Set OkHttp protocols to TLSv1.2 and TLSv1.3 only

thanhminhmr · thanhminhmr · commit 80d5a005eb8b · 2025-04-05T19:38:55.000+07:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -43,6 +43,7 @@ dependencies {
 
 	implementation(libs.commons.text)
 
+	implementation(libs.conscrypt.android)
 	implementation(libs.okhttp)
 	implementation(libs.netcipher.webkit)
 	implementation(libs.media3.exoplayer)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -20,6 +20,7 @@ androidx-swiperefreshlayout = "1.1.0"
 checkstyle = "10.17.0"
 commons-lang = "3.17.0"
 commons-text = "1.13.0"
+conscrypt-android = "2.5.3"
 google-flexbox = "3.0.0"
 google-material = "1.12.0"
 jackson = "2.18.3"
@@ -53,6 +54,7 @@ androidx-swiperefreshlayout = { module = "androidx.swiperefreshlayout:swiperefre
 
 commons-lang = { module = "org.apache.commons:commons-lang3", version.ref = "commons-lang" }
 commons-text = { module = "org.apache.commons:commons-text", version.ref = "commons-text" }
+conscrypt-android = { module = "org.conscrypt:conscrypt-android", version.ref = "conscrypt-android" }
 google-flexbox = { module = "com.google.android.flexbox:flexbox", version.ref = "google-flexbox" }
 google-material = { module = "com.google.android.material:material", version.ref = "google-material" }
 jackson-core = { module = "com.fasterxml.jackson.core:jackson-core", version.ref = "jackson" }
diff --git a/src/main/java/org/quantumbadger/redreader/http/InternalSSLSocketFactory.java b/src/main/java/org/quantumbadger/redreader/http/InternalSSLSocketFactory.java
@@ -17,77 +17,84 @@
 
 package org.quantumbadger.redreader.http;
 
-import androidx.annotation.NonNull;
-
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 
-public class LegacyTLSSocketFactory extends SSLSocketFactory {
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
 
-	private static final String[] TLS_V1_2_ONLY = {"TLSv1.2"};
+public final class InternalSSLSocketFactory extends SSLSocketFactory {
+	private static final String[] ENABLED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"};
 
-	private final SSLSocketFactory delegate;
+	private final SSLSocketFactory sslSocketFactory;
 
-	public LegacyTLSSocketFactory(@NonNull final SSLSocketFactory base) {
-		this.delegate = base;
+	public InternalSSLSocketFactory(final SSLSocketFactory sslSocketFactory) {
+		this.sslSocketFactory = sslSocketFactory;
 	}
 
 	@Override
 	public String[] getDefaultCipherSuites() {
-		return delegate.getDefaultCipherSuites();
+		return sslSocketFactory.getDefaultCipherSuites();
 	}
 
 	@Override
 	public String[] getSupportedCipherSuites() {
-		return delegate.getSupportedCipherSuites();
+		return sslSocketFactory.getSupportedCipherSuites();
+	}
+
+	@Override
+	public Socket createSocket() throws IOException {
+		return enableTLSOnSocket(sslSocketFactory.createSocket());
 	}
 
 	@Override
 	public Socket createSocket(
-			final Socket s,
+			final Socket socket,
 			final String host,
 			final int port,
-			final boolean autoClose) throws IOException {
-		return enableTLS1_2(delegate.createSocket(s, host, port, autoClose));
+			final boolean autoClose
+	) throws IOException {
+		return enableTLSOnSocket(sslSocketFactory.createSocket(socket, host, port, autoClose));
 	}
 
 	@Override
 	public Socket createSocket(final String host, final int port) throws IOException {
-		return enableTLS1_2(delegate.createSocket(host, port));
+		return enableTLSOnSocket(sslSocketFactory.createSocket(host, port));
 	}
 
 	@Override
 	public Socket createSocket(
 			final String host,
 			final int port,
 			final InetAddress localHost,
-			final int localPort) throws IOException {
-		return enableTLS1_2(delegate.createSocket(host, port, localHost, localPort));
+			final int localPort
+	) throws IOException {
+		return enableTLSOnSocket(sslSocketFactory.createSocket(host, port, localHost, localPort));
 	}
 
