HttpClient generates SSLException after acquiring new domain name


Problem description

Recently I acquired a new domain name to use with an existing Android application. I also bought an SSL certificate from a trusted CA (Comodo). When I browse to the new domain with a web browser, everything works as expected - no errors about the SSL certificate. Same with HttpUrlConnection, but for some reason Apache's HttpClient generates an SSLException:

javax.net.ssl.SSLException: hostname in certificate didn't match: my.new.domain != my.old.domain OR my.old.domain

What's more interesting, some of the devices that I tried with worked fine for about a week after the change, and stopped working after that. Other devices stopped working right away.

If I use the old domain name in the client code, everything works correctly.

I'm using version 4.3.3 from here of the HttpClient for Android. I realize that converting to HttpUrlConnection would indeed solve my problem, but I'm interested in WHY this is happening - from where does the HttpClient pick up the old domain name? Is it some misconfiguration on the server, or does Apache's HttpClient have some sort of internal DNS cache? Testing with a fresh emulator instance raised the same exception, so the problem is not related to caching.

My own investigations got stuck - all I could find were instructions for disabling hostname verification completely, or instructions for self-signed certificates.

Recommended answer

That's probably because Apache HttpClient does not support SNI (Server Name Indication), which lets you have multiple certificates behind the same IP address. This means that it does not send the target hostname inside the SSL handshake, and thus the server has only the target IP address to decide which certificate it should use and just uses the default certificate for the IP - which is probably the wrong one.
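To confirm the diagnosis in the answer above, the useful check is to compare what the server presents with and without SNI against the hostname the client expects. The following Python script is an added example, not part of the original question or answer: `fetch_peer_cert` is an assumed live probe (it needs network access), and the two certificate dicts are constructed samples in the shape of `ssl.SSLSocket.getpeercert()`, using the page's placeholder names my.old.domain and my.new.domain.

```python
import socket
import ssl

# Constructed samples mimicking the page's scenario: the server's default (no-SNI)
# certificate is the old domain's, the SNI-selected certificate is the new domain's.
OLD_DEFAULT_CERT = {"subject": ((("commonName", "my.old.domain"),),),
                    "subjectAltName": (("DNS", "my.old.domain"), ("DNS", "www.my.old.domain"))}
NEW_SNI_CERT = {"subject": ((("commonName", "my.new.domain"),),),
                "subjectAltName": (("DNS", "my.new.domain"), ("DNS", "*.my.new.domain"))}


def cert_dns_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries, else the CN as fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def diagnose(hostname, cert_without_sni, cert_with_sni):
    """Classify the server's behaviour for the hostname the client will verify against."""
    no_sni_ok = cert_covers(cert_without_sni, hostname)
    sni_ok = cert_covers(cert_with_sni, hostname)
    if sni_ok and not no_sni_ok:
        return "client-needs-sni"      # the HttpClient 4.3.x symptom described on this page
    if sni_ok and no_sni_ok:
        return "ok"
    return "server-misconfigured"      # the right certificate is not served even with SNI


def fetch_peer_cert(hostname, port=443, use_sni=True):
    """Assumed live probe: the certificate the server sends with or without SNI.
    Chain validation stays on (an untrusted default cert raises SSLCertVerificationError);
    only hostname checking is skipped here because this code inspects the names itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if use_sni else None) as tls:
            return tls.getpeercert()
```

Run `diagnose("my.new.domain", fetch_peer_cert("my.new.domain", use_sni=False), fetch_peer_cert("my.new.domain"))` against the real server; "client-needs-sni" means the server is fine and the client library is the problem.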
