-2

Recently I acquired a new domain name to use with an existing Android application. I also bought an SSL certificate from a trusted CA (Comodo). When I browse to the new domain with a web browser, everything works as expected - no errors about the SSL certificate. Same with HttpUrlConnection, but for some reason Apache's HttpClient generates an SSLException:

javax.net.ssl.SSLException: hostname in certificate didn't match: my.new.domain != my.old.domain OR my.old.domain

What's more interesting, some of the devices that I tried with worked fine for about a week after the change, and stopped working after that. Other devices stopped working right away.

If I use the old domain name in client code, everything works correctly.

I'm using version 4.3.3 from here of the HttpClient for Android. I realize that converting to HttpUrlConnection would indeed solve my problem, but I'm interested in WHY this is happening - from where does the HttpClient pick up the old domain name? Is it some misconfiguration on the server, or does Apache's HttpClient have some sort of internal DNS cache? Testing with a fresh emulator instance raised the same exception, so the problem is not related to caching.

My own investigations got stuck - all I could find was instructions for disabling hostname verification completely, or instructions for self-signed certificates.

1615903
  • Try running your test app on a newly-created emulator instance. If you get the same error, the problem exists on your Web server somewhere, as by definition neither Android nor HttpClient could possibly be caching your old domain name when neither had requested it before. – CommonsWare Jul 22 '14 at 12:05
  • Just tested with a fresh emulator instance, getting the same exception. – 1615903 Jul 22 '14 at 13:14
  • Can you try hitting the site with the stock version of Apache HttpClient 4.3.x and Oracle JRE 1.7? – ok2c Jul 22 '14 at 13:24
  • This question is being discussed in [meta](http://meta.stackoverflow.com/questions/326162/what-is-wrong-with-my-question) – M D Jun 15 '16 at 07:10

1 Answer

0

That's probably because Apache HttpClient does not support SNI (server name indication), where you can have multiple certificates behind the same IP address. This means that it does not send the target hostname inside the SSL handshake, and thus the server has only the target IP address to decide which certificate it should use and just uses the default certificate for the IP - which is probably the wrong one.

Steffen Ullrich
  • This statement is incorrect. Apache HttpClient for Android supports SNI as well as the stock Apache HttpClient as of version 4.3.2 – ok2c Jul 22 '14 at 13:21
  • My information is from multiple posts on stackoverflow where people stumbled over the same question. Also, on http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache-httpclient I've found that the support is only available on Oracle's Java 7 and not on Android's Java flavor. – Steffen Ullrich Jul 22 '14 at 13:32
  • The blog clearly refers to 4.0-alpha shipped with Android platform, whereas the OP is using the official re-spin of Apache HttpClient 4.3 for Android. – ok2c Jul 22 '14 at 13:44
  • You are right. Then maybe the Android version is too old. If I understand http://mail-archives.apache.org/mod_mbox/hc-commits/201403.mbox/%3C20140306135337.14AA623888D7@eris.apache.org%3E correctly SNI is only enabled on Android >=4.2. – Steffen Ullrich Jul 22 '14 at 14:12
  • This is actually very likely – ok2c Jul 22 '14 at 14:30
  • Thanks for pointing out SNI, this was totally new to me. I have now started to doubt if the app actually uses the 4.3.3 version that I have put in the libs, since I have tested with Android 4.3.x and 4.4.x and still see the same exception. – 1615903 Jul 23 '14 at 05:29
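Added example (not code from the question, the answer or any commenter) that models the certificate selection the answer describes: with SNI the server picks the certificate for the requested name, without it the IP's default certificate is used and hostname verification produces exactly the message quoted in the question. It assumes Python 3; the host names are the question's placeholders, the certificate dicts are constructed in the shape `ssl.getpeercert()` returns, and `fetch_cert()` is an assumed helper for checking a live server with and without SNI.

```python
import socket
import ssl
from typing import Optional


def cert_names(cert: dict) -> list:
    """DNS names a certificate claims: SAN dNSNames first, then the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names + [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or one wildcard covering the leftmost label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def verify(host: str, cert: dict) -> Optional[str]:
    """None if the cert covers host, else an error phrased like HttpClient's."""
    names = cert_names(cert)
    if any(name_matches(n, host) for n in names):
        return None
    return f"hostname in certificate didn't match: {host} != {' OR '.join(names)}"


def fetch_cert(host: str, port: int = 443, send_sni: bool = True) -> dict:
    """Live check: the certificate a server presents with or without SNI."""
    ctx = ssl.create_default_context()
    if not send_sni:
        ctx.check_hostname = False  # no name is sent, so only the name check is skipped; chain validation stays
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


# Constructed certificates modelled on the question (not captured from any server): the IP's
# default certificate still names the old domain; the new one is only chosen when SNI carries its name.
OLD_CERT = {"subject": ((("commonName", "my.old.domain"),),), "subjectAltName": (("DNS", "my.old.domain"),)}
NEW_CERT = {"subject": ((("commonName", "my.new.domain"),),), "subjectAltName": (("DNS", "my.new.domain"),)}
CERTS_BY_SNI = {"my.new.domain": NEW_CERT, "my.old.domain": OLD_CERT}


def simulate(host: str, send_sni: bool) -> Optional[str]:
    """Server picks by SNI name, else falls back to the IP's default certificate."""
    chosen = CERTS_BY_SNI.get(host, OLD_CERT) if send_sni else OLD_CERT
    return verify(host, chosen)
```

Comparing `cert_names(fetch_cert(host, send_sni=True))` with `cert_names(fetch_cert(host, send_sni=False))` against a real server tells you whether its certificate choice depends on SNI, which is the server-side condition the answer points at.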