; private boolean cert_strict;
private String trustedFingerprint; private String trustedFingerprint;
private SSLSocketFactory factory; private SSLSocketFactory factory;
private X509Certificate certificate; private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException { SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host; this.server = host;
this.secure = !insecure; this.secure = !insecure;
this.ssl_harden = ssl_harden; this.ssl_harden = ssl_harden;
this.ssl_harden_strict = ssl_harden_strict;
this.cert_strict = cert_strict; this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint; this.trustedFingerprint = fingerprint;
@ -1152,6 +1163,27 @@ public class EmailService implements AutoCloseable {
ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites())); ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites()));
ciphers.remove("TLS_FALLBACK_SCSV"); ciphers.remove("TLS_FALLBACK_SCSV");
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0])); sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
} else if (ssl_harden && ssl_harden_strict &&
!BuildConfig.PLAY_STORE_RELEASE &&
Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
// Protocols
List<String> protocols = new ArrayList<>();
for (String protocol : sslSocket.getEnabledProtocols())
if (SSL_PROTOCOL_BLACKLIST_STRICT.contains(protocol))
Log.i("SSL disabling protocol=" + protocol);
else
protocols.add(protocol);
sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
// Ciphers
List<String> ciphers = new ArrayList<>();
for (String cipher : sslSocket.getEnabledCipherSuites()) {
if (SSL_CIPHER_BLACKLIST_STRICT.matcher(cipher).matches())
Log.i("SSL disabling cipher=" + cipher);
else
ciphers.add(cipher);
}
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
} else if (ssl_harden) { } else if (ssl_harden) {
// Protocols // Protocols
List<String> protocols = new ArrayList<>(); List<String> protocols = new ArrayList<>();
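Review bot: The strict branch (`else if (ssl_harden && ssl_harden_strict && ...)`) hands `sslSocket.setEnabledProtocols` whatever survives `SSL_PROTOCOL_BLACKLIST_STRICT` without checking that anything is left, so on a provider whose enabled set has no TLSv1.3 the socket ends up with zero protocols and the failure mode is whatever the provider does with an empty array rather than a clear error. A guard before the call makes the requirement explicit, e.g. `if (protocols.isEmpty()) throw new IllegalStateException("TLSv1.3 not offered by the TLS provider");` (an `SSLException` instead if the enclosing method declares `IOException`; its signature is outside the hunk). The cipher pass that follows probably does little once only TLSv1.3 remains, since the TLS 1.3 suites neither contain `RSA` nor end in `SHA`, and on Conscrypt the TLS 1.3 suites are, as far as I recall, not controllable through `setEnabledCipherSuites` anyway, so a one-line comment such as `// cipher filtering kept for symmetry with the non-strict branch; TLS 1.3 suites are unaffected` would save the next reader a detour. The enclosing method starts before and ends after this hunk.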

@ -76,6 +76,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swTcpKeepAlive; private SwitchCompat swTcpKeepAlive;
private TextView tvTcpKeepAliveHint; private TextView tvTcpKeepAliveHint;
private SwitchCompat swSslHarden; private SwitchCompat swSslHarden;
private SwitchCompat swSslHardenStrict;
private SwitchCompat swCertStrict; private SwitchCompat swCertStrict;
private Button btnManage; private Button btnManage;
private TextView tvNetworkMetered; private TextView tvNetworkMetered;
@ -91,7 +92,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain", "download_headers", "download_eml", "download_plain",
"require_validated", "vpn_only", "require_validated", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_harden", "cert_strict" "ssl_harden", "ssl_harden_strict", "cert_strict"
}; };
@Override @Override
@ -121,6 +122,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive); swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive);
tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint); tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint);
swSslHarden = view.findViewById(R.id.swSslHarden); swSslHarden = view.findViewById(R.id.swSslHarden);
swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
swCertStrict = view.findViewById(R.id.swCertStrict); swCertStrict = view.findViewById(R.id.swCertStrict);
btnManage = view.findViewById(R.id.btnManage); btnManage = view.findViewById(R.id.btnManage);
@ -283,6 +285,17 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
@Override @Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) { public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("ssl_harden", checked).apply(); prefs.edit().putBoolean("ssl_harden", checked).apply();
swSslHardenStrict.setEnabled(checked);
}
});
swSslHardenStrict.setVisibility(BuildConfig.PLAY_STORE_RELEASE ||
Build.VERSION.SDK_INT < Build.VERSION_CODES.Q
? View.GONE : View.VISIBLE);
swSslHardenStrict.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("ssl_harden_strict", checked).apply();
} }
}); });
@ -426,6 +439,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false)); swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false));
swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false)); swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false));
swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false)); swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false));
swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false));
swSslHardenStrict.setEnabled(swSslHarden.isChecked());
swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE)); swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
} }
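Review bot: Switching `swSslHarden` off only greys out `swSslHardenStrict` via `setEnabled(checked)` in the first listener, but `ssl_harden_strict` stays stored as true, so re-enabling hardening later silently restores TLS 1.3-only mode without the user touching the strict switch. If that coupling is intended it deserves a comment; otherwise clear the dependent setting when hardening is disabled, e.g. `if (!checked) swSslHardenStrict.setChecked(false);` after the `setEnabled` call, which routes through the strict listener and rewrites the preference. Hiding the switch on Play Store builds and pre-Q devices mirrors the gate in EmailService, but a preference that is already true on such a device (for instance after a settings import) would be invisible here and is only harmless because EmailService re-checks the same two conditions; a short comment next to the visibility line saying so would keep the two gates from drifting apart.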

@ -163,7 +163,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders", "sync_folders",
"sync_shared_folders", "sync_shared_folders",
"download_headers", "download_eml", "download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "cert_strict", // force reconnect "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", // force reconnect
"experiments", "debug", "protocol", // force reconnect "experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect "keep_alive_poll", "empty_pool", "idle_done", // force reconnect

@ -438,6 +438,7 @@
android:id="@+id/tvSslHardenHint" android:id="@+id/tvSslHardenHint"
android:layout_width="0dp" android:layout_width="0dp"
android:layout_height="wrap_content" android:layout_height="wrap_content"
android:layout_marginTop="12dp"
android:layout_marginEnd="48dp" android:layout_marginEnd="48dp"
android:text="@string/title_advanced_ssl_harden_hint" android:text="@string/title_advanced_ssl_harden_hint"
android:textAppearance="@style/TextAppearance.AppCompat.Small" android:textAppearance="@style/TextAppearance.AppCompat.Small"
@ -447,6 +448,18 @@
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swSslHarden" /> app:layout_constraintTop_toBottomOf="@id/swSslHarden" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swSslHardenStrict"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginStart="12dp"
android:layout_marginTop="12dp"
android:text="@string/title_advanced_ssl_harden_strict"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint"
app:switchPadding="12dp" />
<androidx.appcompat.widget.SwitchCompat <androidx.appcompat.widget.SwitchCompat
android:id="@+id/swCertStrict" android:id="@+id/swCertStrict"
android:layout_width="0dp" android:layout_width="0dp"
@ -455,7 +468,7 @@
android:text="@string/title_advanced_cert_strict" android:text="@string/title_advanced_cert_strict"
app:layout_constraintEnd_toEndOf="parent" app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent" app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvSslHardenHint" app:layout_constraintTop_toBottomOf="@id/swSslHardenStrict"
app:switchPadding="12dp" /> app:switchPadding="12dp" />
<TextView <TextView
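Review bot: The new `swSslHardenStrict` switch has no hint text, unlike `swSslHarden`, which is followed by `tvSslHardenHint`; a setting that makes every connection fail against a server that does not negotiate TLS 1.3 should say so in the UI rather than rely on the label alone. Add a small `TextView` in the style of `tvSslHardenHint` directly below the switch, and re-anchor `swCertStrict` to that hint instead of to `@id/swSslHardenStrict`, with a string along the lines of `Connections to servers that do not support TLS 1.3 will fail`. The strings.xml section only adds the switch title, so the hint string would need to be added there as well.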

@ -459,6 +459,7 @@
<string name="title_advanced_standalone_vpn" translatable="false">Standalone VPN</string> <string name="title_advanced_standalone_vpn" translatable="false">Standalone VPN</string>
<string name="title_advanced_tcp_keep_alive" translatable="false">TCP keep alive</string> <string name="title_advanced_tcp_keep_alive" translatable="false">TCP keep alive</string>
<string name="title_advanced_ssl_harden">Harden SSL connections</string> <string name="title_advanced_ssl_harden">Harden SSL connections</string>
<string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
<string name="title_advanced_cert_strict">Strict certificate checking</string> <string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_manage_connectivity">Manage connectivity</string> <string name="title_advanced_manage_connectivity">Manage connectivity</string>
