diff --git a/CHANGELOG.md b/CHANGELOG.md
index 244efb5ea..ecc318da5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+
+* reverted self-signed support since it was broken, only HTTPS certificates
+ with proper CA signatures will work for now
+
 ### 0.71 (2014-08-05)
 
 * Added "local repo" support to host an F-Droid repo on the device itself, with
diff --git a/src/org/fdroid/fdroid/FDroidApp.java b/src/org/fdroid/fdroid/FDroidApp.java
index 0fd33551d..249e32d94 100644
--- a/src/org/fdroid/fdroid/FDroidApp.java
+++ b/src/org/fdroid/fdroid/FDroidApp.java
@@ -40,7 +40,6 @@ import android.os.Message;
 import android.os.Messenger;
 import android.os.RemoteException;
 import android.preference.PreferenceManager;
-import android.util.Log;
 import android.widget.Toast;
 
 import com.nostra13.universalimageloader.cache.disc.impl.LimitedAgeDiscCache;
@@ -49,8 +48,6 @@ import com.nostra13.universalimageloader.core.ImageLoader;
 import com.nostra13.universalimageloader.core.ImageLoaderConfiguration;
 import com.nostra13.universalimageloader.utils.StorageUtils;
 
-import de.duenndns.ssl.MemorizingTrustManager;
-
 import org.fdroid.fdroid.Preferences.ChangeListener;
 import org.fdroid.fdroid.compat.PRNGFixes;
 import org.fdroid.fdroid.data.AppProvider;
@@ -59,18 +56,10 @@ import org.fdroid.fdroid.data.Repo;
 import org.fdroid.fdroid.localrepo.LocalRepoService;
 import org.fdroid.fdroid.net.IconDownloader;
 import org.fdroid.fdroid.net.WifiStateChangeService;
-import org.thoughtcrime.ssl.pinning.PinningTrustManager;
-import org.thoughtcrime.ssl.pinning.SystemKeyStore;
 
 import java.io.File;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Set;
 
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-
 public class FDroidApp extends Application {
 
 // for the local repo on this device, all static since there is only one
@@ -192,37 +181,7 @@ public class FDroidApp extends Application {
 .build();
 ImageLoader.getInstance().init(config);
 
- try {
- SSLContext sc = SSLContext.getInstance("TLS");
-
- // MemorizingTrustManager -> PinningTrustManager -> Prompt User
- /*
- * The current HTTPS trust model is to first check if a site's key
- * is TOFUed, then check if it is pinned and valid with the CA, then
- * prompt the user. There is currently no way to only check the CA
- * for validity. Ultimately, that should probably not be needed if
- * the repo URLs can include the HTTPS pin info in the same way that
- * the repo fingerprint is specified. Then it can be added to the
- * TOFU/POP keystore when the user accepts the Add Repo dialog
- */
- PinningTrustManager pinMgr = new PinningTrustManager(
- SystemKeyStore.getInstance(getApplicationContext()),
- FDroidCertPins.getPinList(),
- 0);
- MemorizingTrustManager memMgr = new MemorizingTrustManager(getApplicationContext(), pinMgr);
-
- /*
- * initialize a SSLContext with the outermost trust manager, use
- * this context to set the default SSL socket factory for the
- * HTTPSURLConnection class.
- */
- sc.init(null, new TrustManager[] {memMgr}, new java.security.SecureRandom());
- HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
- } catch (KeyManagementException e) {
- Log.e("FDroid", "Unable to set up trust manager chain. KeyManagementException");
- } catch (NoSuchAlgorithmException e) {
- Log.e("FDroid", "Unable to set up trust manager chain. NoSuchAlgorithmException");
- }
+ // TODO reintroduce PinningTrustManager and MemorizingTrustManager
 
 // initialized the local repo information
 WifiManager wifiManager = (WifiManager) getSystemService(WIFI_SERVICE);
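Review bot: The TODO that replaces the removed block does not record what the app now trusts: the removed lines were the only place the FDroidCertPins pin list and the TOFU prompt were wired into HttpsURLConnection's default socket factory, so after this change HTTPS repos are presumably checked against the platform CA store alone, with no pinning and no prompt for self-signed certificates. The CHANGELOG hunk only mentions self-signed support, so the loss of pinning is invisible to anyone reading either file; suggest `// TODO reintroduce PinningTrustManager and MemorizingTrustManager; until then HTTPS repos are verified only against the platform CA store (no pinning, no TOFU prompt for self-signed certs)`. FDroidCertPins.getPinList() appears to lose its caller here, so it is worth confirming whether anything else references it before the pin list silently goes stale. The enclosing onCreate starts and ends outside the hunk.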