diff --git a/app/src/main/java/eu/faircode/email/EmailService.java b/app/src/main/java/eu/faircode/email/EmailService.java
index 7ee754eaf5..2545ba20ce 100644
--- a/app/src/main/java/eu/faircode/email/EmailService.java
+++ b/app/src/main/java/eu/faircode/email/EmailService.java
@@ -75,7 +75,6 @@ import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
-import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.ExecutorService;
import java.util.regex.Pattern;
@@ -106,9 +105,9 @@ public class EmailService implements AutoCloseable {
private Context context;
private String protocol;
private boolean insecure;
- private boolean anchor;
private int purpose;
private boolean harden;
+ private boolean cert_strict;
private boolean useip;
private String ehlo;
private boolean log;
@@ -186,8 +185,8 @@ public class EmailService implements AutoCloseable {
prefs.edit().putBoolean("protocol", false).apply();
this.log = prefs.getBoolean("protocol", false);
this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
- this.anchor = prefs.getBoolean("ssl_anchor", !BuildConfig.PLAY_STORE_RELEASE);
this.harden = prefs.getBoolean("ssl_harden", false);
+ this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
boolean auth_plain = prefs.getBoolean("auth_plain", true);
boolean auth_login = prefs.getBoolean("auth_login", true);
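Review bot: Reading the new key `cert_strict` without carrying over the stored `ssl_anchor` value means a user who had explicitly enabled anchor checking falls back to the default `!BuildConfig.PLAY_STORE_RELEASE`, which is `false` on Play Store builds. No migration is visible in this diff, so unless one exists elsewhere the upgrade silently relaxes certificate checking for those users. A one-time copy before this read would keep the choice, for example `if (prefs.contains("ssl_anchor")) prefs.edit().putBoolean("cert_strict", prefs.getBoolean("ssl_anchor", false)).remove("ssl_anchor").apply();`. The enclosing constructor starts and ends outside this hunk.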
@@ -408,7 +407,7 @@ public class EmailService implements AutoCloseable {
}
}
- factory = new SSLSocketFactoryService(host, insecure, anchor, harden, key, chain, fingerprint);
+ factory = new SSLSocketFactoryService(host, insecure, harden, cert_strict, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@@ -946,17 +945,17 @@ public class EmailService implements AutoCloseable {
// openssl s_client -connect host:port < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
private String server;
private boolean secure;
- private boolean anchor;
private boolean harden;
+ private boolean cert_strict;
private String trustedFingerprint;
private SSLSocketFactory factory;
private X509Certificate certificate;
- SSLSocketFactoryService(String host, boolean insecure, boolean anchor, boolean harden, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
+ SSLSocketFactoryService(String host, boolean insecure, boolean harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
- this.anchor = anchor;
this.harden = harden;
+ this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint;
SSLContext sslContext = SSLContext.getInstance("TLS");
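Review bot: The constructor keeps two adjacent `boolean` parameters but changes what each position means: the third argument was `anchor` and is now `harden`, and the fourth was `harden` and is now `cert_strict`. Any call site not updated with this commit would still compile and would pass the wrong flag into the certificate checks; only the one call in `EmailService` is visible in this diff. I would add a short Javadoc on the constructor that names each flag, e.g. `@param harden disable weak protocols and ciphers` and `@param cert_strict reject chains without a trust anchor and skip the IP address fallback`, and check for other callers. The constructor body continues outside the hunk.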
@@ -1003,7 +1002,7 @@ public class EmailService implements AutoCloseable {
if (ex.getCause() instanceof CertPathValidatorException &&
"Trust anchor for certification path not found."
.equals(ex.getCause().getMessage())) {
- if (anchor)
+ if (cert_strict)
throw new CertificateException(principal.getName(), ex);
else
Log.w(ex);
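Review bot: The `else` branch accepts a chain for which no trust anchor was found and records it only through `Log.w(ex)`, and with the default from the constructor hunk that is the behaviour on Play Store builds. This deserves a comment at the branch, since `cert_strict` now reads as a general switch and the consequence is not obvious from the name: `// non-strict: an unanchored chain is tolerated here; the remaining checks in this method are then the only protection`. What those remaining checks are is outside this hunk, so the wording should be confirmed against the full method. The branch also depends on an exact exception message string, which is worth noting in the same comment.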
@@ -1019,7 +1018,7 @@ public class EmailService implements AutoCloseable {
return;
// Fallback: check server/certificate IP address
- if (!harden)
+ if (!cert_strict)
try {
InetAddress ip = InetAddress.getByName(server);
for (String name : names) {
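Review bot: Switching the guard from `!harden` to `!cert_strict` means that enabling "Harden SSL connections" no longer turns off the IP address fallback. A user who enabled `ssl_harden` and leaves `cert_strict` at its Play Store default of `false` gets the fallback back after this change. If that is not intended, `if (!cert_strict && !harden)` keeps the old protection while adding the new switch. The address compared here comes from `InetAddress.getByName(server)`, so the fallback appears to be only as trustworthy as the resolver's answer; a comment saying so would help. The `try` block and loop continue outside the hunk.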
diff --git a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
index dcb109b7ae..410f056786 100644
--- a/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
+++ b/app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
@@ -70,8 +70,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swStandaloneVpn;
private SwitchCompat swTcpKeepAlive;
private TextView tvTcpKeepAliveHint;
- private SwitchCompat swSslAnchor;
private SwitchCompat swSslHarden;
+ private SwitchCompat swCertStrict;
private Button btnManage;
private TextView tvNetworkMetered;
private TextView tvNetworkRoaming;
@@ -85,7 +85,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml",
"require_validated", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
- "ssl_anchor", "ssl_harden"
+ "ssl_harden", "cert_strict"
};
@Override
@@ -112,8 +112,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swStandaloneVpn = view.findViewById(R.id.swStandaloneVpn);
swTcpKeepAlive = view.findViewById(R.id.swTcpKeepAlive);
tvTcpKeepAliveHint = view.findViewById(R.id.tvTcpKeepAliveHint);
- swSslAnchor = view.findViewById(R.id.swSslAnchor);
swSslHarden = view.findViewById(R.id.swSslHarden);
+ swCertStrict = view.findViewById(R.id.swCertStrict);
btnManage = view.findViewById(R.id.btnManage);
tvNetworkMetered = view.findViewById(R.id.tvNetworkMetered);
@@ -259,17 +259,17 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
}
});
- swSslAnchor.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+ swSslHarden.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
- prefs.edit().putBoolean("ssl_anchor", checked).apply();
+ prefs.edit().putBoolean("ssl_harden", checked).apply();
}
});
- swSslHarden.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+ swCertStrict.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
- prefs.edit().putBoolean("ssl_harden", checked).apply();
+ prefs.edit().putBoolean("cert_strict", checked).apply();
}
});
@@ -383,8 +383,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swBindSocket.setChecked(prefs.getBoolean("bind_socket", false));
swStandaloneVpn.setChecked(prefs.getBoolean("standalone_vpn", false));
swTcpKeepAlive.setChecked(prefs.getBoolean("tcp_keep_alive", false));
- swSslAnchor.setChecked(prefs.getBoolean("ssl_anchor", !BuildConfig.PLAY_STORE_RELEASE));
swSslHarden.setChecked(prefs.getBoolean("ssl_harden", false));
+ swCertStrict.setChecked(prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE));
}
private static Intent getIntentConnectivity() {
diff --git a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
index fb34dee3e7..3da387c1d6 100644
--- a/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
+++ b/app/src/main/java/eu/faircode/email/ServiceSynchronize.java
@@ -153,7 +153,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_folders",
"sync_shared_folders",
"download_headers", "download_eml",
- "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_anchor", "ssl_harden", // force reconnect
+ "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", "ssl_harden", "cert_strict", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect
diff --git a/app/src/main/res/layout/fragment_options_connection.xml b/app/src/main/res/layout/fragment_options_connection.xml
index ba61a2347d..0177ade025 100644
--- a/app/src/main/res/layout/fragment_options_connection.xml
+++ b/app/src/main/res/layout/fragment_options_connection.xml
@@ -380,50 +380,50 @@
app:layout_constraintTop_toBottomOf="@id/swTcpKeepAlive" />
+ app:layout_constraintTop_toBottomOf="@id/swSslHarden" />
+ app:layout_constraintTop_toBottomOf="@id/swCertStrict" />
+ app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint" />
Bind sockets to the active network
Standalone VPN
TCP keep alive
- Anchor SSL connections
Harden SSL connections
+ Strict certificate checking
Manage connectivity
General
@@ -757,7 +757,7 @@
Enabling this can cause connection problems on some devices
This can result in not synchronizing messages, for example when using a VPN, but also in other situations
The read/write timeout will be set to the double of the connection timeout. Higher values will result in more battery use.
- Enabling this will check the root certificate of server certificate chains
+ Disabling this will relax checking of server certificates
Enabling this will disable weak SSL protocols and ciphers, which can lead to connection problems
Messages headers will always be fetched when roaming. You can use the device\'s roaming setting to disable internet while roaming.