From 2e4bc7a305984180624104dc3b5446a710c1b411 Mon Sep 17 00:00:00 2001
From: M66B
Date: Wed, 13 Dec 2023 16:15:33 +0100
Subject: [PATCH] Enable TLSv1.3 by default
---
 .../java/eu/faircode/email/EmailService.java | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/app/src/main/java/eu/faircode/email/EmailService.java b/app/src/main/java/eu/faircode/email/EmailService.java
index c25570ba7b..b283993143 100644
--- a/app/src/main/java/eu/faircode/email/EmailService.java
+++ b/app/src/main/java/eu/faircode/email/EmailService.java
@@ -139,6 +139,10 @@ public class EmailService implements AutoCloseable {
 private static final int APPEND_BUFFER_SIZE = 4 * 1024 * 1024; // bytes
+ private static final List SSL_PROTOCOL_INSECURE = Collections.unmodifiableList(Arrays.asList(
+ "SSLv2", "SSLv3"
+ ));
+
 // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#protocols
 private static final List SSL_PROTOCOL_BLACKLIST = Collections.unmodifiableList(Arrays.asList(
 "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
@@ -1128,6 +1132,8 @@ public class EmailService implements AutoCloseable {
 SSLSocket sslSocket = (SSLSocket) socket;
 if (!secure) {
+ Log.i("SSL insecure");
+
 // Protocols
 sslSocket.setEnabledProtocols(sslSocket.getSupportedProtocols());
@@ -1139,6 +1145,8 @@ public class EmailService implements AutoCloseable {
 } else if (ssl_harden && ssl_harden_strict && !BuildConfig.PLAY_STORE_RELEASE && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+ Log.i("SSL harden strict");
+
 // Protocols
 List protocols = new ArrayList<>();
 for (String protocol : sslSocket.getSupportedProtocols())
@@ -1158,6 +1166,8 @@ public class EmailService implements AutoCloseable {
 }
 sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
 } else if (ssl_harden) {
+ Log.i("SSL harden");
+
 // Protocols
 List protocols = new ArrayList<>();
 for (String protocol : sslSocket.getSupportedProtocols())
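Review bot: SSL_PROTOCOL_INSECURE repeats the first two entries of SSL_PROTOCOL_BLACKLIST without saying why the two lists differ, so a later reader cannot tell whether leaving TLSv1 and TLSv1.1 out of the new list (and therefore enabled in the default path) is a deliberate compatibility decision or an oversight. A short comment above the new constant would settle that, e.g. `// Dropped even in the non-hardened default path; TLSv1/TLSv1.1 are kept there for server compatibility (SSL_PROTOCOL_BLACKLIST is the hardened set)` — adjusted if the intent is different. Expressing SSL_PROTOCOL_BLACKLIST as the insecure list plus the two deprecated TLS versions would also keep the two from drifting apart. Both constants appear here as raw `List`; if that is not just the rendering stripping the type argument, they should be declared `List<String>`.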
@@ -1177,6 +1187,17 @@ public class EmailService implements AutoCloseable {
 }
 sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
 } else {
+ Log.i("SSL default");
+
+ // Protocols
+ List protocols = new ArrayList<>();
+ for (String protocol : sslSocket.getSupportedProtocols())
+ if (SSL_PROTOCOL_INSECURE.contains(protocol))
+ Log.i("SSL disabling protocol=" + protocol);
+ else
+ protocols.add(protocol);
+ sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
+
 // Ciphers
 List ciphers = new ArrayList<>();
 ciphers.addAll(Arrays.asList(sslSocket.getEnabledCipherSuites()));
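Review bot: The new default branch enables every protocol the socket reports as supported except SSLv2/SSLv3, so TLSv1 and TLSv1.1 remain enabled by default even though the hardened branches already treat them as blacklisted; that trade-off should be stated at the `// Protocols` line, e.g. `// Default: enable all supported protocols (this is what turns on TLSv1.3); only SSLv2/SSLv3 are dropped, TLSv1/TLSv1.1 stay for compatibility`. On platforms that never list SSLv2/SSLv3 as supported the filter is a no-op and `Log.i("SSL disabling protocol=" + protocol)` will not fire, which is presumably fine but worth knowing when reading logs. Note that the existing `// Ciphers` block below reads `getEnabledCipherSuites()` after the protocol set has been changed, so the enabled suite list it starts from may now differ from before this commit — confirm that is intended. The enclosing method starts and ends outside the hunk.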