Merge branch 'kepuss-okhttp3'

OpenKeychain/build.gradle

@@ -55,8 +55,8 @@ dependencies {
     compile 'org.sufficientlysecure:html-textview:1.3'
     compile 'org.sufficientlysecure:donations:2.4'
     compile 'com.nispok:snackbar:2.11.0'
-    compile 'com.squareup.okhttp:okhttp:2.7.5'
+    compile 'com.squareup.okhttp3:okhttp:3.2.0'
-    compile 'com.squareup.okhttp:okhttp-urlconnection:2.7.5'
+    compile 'com.squareup.okhttp3:okhttp-urlconnection:3.2.0'
     compile 'org.apache.james:apache-mime4j-core:0.7.2'
     compile 'org.apache.james:apache-mime4j-dom:0.7.2'
     compile 'org.thoughtcrime.ssl.pinning:AndroidPinning:1.0.0'
@@ -105,10 +105,10 @@ dependencyVerification {
             'se.emilsjolander:stickylistheaders:a08ca948aa6b220f09d82f16bbbac395f6b78897e9eeac6a9f0b0ba755928eeb',
             'org.sufficientlysecure:donations:96f8197bab26dfe41900d824f10f8f1914519cd62eedb77bdac5b223eccdf0a6',
             'org.sufficientlysecure:html-textview:39048e35894e582adada388e6c00631803283f8defed8e07ad58a5f284f272ee',
-            'com.squareup.okhttp:okhttp:88ac9fd1bb51f82bcc664cc1eb9c225c90dc4389d660231b4cc737bebfe7d0aa',
+            'com.squareup.okhttp3:okhttp:a41cdb7b024c56436a21e38f00b4d12e3b7e01451ffe6c4f545acba805bba03b',
+            'com.squareup.okhttp3:okhttp-urlconnection:7d6598a6665c166e2d4b78956a96056b9be7de192b3c923ccf4695d08e580833',
             'com.nispok:snackbar:46b5eb9d630d329e13c2ce00ee9fb115ffb66c23c72cff32ee97eedd76824c6f',
             'org.apache.james:apache-mime4j-core:4d7434c68f94b81a253c12f28e6bbb4d6239c361d6086a46e22e594bb43ac660',
-            'com.squareup.okhttp:okhttp-urlconnection:6ae7c527abd2253e7c499ded790174f8f37d9676add63d9e23a76f3ba0588c07',
             'org.thoughtcrime.ssl.pinning:AndroidPinning:afa1d74e699257fa75cb109ff29bac50726ef269c6e306bdeffe8223cee06ef4',
             'org.apache.james:apache-mime4j-dom:7e6b06ee164a1c21b7e477249ea0b74a18fddce44764e5764085f58dd8c34633',
             'com.mikepenz:materialdrawer:4e2644f454cc2ce48b956536d3339957c3f592adb2e0b6dad72d477da29f7677',

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/FacebookKeyserver.java

@@ -23,10 +23,10 @@ import android.net.Uri;
 import android.support.annotation.NonNull;
 import android.support.annotation.Nullable;
 
-import com.squareup.okhttp.OkHttpClient;
-import com.squareup.okhttp.Request;
-import com.squareup.okhttp.Response;
 
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.Response;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.pgp.PgpHelper;
 import org.sufficientlysecure.keychain.pgp.UncachedKeyRing;
@@ -34,6 +34,8 @@ import org.sufficientlysecure.keychain.pgp.UncachedPublicKey;
 import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpClientFactory;
+import org.sufficientlysecure.keychain.util.TlsHelper;
 
 import java.io.IOException;
 import java.net.Proxy;
@@ -104,11 +106,10 @@ public class FacebookKeyserver extends Keyserver {
             String request = String.format(FB_KEY_URL_FORMAT, fbUsername);
             Log.d(Constants.TAG, "fetching from Facebook with: " + request + " proxy: " + mProxy);
 
-            OkHttpClient client = new OkHttpClient();
-            client.setProxy(mProxy);
-
             URL url = new URL(request);
 
+            OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, mProxy);
+
             Response response = client.newCall(new Request.Builder().url(url).build()).execute();
 
             // contains body both in case of success or failure
@@ -126,6 +127,9 @@ public class FacebookKeyserver extends Keyserver {
             throw new QueryFailedException("Cannot connect to Facebook. "
                     + "Check your Internet connection!"
                     + (mProxy == Proxy.NO_PROXY ? "" : " Using proxy " + mProxy));
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "Exception in cert pinning", e);
+            throw new QueryFailedException("Exception in cert pinning. ");
         }
     }
 

