Added optional BC JSSE provider

app/build.gradle

@@ -716,6 +716,7 @@ dependencies {
     // https://www.bouncycastle.org/latest_releases.html
     // https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on
     implementation "org.bouncycastle:bcpkix-jdk15to18:$bouncycastle_version"
+    implementation "org.bouncycastle:bctls-jdk15to18:$bouncycastle_version"
 
     // https://github.com/openid/AppAuth-Android
     // https://mvnrepository.com/artifact/net.openid/appauth

app/src/main/java/eu/faircode/email/EmailService.java

@@ -46,6 +46,8 @@ import com.sun.mail.util.MailConnectException;
 import com.sun.mail.util.SocketConnectException;
 import com.sun.mail.util.TraceOutputStream;
 
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -445,7 +447,8 @@ public class EmailService implements AutoCloseable {
                     }
                 }
 
-            factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, key, chain, fingerprint);
+            boolean bc = prefs.getBoolean("bouncy_castle", false);
+            factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, key, chain, fingerprint);
             properties.put("mail." + protocol + ".ssl.socketFactory", factory);
             properties.put("mail." + protocol + ".socketFactory.fallback", "false");
             properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@@ -1035,7 +1038,7 @@ public class EmailService implements AutoCloseable {
         private SSLSocketFactory factory;
         private X509Certificate certificate;
 
-        SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
+        SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean bc, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
             this.server = host;
             this.secure = !insecure;
             this.ssl_harden = ssl_harden;
@@ -1044,7 +1047,13 @@ public class EmailService implements AutoCloseable {
             this.trustedFingerprint = fingerprint;
 
             // https://developer.android.com/about/versions/oreo/android-8.0-changes.html#security-all
-            SSLContext sslContext = SSLContext.getInstance(insecure ? "SSL" : "TLS");
+            SSLContext sslContext;
+            String protocol = (insecure ? "SSL" : "TLS");
+            if (bc)
+                sslContext = SSLContext.getInstance(protocol, new BouncyCastleJsseProvider());
+            else
+                sslContext = SSLContext.getInstance(protocol);
+            Log.i("Using protocol=" + protocol + " bc=" + bc);
 
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
             tmf.init((KeyStore) null);

app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java

@@ -92,6 +92,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
     private SwitchCompat swSslHardenStrict;
     private SwitchCompat swCertStrict;
     private SwitchCompat swOpenSafe;
+    private SwitchCompat swBouncyCastle;
     private Button btnManage;
     private TextView tvNetworkMetered;
     private TextView tvNetworkRoaming;
@@ -110,7 +111,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             "download_headers", "download_eml", "download_plain",
             "require_validated", "require_validated_captive", "vpn_only",
             "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
-            "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe"
+            "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "bouncy_castle"
     };
 
     @Override
@@ -144,6 +145,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
         swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
         swCertStrict = view.findViewById(R.id.swCertStrict);
         swOpenSafe = view.findViewById(R.id.swOpenSafe);
+        swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
         btnManage = view.findViewById(R.id.btnManage);
 
         tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@@ -348,6 +350,13 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             }
         });
 
+        swBouncyCastle.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+            @Override
+            public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
+                prefs.edit().putBoolean("bouncy_castle", checked).apply();
+            }
+        });
+
         final Intent manage = getIntentConnectivity();
         PackageManager pm = getContext().getPackageManager();
         btnManage.setVisibility(
@@ -609,6 +618,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             swSslHardenStrict.setEnabled(swSslHarden.isChecked());
             swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
             swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
+            swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));
         } catch (Throwable ex) {
             Log.e(ex);
         }

app/src/main/java/eu/faircode/email/Log.java

@@ -124,6 +124,7 @@ import com.sun.mail.util.MailConnectException;
 import net.openid.appauth.AuthState;
 import net.openid.appauth.TokenResponse;
 
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -3613,10 +3614,13 @@ public class Log {
     static SpannableStringBuilder getCiphers() {
         SpannableStringBuilder ssb = new SpannableStringBuilderEx();
 
+        for (Provider provider : new Provider[]{null, new BouncyCastleJsseProvider()})
             for (String protocol : new String[]{"SSL", "TLS"})
                 try {
                     int begin = ssb.length();
-                ssb.append("Protocol: ").append(protocol);
+                    ssb.append("Protocol: ").append(protocol)
+                            .append(" ")
+                            .append(provider == null ? "Android" : provider.getClass().getSimpleName());
                     ssb.setSpan(new StyleSpan(Typeface.BOLD), begin, ssb.length(), 0);
                     ssb.append("\r\n\r\n");
 
@@ -3631,7 +3635,10 @@ public class Log {
                         for (TrustManager tm : tms)
                             ssb.append("Manager: ").append(tm.getClass().getName()).append("\r\n");
 
-                SSLContext sslContext = SSLContext.getInstance(protocol);
+                    SSLContext sslContext = (provider == null
+                            ? SSLContext.getInstance(protocol)
+                            : SSLContext.getInstance(protocol, provider));
+
 
                     ssb.append("Context: ").append(sslContext.getProtocol()).append("\r\n\r\n");
 

app/src/main/java/eu/faircode/email/ServiceSynchronize.java

@@ -170,7 +170,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
             "sync_folders",
             "sync_shared_folders",
             "download_headers", "download_eml",
-            "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", // force reconnect
+            "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", // force reconnect
             "experiments", "debug", "protocol", // force reconnect
             "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
             "keep_alive_poll", "empty_pool", "idle_done", // force reconnect

app/src/main/res/layout/fragment_options_connection.xml

@@ -519,6 +519,17 @@
                     app:layout_constraintStart_toStartOf="parent"
                     app:layout_constraintTop_toBottomOf="@id/swOpenSafe" />
 
+                <androidx.appcompat.widget.SwitchCompat
+                    android:id="@+id/swBouncyCastle"
+                    android:layout_width="0dp"
+                    android:layout_height="wrap_content"
+                    android:layout_marginTop="12dp"
+                    android:text="@string/title_advanced_bouncy_castle"
+                    app:layout_constraintEnd_toEndOf="parent"
+                    app:layout_constraintStart_toStartOf="parent"
+                    app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint"
+                    app:switchPadding="12dp" />
+
                 <Button
                     android:id="@+id/btnManage"
                     style="?android:attr/buttonStyleSmall"
@@ -529,7 +540,7 @@
                     android:drawablePadding="6dp"
                     android:text="@string/title_advanced_manage_connectivity"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/tvOpenSafeHint" />
+                    app:layout_constraintTop_toBottomOf="@id/swBouncyCastle" />
 
                 <TextView
                     android:id="@+id/tvNetworkMetered"

app/src/main/res/values/strings.xml

@@ -517,6 +517,7 @@
     <string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
     <string name="title_advanced_cert_strict">Strict certificate checking</string>
     <string name="title_advanced_open_safe">Open secure connections only</string>
+    <string name="title_advanced_bouncy_castle">Bouncy Castle</string>
     <string name="title_advanced_manage_connectivity">Manage connectivity</string>
 
     <string name="title_advanced_caption_general">General</string>