Added option to disable host name checks

app/src/main/java/eu/faircode/email/EmailService.java

@@ -103,6 +103,7 @@ public class EmailService implements AutoCloseable {
     private boolean ssl_harden;
     private boolean ssl_harden_strict;
     private boolean cert_strict;
+    private boolean check_names;
     private boolean useip;
     private String ehlo;
     private boolean log;
@@ -190,6 +191,7 @@ public class EmailService implements AutoCloseable {
         this.ssl_harden = prefs.getBoolean("ssl_harden", false);
         this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
         this.cert_strict = prefs.getBoolean("cert_strict", true);
+        this.check_names = prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE);
 
         boolean auth_plain = prefs.getBoolean("auth_plain", true);
         boolean auth_login = prefs.getBoolean("auth_login", true);
@@ -449,7 +451,8 @@ public class EmailService implements AutoCloseable {
 
             boolean bc = prefs.getBoolean("bouncy_castle", false);
             boolean fips = prefs.getBoolean("bc_fips", false);
-            factory = new SSLSocketFactoryService(host, insecure, ssl_harden, strict, cert_strict, bc, fips, key, chain, fingerprint);
+            factory = new SSLSocketFactoryService(
+                    host, insecure, ssl_harden, strict, cert_strict, check_names, bc, fips, key, chain, fingerprint);
             properties.put("mail." + protocol + ".ssl.socketFactory", factory);
             properties.put("mail." + protocol + ".socketFactory.fallback", "false");
             properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@@ -1037,7 +1040,7 @@ public class EmailService implements AutoCloseable {
         private X509Certificate certificate;
 
         SSLSocketFactoryService(String host, boolean insecure,
-                                boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict,
+                                boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean check_names,
                                 boolean bc, boolean fips,
                                 PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
             this.server = host;
@@ -1047,7 +1050,7 @@ public class EmailService implements AutoCloseable {
             this.cert_strict = cert_strict;
             this.trustedFingerprint = fingerprint;
 
-            TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, trustedFingerprint,
+            TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, check_names, trustedFingerprint,
                     new SSLHelper.ITrust() {
                         @Override
                         public void checkServerTrusted(X509Certificate[] chain) {

app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java

@@ -100,6 +100,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
     private SwitchCompat swSslHarden;
     private SwitchCompat swSslHardenStrict;
     private SwitchCompat swCertStrict;
+    private SwitchCompat swCheckNames;
     private SwitchCompat swOpenSafe;
     private SwitchCompat swHttpRedirect;
     private SwitchCompat swBouncyCastle;
@@ -123,7 +124,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             "download_headers", "download_eml", "download_plain",
             "require_validated", "require_validated_captive", "vpn_only",
             "timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
-            "ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "open_safe", "http_redirect",
+            "ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "check_names",
+            "open_safe", "http_redirect",
             "bouncy_castle", "bc_fips"
     };
 
@@ -159,6 +161,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
         swSslHarden = view.findViewById(R.id.swSslHarden);
         swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
         swCertStrict = view.findViewById(R.id.swCertStrict);
+        swCheckNames = view.findViewById(R.id.swCheckNames);
         swOpenSafe = view.findViewById(R.id.swOpenSafe);
         swHttpRedirect = view.findViewById(R.id.swHttpRedirect);
         swBouncyCastle = view.findViewById(R.id.swBouncyCastle);
@@ -376,6 +379,13 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             }
         });
 
+        swCheckNames.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
+            @Override
+            public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
+                prefs.edit().putBoolean("check_names", checked).apply();
+            }
+        });
+
         swOpenSafe.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
             @Override
             public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
@@ -691,6 +701,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
             swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false));
             swSslHardenStrict.setEnabled(swSslHarden.isChecked());
             swCertStrict.setChecked(prefs.getBoolean("cert_strict", true));
+            swCheckNames.setChecked(prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE));
             swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
             swHttpRedirect.setChecked(prefs.getBoolean("http_redirect", true));
             swBouncyCastle.setChecked(prefs.getBoolean("bouncy_castle", false));

app/src/main/java/eu/faircode/email/SSLHelper.java

@@ -20,7 +20,8 @@ import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 public class SSLHelper {
-    static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
+    static TrustManager[] getTrustManagers(
+            String server, boolean secure, boolean cert_strict, boolean check_names, String trustedFingerprint, ITrust intf) {
         TrustManagerFactory tmf;
         try {
             tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
@@ -85,6 +86,7 @@ public class SSLHelper {
                     }
 
                     // Check host name
+                    if (check_names) {
                         List<String> names = EntityCertificate.getDnsNames(chain[0]);
                         if (EntityCertificate.matches(server, names))
                             return;
@@ -120,6 +122,7 @@ public class SSLHelper {
                         throw new CertificateException(error);
                     }
                 }
+            }
 
             @Override
             public X509Certificate[] getAcceptedIssuers() {

app/src/main/java/eu/faircode/email/ServiceSynchronize.java

@@ -172,7 +172,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
             "sync_shared_folders",
             "download_headers", "download_eml",
             "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
-            "ssl_harden", "ssl_harden_strict", "cert_strict", "bouncy_castle", "bc_fips", // force reconnect
+            "ssl_harden", "ssl_harden_strict", "cert_strict", "check_names", "bouncy_castle", "bc_fips", // force reconnect
             "experiments", "debug", "protocol", // force reconnect
             "auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
             "keep_alive_poll", "empty_pool", "idle_done", // force reconnect

app/src/main/res/layout/fragment_options_connection.xml

@@ -533,6 +533,18 @@
                     app:layout_constraintStart_toStartOf="parent"
                     app:layout_constraintTop_toBottomOf="@id/swCertStrict" />
 
+                <androidx.appcompat.widget.SwitchCompat
+                    android:id="@+id/swCheckNames"
+                    android:layout_width="0dp"
+                    android:layout_height="wrap_content"
+                    android:layout_marginTop="12dp"
+                    android:checked="true"
+                    android:text="@string/title_advanced_check_names"
+                    app:layout_constraintEnd_toEndOf="parent"
+                    app:layout_constraintStart_toStartOf="parent"
+                    app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint"
+                    app:switchPadding="12dp" />
+
                 <androidx.appcompat.widget.SwitchCompat
                     android:id="@+id/swOpenSafe"
                     android:layout_width="0dp"
@@ -541,7 +553,7 @@
                     android:text="@string/title_advanced_open_safe"
                     app:layout_constraintEnd_toEndOf="parent"
                     app:layout_constraintStart_toStartOf="parent"
-                    app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint"
+                    app:layout_constraintTop_toBottomOf="@id/swCheckNames"
                     app:switchPadding="12dp" />
 
                 <TextView

app/src/main/res/values/strings.xml

@@ -520,6 +520,7 @@
     <string name="title_advanced_ssl_harden">Harden SSL connections</string>
     <string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
     <string name="title_advanced_cert_strict">Strict certificate checking</string>
+    <string name="title_advanced_check_names">Check host names against server certificates</string>
     <string name="title_advanced_open_safe">Open secure connections only</string>
     <string name="title_advanced_http_redirect">Allow connection redirection</string>
     <string name="title_advanced_bouncy_castle">Use Bouncy Castle\'s secure socket provider (JSSE)</string>