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java

@@ -18,16 +18,18 @@
 
 package org.sufficientlysecure.keychain.keyimport;
 
-import com.squareup.okhttp.MediaType;
-import com.squareup.okhttp.OkHttpClient;
-import com.squareup.okhttp.Request;
-import com.squareup.okhttp.RequestBody;
-import com.squareup.okhttp.Response;
 
+
+import okhttp3.MediaType;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.pgp.PgpHelper;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpClientFactory;
 import org.sufficientlysecure.keychain.util.TlsHelper;
 
 import java.io.IOException;
@@ -42,7 +44,6 @@ import java.util.Comparator;
 import java.util.GregorianCalendar;
 import java.util.Locale;
 import java.util.TimeZone;
-import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -199,43 +200,12 @@ public class HkpKeyserver extends Keyserver {
         return mSecure ? "https://" : "http://";
     }
 
-    /**
-     * returns a client with pinned certificate if necessary
-     *
-     * @param url   url to be queried by client
-     * @param proxy proxy to be used by client
-     * @return client with a pinned certificate if necessary
-     */
-    public static OkHttpClient getClient(URL url, Proxy proxy) throws IOException {
-        OkHttpClient client = new OkHttpClient();
-
-        try {
-            TlsHelper.usePinnedCertificateIfAvailable(client, url);
-        } catch (TlsHelper.TlsHelperException e) {
-            Log.w(Constants.TAG, e);
-        }
-
-        // don't follow any redirects
-        client.setFollowRedirects(false);
-        client.setFollowSslRedirects(false);
-
-        if (proxy != null) {
-            client.setProxy(proxy);
-            client.setConnectTimeout(30000, TimeUnit.MILLISECONDS);
-        } else {
-            client.setProxy(Proxy.NO_PROXY);
-            client.setConnectTimeout(5000, TimeUnit.MILLISECONDS);
-        }
-        client.setReadTimeout(45000, TimeUnit.MILLISECONDS);
-
-        return client;
-    }
 
     private String query(String request, @NonNull Proxy proxy) throws QueryFailedException, HttpError {
         try {
             URL url = new URL(getUrlPrefix() + mHost + ":" + mPort + request);
             Log.d(Constants.TAG, "hkp keyserver query: " + url + " Proxy: " + proxy);
-            OkHttpClient client = getClient(url, proxy);
+            OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
             Response response = client.newCall(new Request.Builder().url(url).build()).execute();
 
             String responseBody = response.body().string(); // contains body both in case of success or failure
@@ -249,6 +219,9 @@ public class HkpKeyserver extends Keyserver {
             Log.e(Constants.TAG, "IOException at HkpKeyserver", e);
             throw new QueryFailedException("Keyserver '" + mHost + "' is unavailable. Check your Internet connection!" +
                     (proxy == Proxy.NO_PROXY ? "" : " Using proxy " + proxy));
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "Exception in pinning certs", e);
+            throw new QueryFailedException("Exception in pinning certs");
         }
     }
 
@@ -413,6 +386,7 @@ public class HkpKeyserver extends Keyserver {
             Log.d(Constants.TAG, "hkp keyserver add: " + url);
             Log.d(Constants.TAG, "params: " + params);
 
+
             RequestBody body = RequestBody.create(MediaType.parse("application/x-www-form-urlencoded"), params);
 
             Request request = new Request.Builder()
@@ -422,7 +396,7 @@ public class HkpKeyserver extends Keyserver {
                     .post(body)
                     .build();
 
-            Response response = getClient(url, mProxy).newCall(request).execute();
+            Response response = OkHttpClientFactory.getClientPinnedIfAvailable(url, mProxy).newCall(request).execute();
 
             Log.d(Constants.TAG, "response code: " + response.code());
             Log.d(Constants.TAG, "answer: " + response.body().string());
@@ -434,6 +408,9 @@ public class HkpKeyserver extends Keyserver {
         } catch (IOException e) {
             Log.e(Constants.TAG, "IOException", e);
             throw new AddKeyException();
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "Exception in pinning certs", e);
+            throw new AddKeyException();
         }
     }
 

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/linked/LinkedTokenResource.java

@@ -2,10 +2,10 @@ package org.sufficientlysecure.keychain.linked;
 
 import android.content.Context;
 
