我们如何在 Android 上的 HttpClient 4.4+ 中启用 SNI? [英] How Do We Enable SNI in HttpClient 4.4+ on Android?

问题描述

我正在尝试制定在现代版本的 Android 上使用 SNI 和主要 HTTP 堆栈的方法.这包括 Apache 的单独 HttpClient 库(不是嵌入到 Android 本身的版本，它已经死了，已经消失了).

I am trying to work out recipes for using SNI with major HTTP stacks on modern versions of Android. This includes Apache's separate HttpClient library (not the version baked into Android itself, which is dead and gone).

最近版本的 HttpClient 似乎不支持开箱即用的 SNI.当我使用 'cz.msebera.android:httpclient:4.4.1.1' 工件时，我得到:

It appears that recent versions of HttpClient do not support SNI out of the box. When I use the 'cz.msebera.android:httpclient:4.4.1.1' artifact, I get:

javax.net.ssl.SSLPeerUnverifiedException: Host name '...' does not match the certificate subject provided by the peer (CN=...)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:466)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)

(主机名用 ... 编辑)

这个 HttpClient 问题 有一些代码旨在解决这个问题.但是，具体如何使用并不清楚.此堆栈溢出答案 对实现有所帮助.但是，这反过来又会因等效的异常而崩溃:

This HttpClient issue has some code that purports to address this. However, it is not clear exactly how to use it. This Stack Overflow answer helps a bit with an implementation. However, that in turn crashes with an equivalent exception:

javax.net.ssl.SSLPeerUnverifiedException: Host name '' does not match the certificate subject provided by the peer (CN=...)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:466)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)

这并不让我感到惊讶.建议的解决方法(用空字符串替换真实主机名)让我觉得很奇怪.

This does not surprise me. The proposed workaround (replace the real host name with the empty string) struck me as rather odd.

这个堆栈溢出问题和-回答基本上是说使用 Java 1.7"，这对于 Android 来说不是一个可行的选择.

This Stack Overflow question-and-answer basically say "use Java 1.7", which is not a viable option for Android.

那么，有没有人想出在 Android 兼容的 HttpClient 4.4+ 环境中启用 SNI 的方法?

So, has anyone worked out a recipe for enabling SNI with an Android-compatible HttpClient 4.4+ environment?

推荐答案

尝试使用这个版本的 SSLConnectionSocketFactory 而不是 Marek Sebera 的 HttpClient 分支附带的那个.它包含这段 Andriod 特定的代码.上次我用 HttpClient 4.3 的官方 Apache 端口测试 SNI 时，它工作得很好.

Try using this version of SSLConnectionSocketFactory instead of the one shipped with Marek Sebera's fork of HttpClient. It contains this Andriod specific bit of code. Last time I tested SNI with the official Apache port of HttpClient 4.3 it worked just fine.

// Android specific code to enable SNI
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
    if (Log.isLoggable(TAG, Log.DEBUG)) {
        Log.d(TAG, "Enabling SNI for " + target);
    }
    try {
        Method method = sslsock.getClass().getMethod("setHostname", String.class);
        method.invoke(sslsock, target);
    } catch (Exception ex) {
        if (Log.isLoggable(TAG, Log.DEBUG)) {
            Log.d(TAG, "SNI configuration failed", ex);
        }
    }
}
// End of Android specific code

这篇关于我们如何在 Android 上的 HttpClient 4.4+ 中启用 SNI?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！