From 88321c1e8c6e119fb200b3d0bbaa4f304334d226 Mon Sep 17 00:00:00 2001
From: Daniel Gultsch
Date: Fri, 9 Dec 2016 19:56:49 +0100
Subject: use POSH only when system CAs are trusted
---
.../src/de/duenndns/ssl/MemorizingTrustManager.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'libs/MemorizingTrustManager')
diff --git a/libs/MemorizingTrustManager/src/de/duenndns/ssl/MemorizingTrustManager.java b/libs/MemorizingTrustManager/src/de/duenndns/ssl/MemorizingTrustManager.java
index 439ad0f9..a45ab05b 100644
--- a/libs/MemorizingTrustManager/src/de/duenndns/ssl/MemorizingTrustManager.java
+++ b/libs/MemorizingTrustManager/src/de/duenndns/ssl/MemorizingTrustManager.java
@@ -36,6 +36,7 @@ import android.content.Context;
 import android.content.Intent;
 import android.net.Uri;
 import android.os.SystemClock;
+import android.preference.PreferenceManager;
 import android.util.Base64;
 import android.util.Log;
 import android.util.SparseArray;
@@ -430,7 +431,8 @@ public class MemorizingTrustManager {
 else
 defaultTrustManager.checkClientTrusted(chain, authType);
 } catch (CertificateException e) {
- if (domain != null && isServer && !isIp(domain)) {
+ boolean trustSystemCAs = !PreferenceManager.getDefaultSharedPreferences(master).getBoolean("dont_trust_system_cas", false);
+ if (domain != null && isServer && trustSystemCAs && !isIp(domain)) {
 String hash = getBase64Hash(chain[0],"SHA-256");
 List fingerprints = getPoshFingerprints(domain);
 if (hash != null && fingerprints.contains(hash)) {
-- cgit v1.2.3
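Review bot: The new `trustSystemCAs` line in the `catch (CertificateException e)` branch looks the setting up by the bare string literal `"dont_trust_system_cas"` with a default of `false`, so the gate fails open: if that key ever differs from the one the settings code writes (not visible in this hunk), the lookup quietly reports that system CAs are trusted and the POSH fallback stays enabled. I would reference a single named constant shared with the code that stores the preference instead of repeating the literal inside the library. The check also deserves a why-comment, for example `// POSH is a fallback that relies on system-CA trust; skip it when the user has opted out of system CAs`, worded after confirming how `getPoshFingerprints` authenticates its lookup, since that method is outside the hunk. The enclosing method starts and ends outside this hunk, so how an accepted POSH match is handled afterwards cannot be checked from here.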