-import com.squareup.okhttp.CertificatePinner;
+import okhttp3.CertificatePinner;
-import com.squareup.okhttp.OkHttpClient;
+import okhttp3.OkHttpClient;
-import com.squareup.okhttp.Request;
+import okhttp3.Request;
-import com.squareup.okhttp.Response;
+import okhttp3.Response;
 import org.json.JSONException;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.linked.resources.GenericHttpsResource;
@@ -16,6 +16,7 @@ import org.sufficientlysecure.keychain.operations.results.OperationResult.LogTyp
 import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpClientFactory;
 
 import java.io.IOException;
 import java.net.MalformedURLException;
@@ -236,13 +237,16 @@ public abstract class LinkedTokenResource extends LinkedResource {
         return builder.build();
     }
 
+
     public static String getResponseBody(Request request, String... pins)
             throws IOException, HttpStatusException {
 
-        Log.d("Connection to: "+request.url().getHost(),"");
+        Log.d("Connection to: " + request.url().url().getHost(), "");
-        OkHttpClient client = new OkHttpClient();
+        OkHttpClient client;
-        if(pins !=null){
+        if (pins != null) {
-            client.setCertificatePinner(getCertificatePinner(request.url().getHost(),pins));
+            client = OkHttpClientFactory.getSimpleClientPinned(getCertificatePinner(request.url().url().getHost(), pins));
+        } else {
+            client = OkHttpClientFactory.getSimpleClient();
         }
 
         Response response = client.newCall(request).execute();

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/linked/resources/GenericHttpsResource.java

@@ -6,7 +6,7 @@ import android.net.Uri;
 import android.support.annotation.DrawableRes;
 import android.support.annotation.StringRes;
 
-import com.squareup.okhttp.Request;
+import okhttp3.Request;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/linked/resources/GithubResource.java

@@ -6,7 +6,7 @@ import android.net.Uri;
 import android.support.annotation.DrawableRes;
 import android.support.annotation.StringRes;
 
-import com.squareup.okhttp.Request;
+import okhttp3.Request;
 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/linked/resources/TwitterResource.java

@@ -7,11 +7,11 @@ import android.support.annotation.DrawableRes;
 import android.support.annotation.StringRes;
 import android.util.Log;
 
-import com.squareup.okhttp.MediaType;
-import com.squareup.okhttp.Request;
-import com.squareup.okhttp.RequestBody;
 import com.textuality.keybase.lib.JWalk;
 
+import okhttp3.MediaType;
+import okhttp3.Request;
+import okhttp3.RequestBody;
 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/AddEditKeyserverDialogFragment.java

@@ -50,14 +50,13 @@ import android.widget.EditText;
 import android.widget.TextView;
 import android.widget.TextView.OnEditorActionListener;
 
-import com.squareup.okhttp.OkHttpClient;
-import com.squareup.okhttp.Request;
 
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
-import org.sufficientlysecure.keychain.keyimport.HkpKeyserver;
-import org.sufficientlysecure.keychain.ui.util.Notify;
 import org.sufficientlysecure.keychain.util.Log;
+import org.sufficientlysecure.keychain.util.OkHttpClientFactory;
 import org.sufficientlysecure.keychain.util.Preferences;
 import org.sufficientlysecure.keychain.util.TlsHelper;
 import org.sufficientlysecure.keychain.util.orbot.OrbotHelper;
@@ -354,19 +353,15 @@ public class AddEditKeyserverDialogFragment extends DialogFragment implements On
 
                     Log.d("Converted URL", newKeyserver.toString());
 
-                    OkHttpClient client = HkpKeyserver.getClient(newKeyserver.toURL(), proxy);
-
-                    // don't follow any redirects
-                    client.setFollowRedirects(false);
-                    client.setFollowSslRedirects(false);
-
                     if (onlyTrustedKeyserver
-                            && !TlsHelper.usePinnedCertificateIfAvailable(client, newKeyserver.toURL())) {
+                            && TlsHelper.getPinnedSslSocketFactory(newKeyserver.toURL()) == null) {
                         Log.w(Constants.TAG, "No pinned certificate for this host in OpenKeychain's assets.");
                         reason = FailureReason.NO_PINNED_CERTIFICATE;
                         return reason;
                     }
 
