Enable TLS v1.1/1.2 for KitKat devices

This enables modern TLS versions in the collection browser, the Downloader and the Player. This is neccessary because media.ccc.de rejects all older TLS connection attempts, see issue #2777.
2019-12-08 17:09:16 +01:00 · 2019-12-08 17:09:16 +01:00 · c0453065e4
commit c0453065e4
parent 88a6e5981f
3 changed files with 178 additions and 1 deletions
--- a/app/src/main/java/org/schabi/newpipe/util/TLSSocketFactoryCompat.java
+++ b/app/src/main/java/org/schabi/newpipe/util/TLSSocketFactoryCompat.java
@ -0,0 +1,127 @@
+package org.schabi.newpipe.util;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+
+
+/**
+ * This is an extension of the SSLSocketFactory which enables TLS 1.2 and 1.1.
+ * Created for usage on Android 4.1-4.4 devices, which haven't enabled those by default.
+ */
+public class TLSSocketFactoryCompat extends SSLSocketFactory {
+
+
+    private static TLSSocketFactoryCompat instance=null;
+
+    private SSLSocketFactory internalSSLSocketFactory;
+
+    public static TLSSocketFactoryCompat getInstance() throws NoSuchAlgorithmException, KeyManagementException {
+        if(instance!=null)
+            return instance;
+        return instance=new TLSSocketFactoryCompat();
+    }
+
+
+    public TLSSocketFactoryCompat() throws KeyManagementException, NoSuchAlgorithmException {
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(null, null, null);
+        internalSSLSocketFactory = context.getSocketFactory();
+    }
+
+    public TLSSocketFactoryCompat(TrustManager[] tm) throws KeyManagementException, NoSuchAlgorithmException {
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(null, tm, new java.security.SecureRandom());
+        internalSSLSocketFactory = context.getSocketFactory();
+    }
+
+    public static void setAsDefault() {
+        try {
+            HttpsURLConnection.setDefaultSSLSocketFactory(getInstance());
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            e.printStackTrace();
+        }
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        return internalSSLSocketFactory.getDefaultCipherSuites();
+    }
+
+    @Override
+    public String[] getSupportedCipherSuites() {
+        return internalSSLSocketFactory.getSupportedCipherSuites();
+    }
+
+    @Override
+    public Socket createSocket() throws IOException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket());
+    }
+
+    @Override
+    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
+    }
+
+    @Override
+    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
+    }
+
+    @Override
+    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
+    }
+
+    @Override
+    public Socket createSocket(InetAddress host, int port) throws IOException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
+    }
+
+    @Override
+    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
+        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
+    }
+
+    private Socket enableTLSOnSocket(Socket socket) {
+        if(socket != null && (socket instanceof SSLSocket)) {
+            /*
+            //Create list of supported protocols
+            ArrayList<String> supportedProtocols = new ArrayList<>();
+            for (String protocol : ((SSLSocket)socket).getEnabledProtocols()) {
+
+                //Log.d("TLSSocketFactory", "Supported protocol:" + protocol);
+                //Only add TLS protocols (don't want ot support older SSL versions)
+                if (protocol.toUpperCase().contains("TLS")) {
+                    supportedProtocols.add(protocol);
+                }
+            }
+            //Force add TLSv1.1 and 1.2 if not already added
+            if (!supportedProtocols.contains("TLSv1.1")) {
+                supportedProtocols.add("TLSv1.1");
+            }
+            if (!supportedProtocols.contains("TLSv1.2")) {
+                supportedProtocols.add("TLSv1.2");
+            }
+
+            String[] protocolArray = supportedProtocols.toArray(new String[supportedProtocols.size()]);
+
+            //enable protocols in our list
+            //((SSLSocket)socket).setEnabledProtocols(protocolArray);
+            */
+            // OR: only enable TLS 1.1 and 1.2!
+            ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
+
+        }
+        return socket;
+    }
+}