Fix TLSv3 sometimes not being enabled

This commit is contained in:
ByteHamster 2022-06-11 18:48:19 +02:00
parent df53c5bfe5
commit 18ecc52dbc
2 changed files with 20 additions and 28 deletions


@ -8,23 +8,24 @@ import java.io.IOException;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.Socket; import java.net.Socket;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
/** /**
* SSLSocketFactory that does not use TLS 1.0 * SSLSocketFactory that does not use TLS 1.0
* This fixes issues with old Android versions that abort if the server does not know TLS 1.0 * This fixes issues with old Android versions that abort if the server does not know TLS 1.0
*/ */
public class NoV1SslSocketFactory extends SSLSocketFactory { public class AntennaPodSslSocketFactory extends SSLSocketFactory {
private SSLSocketFactory factory; private SSLSocketFactory factory;
public NoV1SslSocketFactory(TrustManager trustManager) { public AntennaPodSslSocketFactory(TrustManager trustManager) {
try { try {
SSLContext sslContext; SSLContext sslContext;
if (BuildConfig.FLAVOR.equals("free")) { try {
// Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
sslContext = SSLContext.getInstance("TLSv1.3"); sslContext = SSLContext.getInstance("TLSv1.3");
} else { } catch (NoSuchAlgorithmException e) {
// Play flavor (security provider can vary): only TLSv1.2 is guaranteed. e.printStackTrace();
// In the play flavor (security provider can vary), some devices only support TLSv1.2.
sslContext = SSLContext.getInstance("TLSv1.2"); sslContext = SSLContext.getInstance("TLSv1.2");
} }
@ -82,16 +83,13 @@ public class NoV1SslSocketFactory extends SSLSocketFactory {
} }
private void configureSocket(SSLSocket s) { private void configureSocket(SSLSocket s) {
if (BuildConfig.FLAVOR.equals("free")) { // TLS 1.0 is enabled by default on some old systems, which causes connection errors. This disables that.
// Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are try {
// guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
s.setEnabledProtocols(new String[]{"TLSv1.3", "TLSv1.2"}); s.setEnabledProtocols(new String[]{"TLSv1.3", "TLSv1.2"});
} else { } catch (IllegalArgumentException e) {
// Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported e.printStackTrace();
// cipher suites may vary. Old protocols might be necessary to keep things working. // In play flavor, supported cipher suites may vary.
// Old protocols might be necessary to keep things working.
// TLS 1.0 is enabled by default on some old systems, which causes connection errors.
// This disables that.
s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" }); s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
} }
} }
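Review bot: The fallback in configureSocket is broader than the failure it handles: when `setEnabledProtocols` rejects `{"TLSv1.3", "TLSv1.2"}` the catch block immediately re-enables TLSv1.1 and TLSv1 on every such device, including those whose provider supports TLSv1.2 and merely lacks the TLSv1.3 name, and that second `setEnabledProtocols` call is unguarded, so a provider that rejects one of the legacy names throws out of the method. Trying `{"TLSv1.2"}` before the legacy set keeps the deprecated protocols disabled wherever TLSv1.2 is available, which is what the comment on the first line of the method says the method is for. Both catch blocks, here and in the constructor hunk above, report the condition with `e.printStackTrace()`; routing it through the project's logger would keep the fallback visible without writing to stderr. The constructor's body continues past the end of the first hunk.
```java
private void configureSocket(SSLSocket s) {
    // TLS 1.0 is enabled by default on some old systems, which causes connection errors.
    // Prefer TLSv1.3+1.2, then TLSv1.2 alone; only re-enable the deprecated protocols
    // when the provider rejects TLSv1.2 on its own.
    String[][] candidates = {
            {"TLSv1.3", "TLSv1.2"},
            {"TLSv1.2"},
            {"TLSv1.2", "TLSv1.1", "TLSv1"}};
    for (String[] protocols : candidates) {
        try {
            s.setEnabledProtocols(protocols);
            return;
        } catch (IllegalArgumentException ignored) {
            // The provider does not know one of these names; try the next, more permissive set.
        }
    }
}
```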


@ -12,26 +12,20 @@ import java.util.List;
public class SslClientSetup { public class SslClientSetup {
public static void installCertificates(OkHttpClient.Builder builder) { public static void installCertificates(OkHttpClient.Builder builder) {
if (BuildConfig.FLAVOR.equals("free")) {
// The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
// is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
// that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
X509TrustManager trustManager = BackportTrustManager.create(); X509TrustManager trustManager = BackportTrustManager.create();
builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager); builder.sslSocketFactory(new AntennaPodSslSocketFactory(trustManager), trustManager);
} else if (Build.VERSION.SDK_INT < 21) {
X509TrustManager trustManager = BackportTrustManager.create();
builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager);
ConnectionSpec tlsSpec = ConnectionSpec.MODERN_TLS;
if (BuildConfig.FLAVOR.equals("play") && Build.VERSION.SDK_INT < 21) {
// workaround for Android 4.x for certain web sites. // workaround for Android 4.x for certain web sites.
// see: https://github.com/square/okhttp/issues/4053#issuecomment-402579554 // see: https://github.com/square/okhttp/issues/4053#issuecomment-402579554
List<CipherSuite> cipherSuites = new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites()); List<CipherSuite> cipherSuites = new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
tlsSpec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
ConnectionSpec legacyTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.cipherSuites(cipherSuites.toArray(new CipherSuite[0])) .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
.build(); .build();
builder.connectionSpecs(Arrays.asList(legacyTls, ConnectionSpec.CLEARTEXT)); }
} builder.connectionSpecs(Arrays.asList(tlsSpec, ConnectionSpec.CLEARTEXT));
} }
} }
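Review bot: The reason the custom socket factory is now installed for every flavor is no longer documented: the removed comment explained only the free-flavor case, and the new unconditional `builder.sslSocketFactory(new AntennaPodSslSocketFactory(trustManager), trustManager);` line carries no explanation. A comment above the trustManager line such as `// Installed for all flavors: the factory prefers TLSv1.3/TLSv1.2 where the provider supports them and otherwise falls back to the protocols the device can negotiate.` would record that. The cipher-suite workaround's condition also changed from the old "not free and SDK < 21" branch to `BuildConfig.FLAVOR.equals("play") && Build.VERSION.SDK_INT < 21`, which is equivalent only if free and play are the only flavors; that cannot be confirmed from this hunk. The two CBC suites are still added only on that pre-21 path, so newer devices keep `ConnectionSpec.MODERN_TLS` unchanged.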