1
0
mirror of https://github.com/moparisthebest/k-9 synced 2024-11-16 22:45:04 -05:00
Commit Graph

1551 Commits

Author SHA1 Message Date
Joe Steele
b557ba008c Implement SMTP AUTH EXTERNAL
Also, simplify by using Utility.base64Encode(String) in lieu of
new String(Base64.encodeBase64(String.getBytes())
2014-08-11 11:07:53 -04:00
Joe Steele
65144e3759 Handle client certificate errors
If the alias is empty or null, don't bother using KeyChainKeyManager.

If the alias is not empty, confirm that it is associated with a
certificate, otherwise throw a CertificateValidationException
which will notify the user of the problem and ask the user to
check the server settings.

Likewise, the user is notified if the client certificate was
not accepted by the server.
2014-08-11 11:07:48 -04:00
Joe Steele
21cc3d9176 Remove ClientCertificateRequiredException
With this commit, KeyChainKeyManager no longer throws the exception and
AccountSetupCheckSettings no longer catches it.

It was being thrown when the server requested a client certificate but no
client certificate alias had been configured for the server.

The code was making the incorrect assumption that the server would only
request a client certificate when such a certificate was *required*.
However, servers can be configured to accept multiple forms of
authentication, including both password authentication and client
certificate authentication.  So a server may request a certificate without
requiring it.  If a user has not configured a client certificate, then
that should not be treated as an error because the configuration may be
valid and the server may accept it.

The only indication that a certificate is *required* is when a
SSLProtocolException is thrown, caused by a SSLHandshakeException
resulting from a fatal handshake alert message received from the server.
Unfortunately, such a message is fairly generic and only "indicates that
the sender was unable to negotiate an acceptable set of security
parameters given the options available."  So there is no definitive way to
know that a client certificate is required.

Also, KeyChainKeyManager.getCertificateChain() and getPrivateKey() no
longer throw IllegalStateException().  These methods are permitted to
return null, and such a response is appropriate if the user has deleted
client certificates from the device.  Again, this may or may not cause the
server to abort the connection, depending on whether the server *requires*
a client certificate.
2014-08-11 11:07:44 -04:00
Joe Steele
fa853f7e1d Remove SslHelper.isClientCertificateSupportAvailable()
The app's minSdkVersion = 15 (Android 4.0.3, Ice Cream Sandwich MR1),
so there's no need to test the API level.

This also removes '@SuppressLint("TrulyRandom")'.  I find no
documentation for it, nor do I find any additional lint errors
with its removal.
2014-08-11 11:07:42 -04:00
Joe Steele
0224a89109 Use theme based style 2014-08-11 11:07:38 -04:00
Joe Steele
acab554ee5 Save/Restore activity state
This assures that changes made to the port setting and to the chosen
client certificate are saved and restored.
2014-08-11 11:07:34 -04:00
Joe Steele
373c7569ed Fix password prompts on account import
Don't prompt if server's AuthType == EXTERNAL

Don't prompt for SMTP servers that don't require authentication
(no user name).
2014-08-11 11:06:46 -04:00
Joe Steele
51829a2451 Reorganize the server setup layouts
This only changes the vertical display order of the widgets.

The user will likely review the settings from top to bottom, but
the way they were previously arranged, settings lower on the list
were affecting things higher on the list.

Generally show top to bottom:
Server
security type
port (affected by security type above)
require login checkbox (SMTP only, affects everything below)
user
auth. type (affected by security type above, affects everything below)
password (affected by auth. type above)
client cert (affected by auth. type above)
2014-08-11 11:05:18 -04:00
Joe Steele
710e7a4430 Notify user of invalid account-setup settings combo
Specifically, warn and block them when attempting to configure Client
Certificate Authentication in combination with Connection Security = None.

If this were not made obvious to the user, they might not understand why
they are not permitted to tap "Next".

