|
|
@ -104,6 +104,7 @@ public class EmailService implements AutoCloseable {
|
|
|
|
private boolean insecure;
|
|
|
|
private boolean insecure;
|
|
|
|
private int purpose;
|
|
|
|
private int purpose;
|
|
|
|
private boolean ssl_harden;
|
|
|
|
private boolean ssl_harden;
|
|
|
|
|
|
|
|
private boolean ssl_harden_strict;
|
|
|
|
private boolean cert_strict;
|
|
|
|
private boolean cert_strict;
|
|
|
|
private boolean useip;
|
|
|
|
private boolean useip;
|
|
|
|
private String ehlo;
|
|
|
|
private String ehlo;
|
|
|
@ -149,10 +150,17 @@ public class EmailService implements AutoCloseable {
|
|
|
|
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
|
|
|
|
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
|
|
|
|
));
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private static final List<String> SSL_PROTOCOL_BLACKLIST_STRICT = Collections.unmodifiableList(Arrays.asList(
|
|
|
|
|
|
|
|
"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
|
|
|
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
|
|
// https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites
|
|
|
|
// https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites
|
|
|
|
private static final Pattern SSL_CIPHER_BLACKLIST =
|
|
|
|
private static final Pattern SSL_CIPHER_BLACKLIST =
|
|
|
|
Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
|
|
|
|
Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private static final Pattern SSL_CIPHER_BLACKLIST_STRICT =
|
|
|
|
|
|
|
|
Pattern.compile("(.*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV|RSA).*)|(.*SHA$)");
|
|
|
|
|
|
|
|
|
|
|
|
// TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
|
|
|
|
// TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
|
|
|
|
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
|
|
|
|
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
|
|
|
|
|
|
|
|
|
|
|
@ -183,6 +191,7 @@ public class EmailService implements AutoCloseable {
|
|
|
|
this.log = prefs.getBoolean("protocol", false);
|
|
|
|
this.log = prefs.getBoolean("protocol", false);
|
|
|
|
this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
|
|
|
|
this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
|
|
|
|
this.ssl_harden = prefs.getBoolean("ssl_harden", false);
|
|
|
|
this.ssl_harden = prefs.getBoolean("ssl_harden", false);
|
|
|
|
|
|
|
|
this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
|
|
|
|
this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
|
|
|
|
this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
|
|
|
|
|
|
|
|
|
|
|
|
boolean auth_plain = prefs.getBoolean("auth_plain", true);
|
|
|
|
boolean auth_plain = prefs.getBoolean("auth_plain", true);
|
|
|
@ -421,7 +430,7 @@ public class EmailService implements AutoCloseable {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, cert_strict, key, chain, fingerprint);
|
|
|
|
factory = new SSLSocketFactoryService(host, insecure, ssl_harden, ssl_harden_strict, cert_strict, key, chain, fingerprint);
|
|
|
|
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
|
|
|
|
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
|
|
|
|
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
|
|
|
|
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
|
|
|
|
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
|
|
|
|
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
|
|
|
@ -946,15 +955,17 @@ public class EmailService implements AutoCloseable {
|
|
|
|
private String server;
|
|
|
|
private String server;
|
|
|
|
private boolean secure;
|
|
|
|
private boolean secure;
|
|
|
|
private boolean ssl_harden;
|
|
|
|
private boolean ssl_harden;
|
|
|
|
|
|
|
|
private boolean ssl_harden_strict;
|
|
|
|
private boolean cert_strict;
|
|
|
|
private boolean cert_strict;
|
|
|
|
private String trustedFingerprint;
|
|
|
|
private String trustedFingerprint;
|
|
|
|
private SSLSocketFactory factory;
|
|
|
|
private SSLSocketFactory factory;
|
|
|
|
private X509Certificate certificate;
|
|
|
|
private X509Certificate certificate;
|
|
|
|
|
|
|
|
|
|
|
|
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
|
|
|
|
SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
|
|
|
|
this.server = host;
|
|
|
|
this.server = host;
|
|
|
|
this.secure = !insecure;
|
|
|
|
this.secure = !insecure;
|
|
|
|
this.ssl_harden = ssl_harden;
|
|
|
|
this.ssl_harden = ssl_harden;
|
|
|
|
|
|
|
|
this.ssl_harden_strict = ssl_harden_strict;
|
|
|
|
this.cert_strict = cert_strict;
|
|
|
|
this.cert_strict = cert_strict;
|
|
|
|
this.trustedFingerprint = fingerprint;
|
|
|
|
this.trustedFingerprint = fingerprint;
|
|
|
|
|
|
|
|
|
|
|
@ -1152,6 +1163,27 @@ public class EmailService implements AutoCloseable {
|
|
|
|
ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites()));
|
|
|
|
ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites()));
|
|
|
|
ciphers.remove("TLS_FALLBACK_SCSV");
|
|
|
|
ciphers.remove("TLS_FALLBACK_SCSV");
|
|
|
|
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
|
|
|
|
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
|
|
|
|
|
|
|
|
} else if (ssl_harden && ssl_harden_strict &&
|
|
|
|
|
|
|
|
!BuildConfig.PLAY_STORE_RELEASE &&
|
|
|
|
|
|
|
|
Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
|
|
|
|
|
|
|
|
// Protocols
|
|
|
|
|
|
|
|
List<String> protocols = new ArrayList<>();
|
|
|
|
|
|
|
|
for (String protocol : sslSocket.getEnabledProtocols())
|
|
|
|
|
|
|
|
if (SSL_PROTOCOL_BLACKLIST_STRICT.contains(protocol))
|
|
|
|
|
|
|
|
Log.i("SSL disabling protocol=" + protocol);
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
protocols.add(protocol);
|
|
|
|
|
|
|
|
sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Ciphers
|
|
|
|
|
|
|
|
List<String> ciphers = new ArrayList<>();
|
|
|
|
|
|
|
|
for (String cipher : sslSocket.getEnabledCipherSuites()) {
|
|
|
|
|
|
|
|
if (SSL_CIPHER_BLACKLIST_STRICT.matcher(cipher).matches())
|
|
|
|
|
|
|
|
Log.i("SSL disabling cipher=" + cipher);
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
ciphers.add(cipher);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
|
|
|
|
} else if (ssl_harden) {
|
|
|
|
} else if (ssl_harden) {
|
|
|
|
// Protocols
|
|
|
|
// Protocols
|
|
|
|
List<String> protocols = new ArrayList<>();
|
|
|
|
List<String> protocols = new ArrayList<>();
|
|
|
|