On Wed, Feb 24, 2016, at 15:12, Hans-Christoph Steiner wrote:
> When using NetCipher 1.2's getHttpURLConnection() method to get a nicely
> configured TLS connection, it fails on sites that use SNI HTTPS aliases:
I can reproduce the problem on Android 4.3 through 5.1, but not Android 6.0.

The problem is tied to TlsOnlySocketFactory. This code works fine:

    HttpsURLConnection c = (HttpsURLConnection) new URL(SNI_1_URL).openConnection();
    SSLContext ssl = SSLContext.getInstance("TLS");
    ssl.init(null, null, null);
    c.setSSLSocketFactory(ssl.getSocketFactory());

(here, SNI_1_URL is https://wares.commonsware.com/test.json, a URL on a server of mine that is equipped with SNI)

By "works fine", the HttpsURLConnection successfully retrieves the JSON.

However, wrapping that in a TlsOnlySocketFactory introduces the problem:

    HttpsURLConnection c = (HttpsURLConnection) new URL(SNI_1_URL).openConnection();
    SSLContext ssl = SSLContext.getInstance("TLS");
    ssl.init(null, null, null);
    c.setSSLSocketFactory(new TlsOnlySocketFactory(ssl.getSocketFactory(), true));

Given that the error suggests a problem in hostname validation, the notes in the JavaDocs for SSLCertificateSocketFactory (http://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html) may be relevant:

"Most SSLSocketFactory implementations do not verify the server's identity, allowing man-in-the-middle attacks. This implementation does check the server's certificate hostname, but only for createSocket variants that specify a hostname. When using methods that use InetAddress or which return an unconnected socket, you MUST verify the server's identity yourself to ensure a secure connection.

"One way to verify the server's identity is to use getDefaultHostnameVerifier() to get a HostnameVerifier to verify the certificate hostname."

However, I don't know much about the implementation of TlsOnlySocketFactory and whether those notes are relevant.
--
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy

_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: guardian-dev-unsubscr...@lists.mayfirst.org
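The failure mode Mark describes (a delegating SSLSocketFactory that breaks connections to SNI hosts, plus the SSLCertificateSocketFactory note that only the hostname-taking createSocket variants check the peer name) can be illustrated with a wrapper that deliberately keeps both properties. The class below is an added example written for this thread; it is not NetCipher's TlsOnlySocketFactory and not code from the original message. It targets the plain JDK (Java 8+), where SNIHostName and SSLParameters.setEndpointIdentificationAlgorithm are available; on Android 4.3 through 5.1 those classes are absent, so it does not reproduce the Android-specific behaviour, it only shows what a wrapper has to forward so that SNI and hostname verification survive. The class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical TLS-only wrapper (not NetCipher's TlsOnlySocketFactory).
 * Every createSocket variant that receives a hostname forwards it to the
 * delegate unchanged and re-applies SNI plus HTTPS endpoint identification,
 * so neither is lost on the way through the wrapper.
 */
public class SniPreservingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public SniPreservingSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Restrict protocols to TLS and, when a name is known, pin SNI and hostname checks to it. */
    private SSLSocket harden(Socket s, String host) {
        SSLSocket ssl = (SSLSocket) s;
        List<String> tlsOnly = new ArrayList<>();
        for (String p : ssl.getSupportedProtocols()) {
            if (p.startsWith("TLS")) tlsOnly.add(p);   // drops SSLv3 / SSLv2Hello if offered
        }
        ssl.setEnabledProtocols(tlsOnly.toArray(new String[0]));
        if (host != null) {
            SSLParameters params = ssl.getSSLParameters();
            params.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            params.setEndpointIdentificationAlgorithm("HTTPS"); // JSSE verifies the cert name for us
            ssl.setSSLParameters(params);
        }
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // HttpsURLConnection uses this variant and passes the URL host: forward it, never drop it.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose), host);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port), host);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort), host);
    }
    // InetAddress variants carry no name: no SNI is possible and, as the quoted javadoc warns,
    // the caller must verify the server identity itself (e.g. with a HostnameVerifier).
    @Override public Socket createSocket(InetAddress address, int port) throws IOException {
        return harden(delegate.createSocket(address, port), null);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort), null);
    }

    /** Same shape as the snippet in the mail: fetch a URL through the wrapper, return the HTTP status. */
    public static int fetchStatus(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(new SniPreservingSocketFactory(ctx.getSocketFactory()));
        c.connect();
        return c.getResponseCode();   // 200 for the SNI-only host; a name mismatch throws before this
    }

    public static void main(String[] args) throws Exception {
        // SNI_1_URL from the thread; any other SNI-only HTTPS host works the same way
        System.out.println(fetchStatus("https://wares.commonsware.com/test.json"));
    }
}
```

When reviewing a wrapper like NetCipher's, the two things to check are that the createSocket(Socket, String, int, boolean) override forwards the hostname rather than routing through an InetAddress variant, and that whatever the wrapper does to the socket afterwards does not reset the parameters the delegate already set. On Android, where SNIHostName does not exist on the affected releases, the platform-specific equivalent is SSLCertificateSocketFactory.setHostname(Socket, String) (API 17+), which sets the SNI name on a socket produced by that factory.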