 	@Override
-	public Socket createSocket(
-			final InetAddress host,
-			final int port) throws IOException {
-		return enableTLS1_2(delegate.createSocket(host, port));
+	public Socket createSocket(final InetAddress host, final int port) throws IOException {
+		return enableTLSOnSocket(sslSocketFactory.createSocket(host, port));
 	}
 
 	@Override
 	public Socket createSocket(
 			final InetAddress address,
 			final int port,
 			final InetAddress localAddress,
-			final int localPort) throws IOException {
-		return enableTLS1_2(delegate.createSocket(address, port, localAddress, localPort));
+			final int localPort
+	) throws IOException {
+		return enableTLSOnSocket(
+				sslSocketFactory.createSocket(address, port, localAddress, localPort)
+		);
 	}
 
-	private Socket enableTLS1_2(final Socket s) {
-		if (s instanceof SSLSocket) {
-			((SSLSocket)s).setEnabledProtocols(TLS_V1_2_ONLY);
+	private Socket enableTLSOnSocket(final Socket socket) {
+		if (socket instanceof SSLSocket) {
+			final SSLSocket sslSocket = (SSLSocket) socket;
+			sslSocket.setEnabledProtocols(ENABLED_PROTOCOLS);
 		}
-		return s;
+		return socket;
 	}
 }
diff --git a/src/main/java/org/quantumbadger/redreader/http/okhttp/OKHTTPBackend.kt b/src/main/java/org/quantumbadger/redreader/http/okhttp/OKHTTPBackend.kt
@@ -22,13 +22,15 @@ import android.util.Log
 import okhttp3.CacheControl
 import okhttp3.Call
 import okhttp3.ConnectionPool
+import okhttp3.ConnectionSpec
 import okhttp3.Cookie
 import okhttp3.CookieJar
 import okhttp3.HttpUrl
 import okhttp3.MediaType.Companion.toMediaType
 import okhttp3.MultipartBody
 import okhttp3.OkHttpClient
 import okhttp3.RequestBody.Companion.toRequestBody
+import org.conscrypt.Conscrypt
 import org.quantumbadger.redreader.cache.CacheRequest
 import org.quantumbadger.redreader.common.Constants
 import org.quantumbadger.redreader.common.General.getGeneralErrorForFailure
@@ -41,23 +43,44 @@ import org.quantumbadger.redreader.common.TorCommon
 import org.quantumbadger.redreader.common.UriString
 import org.quantumbadger.redreader.http.FailedRequestBody
 import org.quantumbadger.redreader.http.HTTPBackend
+import org.quantumbadger.redreader.http.InternalSSLSocketFactory
 import org.quantumbadger.redreader.http.body.HTTPRequestBody
 import org.quantumbadger.redreader.http.body.multipart.Part
 import java.io.IOException
 import java.io.InputStream
 import java.net.InetSocketAddress
 import java.net.Proxy
+import java.security.Provider
+import java.security.Security
 import java.util.Locale
 import java.util.concurrent.TimeUnit
 import java.util.concurrent.atomic.AtomicBoolean
 import java.util.concurrent.atomic.AtomicReference
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManager
 import okhttp3.Request as OkHTTPRequest
 
 class OKHTTPBackend private constructor() : HTTPBackend() {
 	private val mClient: OkHttpClient
 
 	init {
+		// Init Conscrypt
+		val conscrypt: Provider = Conscrypt.newProvider()
+
+		// Add as provider
+		Security.insertProviderAt(conscrypt, 1)
+
 		val builder: OkHttpClient.Builder = OkHttpClient.Builder()
+			.connectionSpecs(listOf(ConnectionSpec.RESTRICTED_TLS))
+
+		try {
+			val tm = Conscrypt.getDefaultX509TrustManager()
+			val sslContext: SSLContext = SSLContext.getInstance("TLS", conscrypt)
+			sslContext.init(null, arrayOf<TrustManager>(tm), null)
+			builder.sslSocketFactory(InternalSSLSocketFactory(sslContext.socketFactory), tm)
+		} catch (e: java.lang.Exception) {
+			e.printStackTrace()
+		}
 
 		// Here we set the over18 cookie if needed, and return it whenever the url contains search
 		// this is necessary to get the reddit API to return NSFW search results
