Add SNI Fix #7

Closed
commonsguy opened this issue Mar 4, 2016 · 7 comments

@commonsguy

This 4.3.5.1 edition of SSLSocketConnectionFactory has a code snippet that enables SNI support on Android:

// Android specific code to enable SNI
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
    if (Log.isLoggable(TAG, Log.DEBUG)) {
        Log.d(TAG, "Enabling SNI for " + target);
    }
    try {
        Method method = sslsock.getClass().getMethod("setHostname", String.class);
        method.invoke(sslsock, target);
    } catch (Exception ex) {
        if (Log.isLoggable(TAG, Log.DEBUG)) {
            Log.d(TAG, "SNI configuration failed", ex);
        }
    }
}
// End of Android specific code

It would be cool if this were in your build as well. Based on some experiments, it seems to work, when placed in the equivalent spot in a 4.4.1-based edition of SSLSocketConnectionFactory.

Thanks!

@ok2c

ok2c commented Mar 4, 2016

+1 from me

@smarek
Owner

smarek commented Mar 4, 2016

Thank you, I'll do some test cases and update respective builds.

@smarek smarek self-assigned this Mar 4, 2016
@smarek smarek added the bug label Mar 4, 2016
@smarek smarek added this to the next milestone Mar 4, 2016
@smarek
Owner

smarek commented Apr 2, 2016

@commonsguy I was able to verify that the patch works. In patched tag (branch v4.3.x) v4.3.6.1 you can see the first application.

Also due to patch being applied only to SSLConnectionSocketFactory, solutions using deprecated SSLSocketFactory will still fail to provide SNI support.

Test case I've used to verify

public final class SSLTask extends AsyncTask<Void, Void, Void> {
    public static final String TAG = "SSLTask";

    @Override
    protected Void doInBackground(Void... params) {
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", SSLConnectionSocketFactory.getSocketFactory())
                .build();
        HttpClientConnectionManager cm = new BasicHttpClientConnectionManager(registry);
        CloseableHttpClient cl = HttpClientBuilder.create()
                .setSSLSocketFactory(SSLConnectionSocketFactory.getSocketFactory())
                .setConnectionManager(cm)
                .build();
        try {
            CloseableHttpResponse resp = cl.execute(new HttpGet("https://alice.sni.velox.ch"));
            Log.d(TAG, resp.getStatusLine().getReasonPhrase());
            System.out.print(EntityUtils.toString(resp.getEntity()));
            resp.close();
        } catch (IOException e) {
            Log.e(TAG, "request error", e);
        }
        try {
            cl.close();
        } catch (IOException e) {
            Log.e(TAG, "close error", e);
        }
        return null;
    }
}

With response

<h2>TLS SNI Test Site: alice.sni.velox.ch</h2>
<p><strong>Great! Your client </strong>[Apache-HttpClient/UNAVAILABLE (java 1.5)] <strong> 
sent the following TLS server name indication extension
(<a href="http://www.rfc-editor.org/rfc/rfc6066.txt">RFC 6066</a>)
in its ClientHello </strong>(negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES128-GCM-SHA256)<strong>:</strong></p>
<pre>  <strong>alice.sni.velox.ch</strong></pre>
<p>In your request, this header was included:</p>
<pre>  Host: alice.sni.velox.ch</pre>

@smarek
Owner

smarek commented Apr 2, 2016

Same solution was ported to v3.4.x branch (94df6a1)

Closing this as fixed, thank you for contribution!

@smarek smarek closed this as completed Apr 2, 2016
@smarek
Owner

smarek commented Apr 2, 2016

Patch releases 4.4.1.2 and 4.3.6.1 were published to Maven Central minutes ago.

@commonsguy
Author

Great! I will give it a try in the coming weeks!

@miku-nyan

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {

Why jelly bean? Android supports SNI since gingerbread (2.3).

documentation:
http://developer.android.com/intl/ru/training/articles/security-ssl.html
source code:
https://android.googlesource.com/platform/libcore/+/android-2.3_r1/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java#1049