Also, move the initialization of all view listeners out of onCreate() into
initializeViewListeners() which is then called near the end of onCreate(),
helping to assure that the listeners won't be triggered during the
initialization of views inside onCreate().
2014-07-28 22:55:34 -04:00
Joe Steele
008891a375 Clean up indentation
White space changes only.
2014-07-13 16:01:51 -04:00
Joe Steele
3142a9a225 Merge branch 'master' into tls-client-cert-auth
Conflicts:
	src/com/fsck/k9/fragment/ConfirmationDialogFragment.java
2014-07-04 18:08:07 -04:00
cketti
731da2747e Merge pull request #476 from k9mail/remove_actionbarsherlock
Remove ActionBarSherlock
2014-06-28 03:41:23 +02:00
Koji Arai
750e4a7808 Updated Japanese translation of the changelog. 2014-06-22 11:03:22 +09:00
cketti
ba69b3a647 Remove ActionBarSherlock 2014-06-21 17:09:45 +02:00
Dominik Schürmann
aad171ff7e Client Certificate Authentication 2014-06-05 21:03:18 +02:00
Mike Perry
38c90146e1 Issue 6372: Add preference for setting timezone to UTC.
This is a privacy preference to avoid leaking your current location while
replying to email.
2014-05-27 07:53:50 -07:00
Mike Perry
87802a01ef Issue 4690: Add privacy pref to omit K-9 User-Agent header. 2014-05-27 07:53:18 -07:00
cketti
082e13df26 Add support for delete confirmation in message list
Fixes issue 6260
2014-05-18 20:21:33 +02:00
cketti
818aed5f8c Update changelog for 4.904 2014-04-18 16:53:40 +02:00
Torsten Grote
79ae191c2e add information for MyKolab.com and its variants to providers 2014-04-14 16:03:36 +02:00
cketti
3054ff757b Update translations to use ellipsis character 2014-04-08 21:29:40 +02:00
cketti
d6a9b4e4d4 Remove obsolete layout attributes
Fixes more Lint warnings
2014-04-08 21:27:11 +02:00
cketti
a7e157eac7 Remove Canadian French translation
It looks like this translation hasn't been maintained for quite some
time.
2014-04-08 17:46:45 +02:00
cketti
d5c6d96112 Fetch translations from Transifex
Include new Basque (eu) translation
2014-04-08 17:36:20 +02:00
cketti
c4d930f326 Remove newlines that mess up Transifex 2014-04-08 05:13:39 +02:00
cketti
24cdf811e6 Prepare to integrate Transifex translations
Change the translated strings files to a format similar to what
Transifex exports. This should make it easier to see the content changes
when translations are pulled from Transifex for the first time.
2014-04-08 04:35:21 +02:00
cketti
eaa12d2bd4 Sync translations (and remove place holders) 2014-04-08 04:35:21 +02:00
cketti
13bc441c7b Remove and rearrange comments to better work with Transifex 2014-04-08 04:35:05 +02:00
cketti
efc5565b91 Extract hardcoded string from layout 2014-04-07 20:24:01 +02:00
cketti
ebed217c13 Add missing inputType attribute 2014-04-07 20:19:51 +02:00
cketti
7e040ea84c Fix SpUsage lint warnings 2014-04-07 20:09:22 +02:00
cketti
3da2ef7fbe Fix PxUsage warning 2014-04-07 20:00:53 +02:00
cketti
136bdbc483 Fix whitespace to get rid of ExtraText lint warnings 2014-04-07 19:56:08 +02:00
cketti
0526ddd2aa Remove unused resources 2014-04-07 19:52:37 +02:00
cketti
114d72da3c Remove deprecated resource attributes 2014-04-07 19:31:10 +02:00
cketti
ab72aa0dd7 Don't reuse IDs 2014-04-07 19:17:50 +02:00
cketti
19b808b93b Don't use hardcoded package in namespace 2014-04-07 18:50:30 +02:00
cketti
945e539341 Remove some unused strings 2014-04-07 18:24:22 +02:00
cketti
857c72d691 Fix typo 2014-04-07 18:17:23 +02:00
cketti
cc8353d255 Merge pull request #457 from openpgp-keychain/openpgp
OpenPGP Provider API
2014-04-01 02:44:32 +02:00
cketti
18da76f4aa Increase number of values available for 'local folder size'
Fixes issue 6235
2014-03-09 05:49:11 +01:00
cketti
c6f0a5897b Update changelog for 4.903 2014-03-06 01:59:31 +01:00
cketti
ef8fbb427e Fix typos 2014-03-05 07:18:24 +01:00
cketti
bc4218be55 Remove all entries without transport encryption from providers.xml 2014-03-05 07:07:43 +01:00
cketti
ff5edf43d4 Merge branch 'pr/453'
Authentication changes

