[sword-devel] SSL mystery @ crosswire.org

Chris Umphress umphress at gmail.com
Thu Sep 17 10:23:40 EDT 2020


If you pull the SSL certificate for an IP address, the server typically
sends you the default, configured certificate.

I am curious about why Android 5 would request the certificate by IP
address only. Does it not support Server Name Indication?

http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html

Chris Umphress


On Thu, 17 Sep 2020 16:19:25 +0300
Tuomas Airaksinen <tuomas.airaksinen at gmail.com> wrote:

> When I type
> 
> host crosswire.org it gives me ip 209.250.6.226.
> 
> When I fetch ssl cert for that ip (openssl s_client -connect
> 209.250.6.226:443), it gives cert with CN www.ancc-gan.de.
> 
> This confuses And Bible on Android 5 (lollipop), as host name checking will
> fail to
> 
>  javax.net.ssl.SSLPeerUnverifiedException: Certificate for <crosswire.org>
> doesn't match any of the subject alternative names: [www.ancc-gan.de]
> 
> In more recent Android versions it works properly.
> 
> Now for Android 5 I have made exception such that host name verification is
> bypassed, but that's not neat nor secure.
> 
> -- 
> T: Tuomas