+                    OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(newKeyserver.toURL(), proxy);
+
                     client.newCall(new Request.Builder().url(newKeyserver.toURL()).build()).execute();
                 } catch (TlsHelper.TlsHelperException e) {
                     reason = FailureReason.CONNECTION_FAILED;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/linked/LinkedIdCreateTwitterStep1Fragment.java

@@ -119,7 +119,7 @@ public class LinkedIdCreateTwitterStep1Fragment extends Fragment {
     private static Boolean checkHandle(String handle) {
         try {
             HttpURLConnection nection =
-                    (HttpURLConnection) new URL("https://twitter.com/" + handle).openConnection();
+                    (HttpURLConnection) new URL("https://twitter.com/" + handle).getUrlResponse();
             nection.setRequestMethod("HEAD");
             nection.setRequestProperty("User-Agent", "OpenKeychain");
             return nection.getResponseCode() == 200;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpClientFactory.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2016 Michał Kępkowski
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.util;
+
+import java.io.IOException;
+import java.net.Proxy;
+import java.net.URL;
+import java.util.concurrent.TimeUnit;
+
+import okhttp3.CertificatePinner;
+import okhttp3.OkHttpClient;
+
+public class OkHttpClientFactory {
+    private static OkHttpClient client;
+
+    public static OkHttpClient getSimpleClient() {
+        if (client == null) {
+            client = new OkHttpClient.Builder()
+                    .connectTimeout(5000, TimeUnit.MILLISECONDS)
+                    .readTimeout(25000, TimeUnit.MILLISECONDS)
+                    .build();
+        }
+        return client;
+    }
+
+    public static OkHttpClient getSimpleClientPinned(CertificatePinner pinner) {
+        return new OkHttpClient.Builder()
+                .connectTimeout(5000, TimeUnit.MILLISECONDS)
+                .readTimeout(25000, TimeUnit.MILLISECONDS)
+                .certificatePinner(pinner)
+                .build();
+    }
+
+    public static OkHttpClient getClientPinnedIfAvailable(URL url, Proxy proxy) throws IOException,
+            TlsHelper.TlsHelperException {
+        OkHttpClient.Builder builder = new OkHttpClient.Builder();
+
+        // don't follow any redirects for keyservers, as discussed in the security audit
+        builder.followRedirects(false)
+                .followSslRedirects(false);
+
+        if (proxy != null) {
+            // set proxy and higher timeouts for Tor
+            builder.proxy(proxy);
+            builder.connectTimeout(30000, TimeUnit.MILLISECONDS)
+                    .readTimeout(45000, TimeUnit.MILLISECONDS);
+        } else {
+            builder.connectTimeout(5000, TimeUnit.MILLISECONDS)
+                    .readTimeout(25000, TimeUnit.MILLISECONDS);
+        }
+
+        // If a pinned cert is available, use it!
+        // NOTE: this fails gracefully back to "no pinning" if no cert is available.
+        if (url != null && TlsHelper.getPinnedSslSocketFactory(url) != null) {
+            builder.sslSocketFactory(TlsHelper.getPinnedSslSocketFactory(url));
+        }
+
+        return builder.build();
+    }
+
+}

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/OkHttpKeybaseClient.java

@@ -17,55 +17,42 @@
 
 package org.sufficientlysecure.keychain.util;
 
-import com.squareup.okhttp.OkHttpClient;
+
-import com.squareup.okhttp.OkUrlFactory;
 import com.textuality.keybase.lib.KeybaseUrlConnectionClient;
 
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+
 import org.sufficientlysecure.keychain.Constants;
 
 import java.io.IOException;
 import java.net.Proxy;
 import java.net.URL;
-import java.net.URLConnection;
-import java.util.concurrent.TimeUnit;
 
 /**
  * Wrapper for Keybase Lib
  */
 public class OkHttpKeybaseClient implements KeybaseUrlConnectionClient {
 
-    private OkUrlFactory generateUrlFactory() {
-        OkHttpClient client = new OkHttpClient();
-        return new OkUrlFactory(client);
-    }
-
     @Override
-    public URLConnection openConnection(URL url, Proxy proxy, boolean isKeybase) throws IOException {
+    public Response getUrlResponse(URL url, Proxy proxy, boolean isKeybase) throws IOException {
-        OkUrlFactory factory = generateUrlFactory();
+        OkHttpClient client = null;
-        if (proxy != null) {
-            factory.client().setProxy(proxy);
-            factory.client().setConnectTimeout(30000, TimeUnit.MILLISECONDS);
-            factory.client().setReadTimeout(40000, TimeUnit.MILLISECONDS);
-        } else {
-            factory.client().setConnectTimeout(5000, TimeUnit.MILLISECONDS);
-            factory.client().setReadTimeout(25000, TimeUnit.MILLISECONDS);
-        }
 
