Merge pull request #5940 from ByteHamster/fix-tlsv3

Fix TLSv3 sometimes not being enabled

net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/AntennaPodSslSocketFactory.java

@@ -8,23 +8,24 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 
 /**
  * SSLSocketFactory that does not use TLS 1.0
  * This fixes issues with old Android versions that abort if the server does not know TLS 1.0
  */
-public class NoV1SslSocketFactory extends SSLSocketFactory {
+public class AntennaPodSslSocketFactory extends SSLSocketFactory {
     private SSLSocketFactory factory;
 
-    public NoV1SslSocketFactory(TrustManager trustManager) {
+    public AntennaPodSslSocketFactory(TrustManager trustManager) {
         try {
             SSLContext sslContext;
 
-            if (BuildConfig.FLAVOR.equals("free")) {
-                // Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
+            try {
                 sslContext = SSLContext.getInstance("TLSv1.3");
-            } else {
-                // Play flavor (security provider can vary): only TLSv1.2 is guaranteed.
+            } catch (NoSuchAlgorithmException e) {
+                e.printStackTrace();
+                // In the play flavor (security provider can vary), some devices only support TLSv1.2.
                 sslContext = SSLContext.getInstance("TLSv1.2");
             }
 
@@ -82,16 +83,13 @@ public class NoV1SslSocketFactory extends SSLSocketFactory {
     }
 
     private void configureSocket(SSLSocket s) {
-        if (BuildConfig.FLAVOR.equals("free")) {
-            // Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are
-            // guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
-            s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
-        } else {
-            // Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported
-            // cipher suites may vary. Old protocols might be necessary to keep things working.
-
-            // TLS 1.0 is enabled by default on some old systems, which causes connection errors.
-            // This disables that.
+        // TLS 1.0 is enabled by default on some old systems, which causes connection errors. This disables that.
+        try {
+            s.setEnabledProtocols(new String[]{"TLSv1.3", "TLSv1.2"});
+        } catch (IllegalArgumentException e) {
+            e.printStackTrace();
+            // In play flavor, supported cipher suites may vary.
+            // Old protocols might be necessary to keep things working.
             s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
         }
     }

net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java

@@ -12,26 +12,20 @@ import java.util.List;
 
 public class SslClientSetup {
     public static void installCertificates(OkHttpClient.Builder builder) {
-        if (BuildConfig.FLAVOR.equals("free")) {
-            // The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
-            // is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
-            // that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
-            X509TrustManager trustManager = BackportTrustManager.create();
-            builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager);
-        } else if (Build.VERSION.SDK_INT < 21) {
-            X509TrustManager trustManager = BackportTrustManager.create();
-            builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager);
+        X509TrustManager trustManager = BackportTrustManager.create();
+        builder.sslSocketFactory(new AntennaPodSslSocketFactory(trustManager), trustManager);
 
+        ConnectionSpec tlsSpec = ConnectionSpec.MODERN_TLS;
+        if (BuildConfig.FLAVOR.equals("play") && Build.VERSION.SDK_INT < 21) {
             // workaround for Android 4.x for certain web sites.
             // see: https://github.com/square/okhttp/issues/4053#issuecomment-402579554
             List<CipherSuite> cipherSuites = new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
             cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
             cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
-
-            ConnectionSpec legacyTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
+            tlsSpec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                     .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
                     .build();
-            builder.connectionSpecs(Arrays.asList(legacyTls, ConnectionSpec.CLEARTEXT));
         }
+        builder.connectionSpecs(Arrays.asList(tlsSpec, ConnectionSpec.CLEARTEXT));
     }
 }