Added option to disable host name checks

2026-03-31 14:17:03 +02:00 · 2023-12-20 10:24:53 +01:00
parent db105290a8
commit d78ad87c5f
6 changed files with 65 additions and 35 deletions
--- a/app/src/main/java/eu/faircode/email/SSLHelper.java
+++ b/app/src/main/java/eu/faircode/email/SSLHelper.java
@@ -20,7 +20,8 @@ import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;

 public class SSLHelper {
-    static TrustManager[] getTrustManagers(String server, boolean secure, boolean cert_strict, String trustedFingerprint, ITrust intf) {
+    static TrustManager[] getTrustManagers(
+            String server, boolean secure, boolean cert_strict, boolean check_names, String trustedFingerprint, ITrust intf) {
        TrustManagerFactory tmf;
        try {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
@@ -85,39 +86,41 @@ public class SSLHelper {
                    }

                    // Check host name
-                    List<String> names = EntityCertificate.getDnsNames(chain[0]);
-                    if (EntityCertificate.matches(server, names))
-                        return;
+                    if (check_names) {
+                        List<String> names = EntityCertificate.getDnsNames(chain[0]);
+                        if (EntityCertificate.matches(server, names))
+                            return;

-                    // Fallback: check server/certificate IP address
-                    if (!cert_strict)
-                        try {
-                            InetAddress ip = InetAddress.getByName(server);
-                            Log.i("Checking server ip=" + ip);
-                            for (String name : names) {
-                                if (name.startsWith("*."))
-                                    name = name.substring(2);
-                                Log.i("Checking cert name=" + name);
+                        // Fallback: check server/certificate IP address
+                        if (!cert_strict)
+                            try {
+                                InetAddress ip = InetAddress.getByName(server);
+                                Log.i("Checking server ip=" + ip);
+                                for (String name : names) {
+                                    if (name.startsWith("*."))
+                                        name = name.substring(2);
+                                    Log.i("Checking cert name=" + name);

-                                try {
-                                    for (InetAddress addr : InetAddress.getAllByName(name))
-                                        if (Arrays.equals(ip.getAddress(), addr.getAddress())) {
-                                            Log.i("Accepted " + name + " for " + server);
-                                            return;
-                                        }
-                                } catch (UnknownHostException ex) {
-                                    Log.w(ex);
+                                    try {
+                                        for (InetAddress addr : InetAddress.getAllByName(name))
+                                            if (Arrays.equals(ip.getAddress(), addr.getAddress())) {
+                                                Log.i("Accepted " + name + " for " + server);
+                                                return;
+                                            }
+                                    } catch (UnknownHostException ex) {
+                                        Log.w(ex);
+                                    }
                                }
+                            } catch (UnknownHostException ex) {
+                                Log.w(ex);
+                            } catch (Throwable ex) {
+                                Log.e(ex);
                            }
-                        } catch (UnknownHostException ex) {
-                            Log.w(ex);
-                        } catch (Throwable ex) {
-                            Log.e(ex);
-                        }

-                    String error = server + " not in certificate: " + TextUtils.join(",", names);
-                    Log.i(error);
-                    throw new CertificateException(error);
+                        String error = server + " not in certificate: " + TextUtils.join(",", names);
+                        Log.i(error);
+                        throw new CertificateException(error);
+                    }
                }
            }