Apache HttpClient generates SSLException after acquiring new domain name

Problem description

Recently I acquired a new domain name to use with an existing Android application. I also bought an SSL certificate from a trusted CA (Comodo). When I browse to the new domain with a web browser, everything works as expected - no errors about the SSL certificate. Same with HttpUrlConnection, but for some reason Apache's HttpClient generates an SSLException:

javax.net.ssl.SSLException: hostname in certificate didn't match: my.new.domain != my.old.domain OR my.old.domain

What's more interesting, some of the devices that I tried with worked fine for about a week after the change, and stopped working after that. Other devices stopped working right away.

If I use the old domain name in client code, everything works correctly.

I'm using version 4.3.3 from here of the HttpClient for Android. I realize that converting to HttpUrlConnection would indeed solve my problem, but I'm interested in WHY this is happening - from where does the HttpClient pick up the old domain name? Is it some misconfiguration on the server, or does Apache's HttpClient have some sort of internal DNS cache? Testing with a fresh emulator instance raised the same exception, so the problem is not related to caching.

My own investigations got stuck - all I could find was instructions for disabling hostname verification completely, or instructions for self-signed certificates.

Recommended answer

That's probably because Apache HttpClient does not support SNI (server name indication), where you can have multiple certificates behind the same IP address. This means that it does not send the target hostname inside the SSL handshake and thus the server has only the target IP address to decide which certificate it should use and just uses the default certificate for the IP - which is probably the wrong one.
