HttpClient generates SSLException after acquiring new domain name


Problem description

Recently I acquired a new domain name to use with an existing Android application. I also bought an SSL certificate from a trusted CA (Comodo). When I browse to the new domain with a web browser, everything works as expected - no errors about the SSL certificate. Same with HttpUrlConnection, but for some reason Apache's HttpClient generates an SSLException:

javax.net.ssl.SSLException: hostname in certificate didn't match: my.new.domain != my.old.domain OR my.old.domain

What's more interesting, some of the devices that I tried with worked fine for about a week after the change, and stopped working after that. Other devices stopped working right away.

If I use the old domain name in the client code, everything works correctly.

I'm using version 4.3.3 from here of the HttpClient for Android. I realize that converting to HttpUrlConnection would indeed solve my problem, but I'm interested in WHY this is happening - from where does the HttpClient pick up the old domain name? Is it some misconfiguration on the server, or does Apache's HttpClient have some sort of internal DNS cache? Testing with a fresh emulator instance raised the same exception, so the problem is not related to caching.

My own investigations got stuck - all I could find were instructions for disabling hostname verification completely, or instructions for self-signed certificates.

Answer

That's probably because Apache HttpClient does not support SNI (server name indication), which is what lets you have multiple certificates behind the same IP address. This means that it does not send the target hostname inside the SSL handshake, so the server has only the target IP address to decide which certificate it should use, and it just uses the default certificate for that IP - which is probably the wrong one.
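The mechanism the answer describes, reproduced end to end as an added example (this is not code from the question, the answer, or the HttpClient project). It uses Go's standard library only: two constructed self-signed certificates stand in for the old and new Comodo certificates, a hypothetical loopback server holds both behind one IP:port and picks by the ClientHello's server_name, and two client handshakes are made against it, one sending SNI and one sending none (the behaviour the answer attributes to HttpClient 4.3.3). Chain validation is skipped because the demo certificates are self-signed; the hostname check that produced the exception in the question is then done explicitly on whichever certificate the server chose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what one TLS handshake observed.
type Result struct {
	ServedFor  []string // DNS names in the certificate the server actually sent
	HostnameOK bool     // true if that certificate is valid for the name we wanted
}

// selfSigned creates a throwaway self-signed certificate for one DNS name
// (constructed test material standing in for the real CA-issued certificate).
func selfSigned(dnsName string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on loopback (hypothetical server, not the asker's) with two
// certificates behind one address. GetCertificate sees the ClientHello: SNI for
// newName selects newCert; anything else, including no SNI at all, gets the
// default oldCert, exactly the fallback the answer describes.
func startServer(oldCert, newCert tls.Certificate, newName string) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == newName {
				return &newCert, nil
			}
			return &oldCert, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // complete the handshake, then hang up
			}(c)
		}
	}()
	return ln, nil
}

// probe handshakes with addr. sni == "" reproduces a client that sends no
// server_name extension. The hostname check on the served certificate is what
// the SSLException in the question corresponds to.
func probe(addr, sni, wantName string) (Result, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // demo only: self-signed certs; hostname is checked below
	})
	if err != nil {
		return Result{}, err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	return Result{
		ServedFor:  leaf.DNSNames,
		HostnameOK: leaf.VerifyHostname(wantName) == nil,
	}, nil
}

// runDemo performs both handshakes against the same IP:port and returns what
// the SNI-capable client and the SNI-less client each saw.
func runDemo(oldName, newName string) (withSNI, withoutSNI Result, err error) {
	oldCert, err := selfSigned(oldName, 1)
	if err != nil {
		return
	}
	newCert, err := selfSigned(newName, 2)
	if err != nil {
		return
	}
	ln, err := startServer(oldCert, newCert, newName)
	if err != nil {
		return
	}
	defer ln.Close()
	if withSNI, err = probe(ln.Addr().String(), newName, newName); err != nil {
		return
	}
	withoutSNI, err = probe(ln.Addr().String(), "", newName)
	return
}

func main() {
	withSNI, withoutSNI, err := runDemo("my.old.domain", "my.new.domain")
	if err != nil {
		panic(err)
	}
	fmt.Printf("with SNI:    served %v, hostname ok=%v\n", withSNI.ServedFor, withSNI.HostnameOK)
	fmt.Printf("without SNI: served %v, hostname ok=%v\n", withoutSNI.ServedFor, withoutSNI.HostnameOK)
}
```

Against a real server the same comparison can be made with `openssl s_client -connect my.new.domain:443 -servername my.new.domain` versus the same command without `-servername`: if the subject or SAN of the certificate printed differs between the two, the server is relying on SNI and an SNI-less client will always receive the default certificate for that IP. Note that the "disable hostname verification" advice the asker kept finding would make the app silently accept that wrong certificate rather than fix anything; the remedies consistent with the answer are an SNI-capable client (HttpUrlConnection, as the asker already observed) or making the new domain's certificate the server's default for that IP.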
