我们如何在Android的HttpClient 4.4+中启用SNI?

本文介绍了我们如何在Android的HttpClient 4.4+中启用SNI?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在尝试制定在现代版本的Android上将SNI与主要HTTP堆栈结合使用的方法.这包括Apache的单独的HttpClient库( not 嵌入到Android本身的版本，该版本已经死了).

I am trying to work out recipes for using SNI with major HTTP stacks on modern versions of Android. This includes Apache's separate HttpClient library (not the version baked into Android itself, which is dead and gone).

似乎HttpClient的最新版本不支持开箱即用的SNI.当我使用'cz.msebera.android:httpclient:4.4.1.1'工件时，我得到:

It appears that recent versions of HttpClient do not support SNI out of the box. When I use the 'cz.msebera.android:httpclient:4.4.1.1' artifact, I get:

javax.net.ssl.SSLPeerUnverifiedException: Host name '...' does not match the certificate subject provided by the peer (CN=...)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:466)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)

(用...修改的主机名)

此HttpClient问题具有一些旨在解决此问题的代码.但是，目前尚不清楚如何使用它. 此堆栈溢出"答案对实现有帮助.但是，这又崩溃了，并带有一个等效的异常:

This HttpClient issue has some code that purports to address this. However, it is not clear exactly how to use it. This Stack Overflow answer helps a bit with an implementation. However, that in turn crashes with an equivalent exception:

javax.net.ssl.SSLPeerUnverifiedException: Host name '' does not match the certificate subject provided by the peer (CN=...)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:466)
at cz.msebera.android.httpclient.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)

这并不令我惊讶.提议的解决方法(用空字符串替换真实的主机名)使我感到很奇怪.

This does not surprise me. The proposed workaround (replace the real host name with the empty string) struck me as rather odd.

此堆栈溢出问题和-答案基本上说使用Java 1.7"，这对于Android来说不是一个可行的选择.

This Stack Overflow question-and-answer basically say "use Java 1.7", which is not a viable option for Android.

那么，有没有人制定出在兼容Android的HttpClient 4.4+环境中启用SNI的秘诀?

So, has anyone worked out a recipe for enabling SNI with an Android-compatible HttpClient 4.4+ environment?

推荐答案

尝试使用此版本的 SSLConnectionSocketFactory ，而不是Marek Sebera的HttpClient分支附带的版本.它包含特定于Andriod的代码.上一次我使用HttpClient 4.3的官方Apache端口测试SNI时，它工作得很好.

Try using this version of SSLConnectionSocketFactory instead of the one shipped with Marek Sebera's fork of HttpClient. It contains this Andriod specific bit of code. Last time I tested SNI with the official Apache port of HttpClient 4.3 it worked just fine.

// Android specific code to enable SNI
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
    if (Log.isLoggable(TAG, Log.DEBUG)) {
        Log.d(TAG, "Enabling SNI for " + target);
    }
    try {
        Method method = sslsock.getClass().getMethod("setHostname", String.class);
        method.invoke(sslsock, target);
    } catch (Exception ex) {
        if (Log.isLoggable(TAG, Log.DEBUG)) {
            Log.d(TAG, "SNI configuration failed", ex);
        }
    }
}
// End of Android specific code

这篇关于我们如何在Android的HttpClient 4.4+中启用SNI?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！