-        factory.client().setFollowSslRedirects(false);
+        try {
-
+            if (proxy != null) {
-        // forced the usage of api.keybase.io pinned certificate
+                client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy);
-        if (isKeybase) {
+            } else {
-            try {
+                client = OkHttpClientFactory.getSimpleClient();
-                if (!TlsHelper.usePinnedCertificateIfAvailable(factory.client(), url)) {
-                    throw new IOException("no pinned certificate found for URL!");
-                }
-            } catch (TlsHelper.TlsHelperException e) {
-                Log.e(Constants.TAG, "TlsHelper failed", e);
-                throw new IOException("TlsHelper failed");
             }
+        } catch (TlsHelper.TlsHelperException e) {
+            Log.e(Constants.TAG, "TlsHelper failed", e);
+            throw new IOException("TlsHelper failed");
         }
 
-        return factory.open(url);
+        Request request = new Request.Builder()
+                .url(url).build();
+        okhttp3.Response okResponse = client.newCall(request).execute();
+        return new Response(okResponse.body().byteStream(), okResponse.code(), okResponse.message(), okResponse.headers().toMultimap());
     }
 
     @Override

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/util/TlsHelper.java

@@ -19,8 +19,6 @@ package org.sufficientlysecure.keychain.util;
 
 import android.content.res.AssetManager;
 
-import com.squareup.okhttp.OkHttpClient;
-
 import org.sufficientlysecure.keychain.Constants;
 
 import java.io.ByteArrayInputStream;
@@ -39,16 +37,11 @@ import java.util.HashMap;
 import java.util.Map;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
 
 public class TlsHelper {
 
-    public static class TlsHelperException extends Exception {
-        public TlsHelperException(Exception e) {
-            super(e);
-        }
-    }
-
     private static Map<String, byte[]> sPinnedCertificates = new HashMap<>();
 
     /**
@@ -80,30 +73,29 @@ public class TlsHelper {
      * @throws TlsHelperException
      * @throws IOException
      */
-    public static boolean usePinnedCertificateIfAvailable(OkHttpClient client, URL url) throws TlsHelperException, IOException {
+    public static SSLSocketFactory getPinnedSslSocketFactory(URL url) throws TlsHelperException, IOException {
         if (url.getProtocol().equals("https")) {
             // use certificate PIN from assets if we have one
             for (String host : sPinnedCertificates.keySet()) {
                 if (url.getHost().endsWith(host)) {
-                    pinCertificate(sPinnedCertificates.get(host), client);
+                    return pinCertificate(sPinnedCertificates.get(host));
-                    return true;
                 }
             }
         }
-        return false;
+        return null;
     }
 
     /**
-     * Modifies the client to accept only requests with a given certificate. Applies to all URLs requested by the
+     * Modifies the builder to accept only requests with a given certificate.
-     * client.
+     * Applies to all URLs requested by the builder.
-     * Therefore a client that is pinned this way should be used to only make requests to URLs with passed certificate.
+     * Therefore a builder that is pinned this way should be used to only make requests
+     * to URLs with passed certificate.
      *
      * @param certificate certificate to pin
-     * @param client      OkHttpClient to enforce pinning on
      * @throws TlsHelperException
      * @throws IOException
      */
-    private static void pinCertificate(byte[] certificate, OkHttpClient client)
+    private static SSLSocketFactory pinCertificate(byte[] certificate)
             throws TlsHelperException, IOException {
         // We don't use OkHttp's CertificatePinner since it can not be used to pin self-signed
         // certificate if such certificate is not accepted by TrustManager.
@@ -130,10 +122,16 @@ public class TlsHelper {
             SSLContext context = SSLContext.getInstance("TLS");
             context.init(null, tmf.getTrustManagers(), null);
 
-            client.setSslSocketFactory(context.getSocketFactory());
+            return context.getSocketFactory();
         } catch (CertificateException | KeyStoreException | KeyManagementException | NoSuchAlgorithmException e) {
             throw new TlsHelperException(e);
         }
     }
 
+    public static class TlsHelperException extends Exception {
+        public TlsHelperException(Exception e) {
+            super(e);
+        }
+    }
+
 }