[guardian-dev] SNI with NetCipher's HttpsURLConnection

Hans-Christoph Steiner hans at guardianproject.info
Fri Mar 18 06:52:09 EDT 2016



Mark Murphy:
> On Wed, Mar 2, 2016, at 16:31, cketti wrote:
>> On 24.02.2016 21:12, Hans-Christoph Steiner wrote:
>>> Anyone have any pointers?  NetCipher should really fully support SNI.
>>
>> This might help: https://github.com/k9mail/k-9/pull/718
> 
> HttpClient has the same SNI problem, even without NetCipher. Their fix
> (https://wiki.apache.org/HttpComponents/SNISupport) is akin to yours.
> 
> I really dislike using reflection hacks for workarounds, but I'm
> guessing that there aren't other options here.
> 
> Thanks for pointing this out!

I think that using reflection to bring old platforms up to standard is
worth doing.  The risks of it breaking in the future are very low, since
the old platforms are unlikely to change, especially with Android, where
the lack of updates is the real problem.

In K-9, this situation is easier to do since they are just dealing with
direct SSLSocket instances.  With NetCipher, we're dealing with the HTTP
APIs, so for example, to change the SocketFactory with
HttpURLConnection, we have to provide an instance of SSLSocketFactory, i.e.:

   HttpsURLConnection.setSSLSocketFactory()

Also, to use the K-9 technique that does not use reflection,
TlsOnlySocketFactory will need to be a subclass of
SSLCertificateSocketFactory rather than SSLSocketFactory.  I think
that's probably the best approach.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
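The approach the message describes, an SSLSocketFactory built on the platform's SSLCertificateSocketFactory and handed to HttpsURLConnection.setSSLSocketFactory(), as an added illustration that is not NetCipher's or K-9's code: the class name SniSocketFactory and the install() helper are assumptions of mine, and it relies on SSLCertificateSocketFactory.setHostname(), which is public API only from Android API 17 onward.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import android.net.SSLCertificateSocketFactory;
import android.net.SSLSessionCache;
import android.os.Build;

/** Hypothetical wrapper: an SSLSocketFactory that enables SNI through SSLCertificateSocketFactory. */
public class SniSocketFactory extends SSLSocketFactory {
    private final SSLCertificateSocketFactory delegate;

    public SniSocketFactory(SSLSessionCache cache) {
        // Platform factory with its normal certificate validation; 0 = no handshake timeout.
        delegate = (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0, cache);
    }

    /** Installs the factory on one connection: the HttpsURLConnection hook the message refers to. */
    public static void install(HttpsURLConnection conn, SSLSessionCache cache) {
        conn.setSSLSocketFactory(new SniSocketFactory(cache));
    }

    private SSLSocket withSni(Socket s, String host) {
        SSLSocket ssl = (SSLSocket) s;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            delegate.setHostname(ssl, host); // public since API 17; sets the SNI name for this socket
        }
        // Earlier platforms have no public setter; that is where the reflection workaround applies.
        return ssl;
    }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException {
        return withSni(delegate.createSocket(s, host, port, autoClose), host);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withSni(delegate.createSocket(host, port), host);
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int lport)
            throws IOException {
        return withSni(delegate.createSocket(host, port, local, lport), host);
    }
    // SNI carries DNS names only (RFC 6066), so the address-based variants send none.
    @Override public Socket createSocket(InetAddress addr, int port) throws IOException {
        return delegate.createSocket(addr, port);
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress local, int lport)
            throws IOException {
        return delegate.createSocket(addr, port, local, lport);
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

Hostname verification of the certificate is still done by HttpsURLConnection's HostnameVerifier; this wrapper only makes sure the name reaches the server in the ClientHello.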
