[sword-devel] SSL mystery @ crosswire.org

Tuomas Airaksinen tuomas.airaksinen at gmail.com
Thu Sep 17 11:34:22 EDT 2020


Looks like it's not supported properly when using Apache's httpclient5. But
when using HttpsURLConnection, SNI is supported since Android 2.3.
So it looks like I have found a solution (more GH issue). Thank you for
leading me to the right track.

https://developer.android.com/training/articles/security-ssl#CommonProblems



On Thu, Sep 17, 2020 at 5:27 PM Chris Umphress <umphress at gmail.com> wrote:

> If you pull the SSL certificate for an IP address, the server typically
> sends you the default, configured certificate.
>
> I am curious about why Android 5 would request the certificate by IP
> address only. Does it not support the Server Name Indication?:
>
>
> http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
>
> Chris Umphress
>
>
> On Thu, 17 Sep 2020 16:19:25 +0300
> Tuomas Airaksinen <tuomas.airaksinen at gmail.com> wrote:
>
> > When I type
> >
> > host crosswire.org it gives me ip 209.250.6.226.
> >
> > When I fetch ssl cert for that ip (openssl s_client -connect
> > 209.250.6.226:443), it gives cert with CN www.ancc-gan.de.
> >
> > This confuses And Bible on Android 5 (lollipop), as host name checking will
> > fail to
> >
> >  javax.net.ssl.SSLPeerUnverifiedException: Certificate for <crosswire.org>
> > doesn't match any of the subject alternative names: [www.ancc-gan.de]
> >
> > In more recent Android versions it works properly.
> >
> > Now for Android 5 I have made exception such that host name verification is
> > bypassed, but that's not neat nor secure.
> >
> > --
> > T: Tuomas


-- 
T: Tuomas