author | ByteHamster <ByteHamster@users.noreply.github.com> | 2022-06-18 08:49:48 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-18 08:49:48 +0200 |
commit | 5576ae8560936659c10529a7daf94c90cc6d22d1 (patch) | |
tree | cfc6787f8940352ec11a4a45064aa5434d454183 | |
parent | 3974a2d0a9ddf9f84a694d23c22fcfc07b5a8b3c (diff) | |
parent | 18ecc52dbcebd0a1b85f8ab63f5af877be9b505c (diff) | |
download | AntennaPod-5576ae8560936659c10529a7daf94c90cc6d22d1.zip |
Merge pull request #5940 from ByteHamster/fix-tlsv3
Fix TLSv1.3 sometimes not being enabled
-rw-r--r-- | net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/AntennaPodSslSocketFactory.java (renamed from net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/NoV1SslSocketFactory.java) | 30 | ||||
-rw-r--r-- | net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java | 18 |
2 files changed, 20 insertions, 28 deletions
diff --git a/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/NoV1SslSocketFactory.java b/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/AntennaPodSslSocketFactory.java
index 0e31cda68..81a327dca 100644
--- a/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/NoV1SslSocketFactory.java
+++ b/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/AntennaPodSslSocketFactory.java
@@ -8,23 +8,24 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 /**
 * SSLSocketFactory that does not use TLS 1.0
 * This fixes issues with old Android versions that abort if the server does not know TLS 1.0
 */
-public class NoV1SslSocketFactory extends SSLSocketFactory {
+public class AntennaPodSslSocketFactory extends SSLSocketFactory {
 private SSLSocketFactory factory;
- public NoV1SslSocketFactory(TrustManager trustManager) {
+ public AntennaPodSslSocketFactory(TrustManager trustManager) {
 try {
 SSLContext sslContext;
- if (BuildConfig.FLAVOR.equals("free")) {
- // Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
+ try {
 sslContext = SSLContext.getInstance("TLSv1.3");
- } else {
- // Play flavor (security provider can vary): only TLSv1.2 is guaranteed.
+ } catch (NoSuchAlgorithmException e) {
+ e.printStackTrace();
+ // In the play flavor (security provider can vary), some devices only support TLSv1.2.
 sslContext = SSLContext.getInstance("TLSv1.2");
 }
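Review bot: `e.printStackTrace();` in the new catch block turns the expected no-TLSv1.3 case into a stack-trace dump to stderr every time a factory is constructed, and the catch of IllegalArgumentException in configureSocket (second hunk) does the same; a single debug-level message through the logging the module already uses would record the fallback without making it look like a failure. Catching NoSuchAlgorithmException only establishes that the provider has no context named `TLSv1.3`; the context obtained on either branch generally still supports older versions, since the name mainly selects defaults, so which protocols a socket actually offers is decided in configureSocket (presumably called from the createSocket overrides, outside this hunk) rather than here. A short comment at the catch site would make that split explicit, e.g. `// The context name only selects defaults; configureSocket() decides what each socket enables.` The constructor body continues past the end of the hunk.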
@@ -82,16 +83,13 @@ public class NoV1SslSocketFactory extends SSLSocketFactory {
 }
 private void configureSocket(SSLSocket s) {
- if (BuildConfig.FLAVOR.equals("free")) {
- // Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are
- // guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
- s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
- } else {
- // Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported
- // cipher suites may vary. Old protocols might be necessary to keep things working.
-
- // TLS 1.0 is enabled by default on some old systems, which causes connection errors.
- // This disables that.
+ // TLS 1.0 is enabled by default on some old systems, which causes connection errors. This disables that.
+ try {
+ s.setEnabledProtocols(new String[]{"TLSv1.3", "TLSv1.2"});
+ } catch (IllegalArgumentException e) {
+ e.printStackTrace();
+ // In play flavor, supported cipher suites may vary.
+ // Old protocols might be necessary to keep things working.
 s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
 }
 }
diff --git a/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java b/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java
index 666010d2f..45bae160d 100644
--- a/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java
+++ b/net/ssl/src/main/java/de/danoeh/antennapod/net/ssl/SslClientSetup.java
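Review bot: The new comment `// TLS 1.0 is enabled by default on some old systems, which causes connection errors. This disables that.` sits on top of a try whose catch branch enables TLSv1.1 and TLSv1, and that branch runs on every device whose provider lacks TLSv1.3, not only where TLSv1.2 alone would fail: setEnabledProtocols throws IllegalArgumentException when any one name in the array is unsupported, so a TLSv1.2-only provider ends up with TLS 1.0 switched on, which is exactly what the comment says is prevented. Using the exception as control flow also hides which protocol was missing. Querying `s.getSupportedProtocols()` and enabling TLSv1.2 alone when only TLSv1.3 is absent keeps the legacy list for the providers that genuinely lack TLSv1.2; if TLSv1.1/TLSv1 are deliberately wanted on every non-TLSv1.3 device for server compatibility, the comment should say so instead. The rewrite below keeps the last branch identical to the commit's fallback, including its assumption that TLSv1.2 is always supported.
```java
private void configureSocket(SSLSocket s) {
    boolean hasTls13 = false;
    boolean hasTls12 = false;
    for (String protocol : s.getSupportedProtocols()) {
        hasTls13 |= "TLSv1.3".equals(protocol);
        hasTls12 |= "TLSv1.2".equals(protocol);
    }
    if (hasTls13) {
        // Modern provider: offer only TLSv1.3 and TLSv1.2.
        s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
    } else if (hasTls12) {
        // Provider without TLSv1.3 (some play-flavor devices): stay on TLSv1.2 rather than
        // re-enabling TLSv1.1/TLSv1 merely because TLSv1.3 is missing.
        s.setEnabledProtocols(new String[] { "TLSv1.2" });
    } else {
        // Old protocols might be necessary to keep things working (same list as before).
        s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
    }
}
```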
@@ -12,26 +12,20 @@ import java.util.List;
 public class SslClientSetup {
 public static void installCertificates(OkHttpClient.Builder builder) {
- if (BuildConfig.FLAVOR.equals("free")) {
- // The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
- // is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
- // that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
- X509TrustManager trustManager = BackportTrustManager.create();
- builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager);
- } else if (Build.VERSION.SDK_INT < 21) {
- X509TrustManager trustManager = BackportTrustManager.create();
- builder.sslSocketFactory(new NoV1SslSocketFactory(trustManager), trustManager);
+ X509TrustManager trustManager = BackportTrustManager.create();
+ builder.sslSocketFactory(new AntennaPodSslSocketFactory(trustManager), trustManager);
+ ConnectionSpec tlsSpec = ConnectionSpec.MODERN_TLS;
+ if (BuildConfig.FLAVOR.equals("play") && Build.VERSION.SDK_INT < 21) {
 // workaround for Android 4.x for certain web sites.
 // see: https://github.com/square/okhttp/issues/4053#issuecomment-402579554
 List<CipherSuite> cipherSuites = new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
 cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
 cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
-
- ConnectionSpec legacyTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
+ tlsSpec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
 .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
 .build();
- builder.connectionSpecs(Arrays.asList(legacyTls, ConnectionSpec.CLEARTEXT));
 }
+ builder.connectionSpecs(Arrays.asList(tlsSpec, ConnectionSpec.CLEARTEXT));
 }
 } |
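Review bot: `builder.connectionSpecs(Arrays.asList(tlsSpec, ConnectionSpec.CLEARTEXT));` now runs for every flavor and API level, whereas before this change free builds and play builds on API 21+ left OkHttp's default connection specs in place, and nothing in the hunk records that this widening is intended. A comment such as `// MODERN_TLS for all builds; only play builds on Android 4.x get the CBC suites added above` would document the decision. OkHttp applies the ConnectionSpec's TLS versions and cipher suites to the socket after the factory's configureSocket has run, so the protocols a connection can actually use are the intersection of what MODERN_TLS permits in the OkHttp version in use and what AntennaPodSslSocketFactory enabled; presumably that is the intent, but it is worth confirming that the spec's version list does not silently undo the legacy fallback the factory keeps for old providers.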