Android Ssl - Sni Support

Why does android get the wrong ssl certificate? (two domains, one server)

The most likely cause for this problem is that the server uses Server Name Indication to choose which certificate to send. If the client doesn't support SNI, the server cannot choose which certificate to send during the SSL/TLS handshake (before any HTTP traffic is sent). SNI is required when you want to use multiple certificates on the same IP address and port, but not all clients support it (notoriously, IE on any version of Windows XP, and a number of mobile browsers).

You're also visibly using the Apache HTTP Client library (not HttpsURLConnection, for which there can be SNI support with some Android versions.
Support for SNI in the Apache HTTP Client library is quite recent, and certainly hasn't made it into the Android stack.

You may find the workaround described in this article useful (although it seems only to work for Android 4.2+).

Another two options would be:

  • to use a distinct IP address for each host (so as not to need SNI), if you're in control of server, or
  • to use another HTTP Client library (e.g. HttpsURLConnection).

How Do We Enable SNI in HttpClient 4.4+ on Android?

Try using this version of SSLConnectionSocketFactory instead of the one shipped with Marek Sebera's fork of HttpClient. It contains this Andriod specific bit of code. Last time I tested SNI with the official Apache port of HttpClient 4.3 it worked just fine.

// Android specific code to enable SNI
if (Log.isLoggable(TAG, Log.DEBUG)) {
Log.d(TAG, "Enabling SNI for " + target);
try {
Method method = sslsock.getClass().getMethod("setHostname", String.class);
method.invoke(sslsock, target);
} catch (Exception ex) {
if (Log.isLoggable(TAG, Log.DEBUG)) {
Log.d(TAG, "SNI configuration failed", ex);
// End of Android specific code

Related Topics

Leave a reply