On Wed, Feb 24, 2016, at 15:12, Hans-Christoph Steiner wrote:
> When using NetCipher 1.2's getHttpURLConnection() method to get a nicely
> configured TLS connection, it fails on sites that use SNI HTTPS aliases:

I can reproduce the problem on Android 4.3 through 5.1, but not Android
6.0.

The problem is tied to TlsOnlySocketFactory. This code works fine:

    // Plain SSLContext socket factory, no wrapper: SNI works on the test host
    HttpsURLConnection c=
      (HttpsURLConnection)new URL(SNI_1_URL).openConnection();

    SSLContext ssl=SSLContext.getInstance("TLS");

    ssl.init(null, null, null);
    c.setSSLSocketFactory(ssl.getSocketFactory());

(here, SNI_1_URL is https://wares.commonsware.com/test.json, a URL on a
server of mine that is equipped with SNI)

By "works fine", I mean that the HttpsURLConnection successfully retrieves the JSON.

However, wrapping that in a TlsOnlySocketFactory introduces the problem:

    // Same setup, but the factory is wrapped in TlsOnlySocketFactory
    HttpsURLConnection c=
      (HttpsURLConnection)new URL(SNI_1_URL).openConnection();
    SSLContext ssl=SSLContext.getInstance("TLS");

    ssl.init(null, null, null);
    c.setSSLSocketFactory(
      new TlsOnlySocketFactory(ssl.getSocketFactory(), true));

Given that the error suggests a problem in hostname validation, the
notes in the JavaDocs for SSLCertificateSocketFactory
(http://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html)
may be relevant:

"Most SSLSocketFactory implementations do not verify the server's
identity, allowing man-in-the-middle attacks. This implementation does
check the server's certificate hostname, but only for createSocket
variants that specify a hostname. When using methods that use
InetAddress or which return an unconnected socket, you MUST verify the
server's identity yourself to ensure a secure connection.

"One way to verify the server's identity is to use
getDefaultHostnameVerifier() to get a HostnameVerifier to verify the
certificate hostname. "

However, I don't know much about the implementation of
TlsOnlySocketFactory and whether those notes are relevant.

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
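As an added illustration of the JavaDoc advice quoted above (this is not NetCipher's TlsOnlySocketFactory and not code from the original mail), a hypothetical delegating SSLSocketFactory that keeps the hostname-bearing createSocket variants and checks the handshake result against that hostname with HttpsURLConnection.getDefaultHostnameVerifier(); the InetAddress-only variants are passed through, since there is no hostname to check.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical wrapper, not NetCipher code: delegates socket creation and, for the
// createSocket variants that carry a hostname, verifies the handshake session against
// that hostname. Variants taking only an InetAddress are passed through unchanged,
// so (per the quoted JavaDoc) the caller must verify the server identity itself.
public final class HostnameCheckingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();

    public HostnameCheckingSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    // Forces the handshake so the peer certificate is available, then rejects the
    // socket if the certificate does not match the requested host.
    private Socket verified(Socket s, String host) throws IOException {
        SSLSocket ssl = (SSLSocket) s;
        ssl.startHandshake();
        if (!verifier.verify(host, ssl.getSession())) {
            ssl.close();
            throw new SSLPeerUnverifiedException("certificate does not match " + host);
        }
        return ssl;
    }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException {
        return verified(delegate.createSocket(s, host, port, autoClose), host);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return verified(delegate.createSocket(host, port), host);
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort)
            throws IOException {
        return verified(delegate.createSocket(host, port, local, localPort), host);
    }
    @Override public Socket createSocket(InetAddress addr, int port) throws IOException {
        return delegate.createSocket(addr, port);  // no hostname: identity not checked here
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress local, int localPort)
            throws IOException {
        return delegate.createSocket(addr, port, local, localPort);
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

HttpsURLConnection still applies its own HostnameVerifier after the handshake; this wrapper only makes the check explicit for code that uses the factory directly.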
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev