Looks like it's not supported properly when using Apache's httpclient5. But when using HttpsURLConnection, SNI is supported since Android 2.3. So it looks like I have found a solution (more GH issue). Thank you for leading me to the right track.

https://developer.android.com/training/articles/security-ssl#CommonProblems

On Thu, Sep 17, 2020 at 5:27 PM Chris Umphress <umphr...@gmail.com> wrote:

> If you pull the SSL certificate for an IP address, the server typically
> sends you the default, configured certificate.
>
> I am curious about why Android 5 would request the certificate by IP
> address only. Does it not support the Server Name Indication?:
>
> http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
>
> Chris Umphress
>
>
> On Thu, 17 Sep 2020 16:19:25 +0300
> Tuomas Airaksinen <tuomas.airaksi...@gmail.com> wrote:
>
> > When I type
> >
> > host crosswire.org it gives me ip 209.250.6.226.
> >
> > When I fetch ssl cert for that ip (openssl s_client -connect
> > 209.250.6.226:443), it gives cert with CN www.ancc-gan.de.
> >
> > This confuses And Bible on Android 5 (lollipop), as host name checking will
> > fail to
> >
> > javax.net.ssl.SSLPeerUnverifiedException: Certificate for <crosswire.org>
> > doesn't match any of the subject alternative names: [www.ancc-gan.de]
> >
> > In more recent Android versions it works properly.
> >
> > Now for Android 5 I have made exception such that host name verification is
> > bypassed, but that's not neat nor secure.
> >
> > --
> > T: Tuomas
> _______________________________________________
> sword-devel mailing list: sword-devel@crosswire.org
> http://crosswire.org/mailman/listinfo/sword-devel
> Instructions to unsubscribe/change your settings at above page

--
T: Tuomas