author | H. Lehmann <ByteHamster@users.noreply.github.com> | 2020-10-04 15:21:18 +0200 |
committer | GitHub <noreply@github.com> | 2020-10-04 15:21:18 +0200 |
commit | e1ff4c8763c604c014a62c4c4905737cb92ebebb (patch) | |
tree | e689fad58a58f0aad36d879d9500238d2c9e44ed /core/src/main/java | |
parent | af1a6a7ef92ed0ab6061c803f94bd22ad17a6243 (diff) | |
parent | 06d212b911af1ce54e03c63bad69b99e938cb430 (diff) | |
Merge pull request #4077 from Slinger/conscrypt_bundle2.0.1
Bundle a modern Security Provider (Conscrypt) in the Free builds.
Diffstat (limited to 'core/src/main/java')
-rw-r--r-- | core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java b/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
index e0c23bdac..807af0a3f 100644
--- a/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
+++ b/core/src/main/java/de/danoeh/antennapod/core/service/download/AntennapodHttpClient.java
@@ -34,6 +34,7 @@ import javax.net.ssl.X509TrustManager;
 import de.danoeh.antennapod.core.preferences.UserPreferences;
 import de.danoeh.antennapod.core.service.UserAgentInterceptor;
 import de.danoeh.antennapod.core.storage.DBWriter;
+import de.danoeh.antennapod.core.util.Flavors;
 import okhttp3.Cache;
 import okhttp3.CipherSuite;
 import okhttp3.ConnectionSpec;
@@ -149,7 +150,16 @@ public class AntennapodHttpClient {
                 });
             }
         }
-        if (Build.VERSION.SDK_INT < 21) {
+
+        if (Flavors.FLAVOR == Flavors.FREE) {
+            // The Free flavor bundles a modern conscrypt (security provider), so CustomSslSocketFactory
+            // is only used to make sure that modern protocols (TLSv1.3 and TLSv1.2) are enabled and
+            // that old, deprecated, protocols (like SSLv3, TLSv1.0 and TLSv1.1) are disabled.
+            builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
+        } else if (Build.VERSION.SDK_INT < 21) {
+            // The Play flavor can not be assumed to have a modern security provider, so for Android
+            // older than 5.0 CustomSslSocketFactory is used to enable all possible protocols (modern
+            // and deprecated). And we explicitly enable deprecated cipher suites disabled by default.
             builder.sslSocketFactory(new CustomSslSocketFactory(), trustManager());
 
             // workaround for Android 4.x for certain web sites.
@@ -178,6 +188,9 @@ public class AntennapodHttpClient {
         }
     }
 
+    /**
+     * Reimplements default trust manager (required for calling sslSocketFactory).
+     */
     private static X509TrustManager trustManager() {
         try {
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
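Review bot: For Free builds running on SDK_INT < 21 the new `else if` means the "workaround for Android 4.x" cipher-suite block that follows the second `builder.sslSocketFactory(...)` call is no longer reached (its body continues past this hunk). That is presumably intended, since the bundled provider ships its own modern suites, but the Free-branch comment only talks about protocols, so a future reader may re-add the workaround for Free. Suggest extending that comment with `// Free builds also skip the Android 4.x cipher-suite workaround below; the bundled provider already offers modern suites.`. The comment's claim that SSLv3/TLSv1.0/TLSv1.1 are disabled is implemented in CustomSslSocketFactory.configureSocket, not here, so naming that method in the comment would also help.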
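Review bot: The new Javadoc on trustManager() says it "reimplements" the default trust manager, but the visible body obtains it through `TrustManagerFactory.getInstance(`, so the method looks up the platform default rather than reimplementing anything; the remainder of the method is outside this hunk. OkHttp's two-argument sslSocketFactory(...) expects the trust manager the factory's SSLContext was initialised with, and CustomSslSocketFactory calls `sslContext.init(null, null, null)`, i.e. the same platform default, so the pairing is consistent, but that coupling is what the Javadoc should state. Suggested wording: `/** Returns the platform's default X509TrustManager. OkHttp's sslSocketFactory(factory, trustManager) needs it alongside CustomSslSocketFactory, whose SSLContext is initialised with the same default trust store via init(null, null, null). */`.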
@@ -199,13 +212,26 @@ public class AntennapodHttpClient {
         AntennapodHttpClient.cacheDirectory = cacheDirectory;
     }
 
+    /**
+     * Used to disable deprecated protocols and explicitly enable TLSv1.3 and TLSv1.2, or to enable
+     * all protocols (including deprecated) up to TLSv1.2, depending on build flavor (Free or Play).
+     */
     private static class CustomSslSocketFactory extends SSLSocketFactory {
         private SSLSocketFactory factory;
 
         public CustomSslSocketFactory() {
             try {
-                SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+                SSLContext sslContext;
+
+                if (Flavors.FLAVOR == Flavors.FREE) {
+                    // Free flavor (bundles modern conscrypt): support for TLSv1.3 is guaranteed.
+                    sslContext = SSLContext.getInstance("TLSv1.3");
+                } else {
+                    // Play flavor (security provider can vary): only TLSv1.2 is guaranteed.
+                    sslContext = SSLContext.getInstance("TLSv1.2");
+                }
+
                 sslContext.init(null, null, null);
                 factory= sslContext.getSocketFactory();
             } catch(GeneralSecurityException e) {
@@ -260,7 +286,15 @@ public class AntennapodHttpClient {
         }
 
         private void configureSocket(SSLSocket s) {
-            s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" } );
+            if (Flavors.FLAVOR == Flavors.FREE) {
+                // Free flavor (bundles modern conscrypt): TLSv1.3 and modern cipher suites are
+                // guaranteed. Protocols older than TLSv1.2 are now deprecated and can be disabled.
+                s.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
+            } else {
+                // Play flavor (security provider can vary): only TLSv1.2 is guaranteed, supported
+                // cipher suites may vary. Old protocols might be necessary to keep things working.
+                s.setEnabledProtocols(new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" });
+            }
         }
     }
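Review bot: In configureSocket the Free branch passes "TLSv1.3" to setEnabledProtocols unconditionally; if the bundled Conscrypt is not the provider behind this socket (its registration is not part of this diff, so its ordering relative to the first client build cannot be checked here), the platform provider rejects the unknown name with an unchecked IllegalArgumentException that nothing in this class catches, so the first TLS connection crashes rather than degrading. The constructor hunk above rests on the same assumption in `SSLContext.getInstance("TLSv1.3")`, but there a NoSuchAlgorithmException is at least caught by the GeneralSecurityException handler (whose body is outside the hunk). Intersecting the wanted list with `s.getSupportedProtocols()` keeps the policy intact (nothing weaker than requested is ever enabled, so Free still never gets TLSv1.1/1.0) while removing the hard dependency on provider order; the sketch below needs java.util.Arrays, ArrayList and List added to the import block. If a quiet fallback from TLSv1.3 to TLSv1.2 is unwanted in Free builds, log when "TLSv1.3" drops out of the enabled list so a broken provider install stays visible.
```java
        private void configureSocket(SSLSocket s) {
            String[] wanted;
            if (Flavors.FLAVOR == Flavors.FREE) {
                // Free flavor (bundles modern conscrypt): only TLSv1.3 and TLSv1.2.
                wanted = new String[] { "TLSv1.3", "TLSv1.2" };
            } else {
                // Play flavor (security provider can vary): legacy protocols stay reachable.
                wanted = new String[] { "TLSv1.2", "TLSv1.1", "TLSv1" };
            }
            // Request only what the active provider implements: a name it does not know makes
            // setEnabledProtocols throw IllegalArgumentException. Never adds anything not in wanted.
            List<String> enabled = new ArrayList<>(Arrays.asList(wanted));
            enabled.retainAll(Arrays.asList(s.getSupportedProtocols()));
            s.setEnabledProtocols(enabled.toArray(new String[0]));
        }
```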