Enable TLSv1.3 by default

9 months ago · 2e4bc7a305
parent 61bcf1bb75
commit 2e4bc7a305
1 changed files with 21 additions and 0 deletions
--- a/app/src/main/java/eu/faircode/email/EmailService.java
+++ b/app/src/main/java/eu/faircode/email/EmailService.java
@ -139,6 +139,10 @@ public class EmailService implements AutoCloseable {

    private static final int APPEND_BUFFER_SIZE = 4 * 1024 * 1024; // bytes

+    private static final List<String> SSL_PROTOCOL_INSECURE = Collections.unmodifiableList(Arrays.asList(
+            "SSLv2", "SSLv3"
+    ));
+
    // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#protocols
    private static final List<String> SSL_PROTOCOL_BLACKLIST = Collections.unmodifiableList(Arrays.asList(
            "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
@ -1128,6 +1132,8 @@ public class EmailService implements AutoCloseable {
                SSLSocket sslSocket = (SSLSocket) socket;

                if (!secure) {
+                    Log.i("SSL insecure");
+
                    // Protocols
                    sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols());

@ -1139,6 +1145,8 @@ public class EmailService implements AutoCloseable {
                } else if (ssl_harden && ssl_harden_strict &&
                        !BuildConfig.PLAY_STORE_RELEASE &&
                        Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+                    Log.i("SSL harden strict");
+
                    // Protocols
                    List<String> protocols = new ArrayList<>();
                    for (String protocol : sslSocket.getSupportedProtocols())
@ -1158,6 +1166,8 @@ public class EmailService implements AutoCloseable {
                    }
                    sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
                } else if (ssl_harden) {
+                    Log.i("SSL harden");
+
                    // Protocols
                    List<String> protocols = new ArrayList<>();
                    for (String protocol : sslSocket.getSupportedProtocols())
@ -1177,6 +1187,17 @@ public class EmailService implements AutoCloseable {
                    }
                    sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
                } else {
+                    Log.i("SSL default");
+
+                    // Protocols
+                    List<String> protocols = new ArrayList<>();
+                    for (String protocol : sslSocket.getSupportedProtocols())
+                        if (SSL_PROTOCOL_INSECURE.contains(protocol))
+                            Log.i("SSL disabling protocol=" + protocol);
+                        else
+                            protocols.add(protocol);
+                    sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
+
                    // Ciphers
                    List<String> ciphers = new ArrayList<>();
                    ciphers.addAll(Arrays.asList(sslSocket.getEnabledCipherSuites()));