Apache HTTP Client and SNI

  • As per https://developer.android.com/training/articles/security-ssl.html#SelfSigned

    "Unfortunately this can happen for another reason as well: virtual hosting. When sharing a server for more than one hostname with HTTP, the web server can tell from the HTTP/1.1 request which target hostname the client is looking for. Unfortunately this is complicated with HTTPS, because the server has to know which certificate to return before it sees the HTTP request. To address this problem, newer versions of SSL, specifically TLSv.1.0 and later, support Server Name Indication (SNI), which allows the SSL client to specify the intended hostname to the server so the proper certificate can be returned.

    Fortunately, HttpsURLConnection supports SNI since Android 2.3. Unfortunately, Apache HTTP Client does not, which is one of the many reasons we discourage its use. One workaround if you need to support Android 2.2 (and older) or Apache HTTP Client is to set up an alternative virtual host on a unique port so that it’s unambiguous which server certificate to return."

    Any idea if a change from Apache HTTP to HttpsURLConnection will occur?

  • developer

    Any idea if a change from Apache HTTP to HttpsURLConnection will occur?

    Impossible. I used HttpsURLConnection in the beginning, only to discover that it doesn’t support required HTTP verbs like PROPFIND and REPORT.

    However, SNI support is available in DAVdroid (except for the rare case of HTTPS proxies), so what’s the problem?

  • developer

  • Thanks.