 message to explain why this merge is necessary,
2014-03-05 06:19:55 +01:00
Dominik Schürmann
f5b1ed920b Handle SIGNATURE_SUCCESS_UNCERTIFIED, code cleanup 2014-03-04 15:10:20 +01:00
Joe Steele
daea7f1ecd Eliminate the 'if available' connection security options
These options originated in the AOSP email client from which K-9 Mail was
forked.  They provide an odd combination of 2 features:

1. Don't bother to authenticate the server's certificate (applies to both
SSL/TLS and STARTTLS); i.e., blindly accept all certificates.  This is
generally a bad security policy which is susceptible to MITM attacks.

2. If STARTTLS is selected but the server doesn't claim to support
STARTTLS, then proceed without using encryption.  This, too, is a bad
security policy which is susceptible to MITM attacks.

Since the time that K-9 Mail was forked, a couple things have changed:

> K-9 Mail has implemented the ability for users to review and permanently
accept individual certificates that would otherwise fail authentication.
With this ability, there is no need for a user to subject themselves to
the ongoing risks of feature 1. above.  Hence, this commit removes feature
1.

> The AOSP email client has changed its behavior and no longer permits a
security downgrade to an unencrypted connection if the server doesn't
claim to support STARTTLS (i.e., they eliminated feature 2. above). K-9
Mail should do the same.  It's unlikely that a server is going to provide
STARTTLS on an intermittent basis, so providing a contingency for such
unusual behavior is an unnecessary risk.  Hence, this commit removes that
feature as well.

Effect on existing users:

If the old connection security setting was "SSL/TLS (if available)" (which
now gets remapped to "SSL/TLS"), and the server does not provide a
certificate that can be authenticated, then a "Certificate error for
<account name>" notification is generated telling the user to check their
server settings.  Tapping the notification takes the user to the relevant
server settings, where the user can tap "Next" to review the certificate
and choose to permanently accept it.  This process would occur during the
first syncing of folders after application upgrade or (in the case of
SMTP) during the first attempt to send a message.

If the connection security setting was "STARTTLS (if available)" (which
now gets remapped to "STARTTLS"), and the server does not provide a
certificate that can be authenticated, then the same process as above
would occur.

If the old connection security setting was "STARTTLS (if available)", and
the server doesn't claim to support STARTTLS, then the user would get a
certificate error notification which would lead them to the server's
settings.  There they would need to choose a different connection security
-- most likely "NONE".  If they didn't change anything but instead just
tapped "Next", the server settings would be checked again and a dialog
would pop up saying, "Cannot connect to server. (STARTTLS connection
security not available)". (The implementation of notifications when
STARTTLS is not available is not actually included here -- it's in the
commit that follows.)

Regarding the changes to providers.xml:  in cases where the scheme ended
with "+ssl", the schemes were simply updated by appending "+".  In cases
where the scheme ended with "+tls", a check of the server was made to
assure that STARTTLS was available before appending "+" to the scheme.
Domains paran.com and nate.com failed the check and were removed because
no current information could be found.  Domains me.com and mac.com also
failed and were updated based on http://support.apple.com/kb/ht4864.
2014-03-03 17:23:00 -05:00
Dominik Schürmann
4a69ef1509 New OpenPGP Provider API 2014-03-02 16:51:47 +01:00
cketti
abc765e893 Don't combine strings in code 2014-03-01 05:12:01 +01:00
Joe Steele
540de158a0 Change the PLAIN auth. option text based on encryption
If the user chooses a connection security option which assures the use of
encryption, then the PLAIN auth. option is labeled "Normal password",
otherwise it is labeled "Password, transmitted insecurely".

This is similar to Thunderbird's behavior.
2014-02-25 15:22:44 -05:00