Added option to require TLS 1.3

app/src/main/java/eu/faircode/email/EmailService.java

@@ -104,6 +104,7 @@ public class EmailService implements AutoCloseable {
     private boolean insecure;
     private int purpose;
     private boolean ssl_harden;
+    private boolean ssl_harden_strict;
     private boolean cert_strict;
     private boolean useip;
     private String ehlo;
@@ -149,10 +150,17 @@ public class EmailService implements AutoCloseable {
             "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"
     ));
 
+    private static final List<String> SSL_PROTOCOL_BLACKLIST_STRICT = Collections.unmodifiableList(Arrays.asList(
+            "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
+    ));
+
     // https://developer.android.com/reference/javax/net/ssl/SSLSocket.html#cipher-suites
     private static final Pattern SSL_CIPHER_BLACKLIST =
             Pattern.compile(".*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV).*");
 
+    private static final Pattern SSL_CIPHER_BLACKLIST_STRICT =
+            Pattern.compile("(.*(_DES|DH_|DSS|EXPORT|MD5|NULL|RC4|TLS_FALLBACK_SCSV|RSA).*)|(.*SHA$)");
+
     // TLS_FALLBACK_SCSV https://tools.ietf.org/html/rfc7507
     // TLS_EMPTY_RENEGOTIATION_INFO_SCSV https://tools.ietf.org/html/rfc5746
 
@@ -183,6 +191,7 @@ public class EmailService implements AutoCloseable {
         this.log = prefs.getBoolean("protocol", false);
         this.level = prefs.getInt("log_level", Log.getDefaultLogLevel());
         this.ssl_harden = prefs.getBoolean("ssl_harden", false);
+        this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
         this.cert_strict = prefs.getBoolean("cert_strict", !BuildConfig.PLAY_STORE_RELEASE);
 
         boolean auth_plain = prefs.getBoolean("auth_plain", true);
@@ -421,7 +430,7 @@ public class EmailService implements AutoCloseable {
                 }
             }
 
-            factory = new SSLSocketFactoryService(host, insecure, ssl_harden, cert_strict, key, chain, fingerprint);
+            factory = new SSLSocketFactoryService(host, insecure, ssl_harden, ssl_harden_strict, cert_strict, key, chain, fingerprint);
             properties.put("mail." + protocol + ".ssl.socketFactory", factory);
             properties.put("mail." + protocol + ".socketFactory.fallback", "false");
             properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@@ -946,15 +955,17 @@ public class EmailService implements AutoCloseable {
         private String server;
         private boolean secure;
         private boolean ssl_harden;
+        private boolean ssl_harden_strict;
         private boolean cert_strict;
         private String trustedFingerprint;
         private SSLSocketFactory factory;
         private X509Certificate certificate;
 
-        SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
+        SSLSocketFactoryService(String host, boolean insecure, boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
             this.server = host;
             this.secure = !insecure;
             this.ssl_harden = ssl_harden;
+            this.ssl_harden_strict = ssl_harden_strict;
             this.cert_strict = cert_strict;
             this.trustedFingerprint = fingerprint;
 
@@ -1152,6 +1163,27 @@ public class EmailService implements AutoCloseable {
                     ciphers.addAll(Arrays.asList(sslSocket.getSupportedCipherSuites()));
                     ciphers.remove("TLS_FALLBACK_SCSV");
                     sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
+                } else if (ssl_harden && ssl_harden_strict &&
+                        !BuildConfig.PLAY_STORE_RELEASE &&
+                        Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+                    // Protocols
+                    List<String> protocols = new ArrayList<>();
+                    for (String protocol : sslSocket.getEnabledProtocols())
+                        if (SSL_PROTOCOL_BLACKLIST_STRICT.contains(protocol))
+                            Log.i("SSL disabling protocol=" + protocol);
+                        else
+                            protocols.add(protocol);
+                    sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
+
+                    // Ciphers
+                    List<String> ciphers = new ArrayList<>();
+                    for (String cipher : sslSocket.getEnabledCipherSuites()) {
+                        if (SSL_CIPHER_BLACKLIST_STRICT.matcher(cipher).matches())
+                            Log.i("SSL disabling cipher=" + cipher);
+                        else
+                            ciphers.add(cipher);
+                    }
+                    sslSocket.setEnabledCipherSuites(ciphers.toArray(new String[0]));
                 } else if (ssl_harden) {
                     // Protocols
                     List<String> protocols = new ArrayList<>();