Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-16468] Android: SSLException with certificate validation with HTTPClient with multiple virtual hosts

GitHub Issue: n/a
Type: Bug
Priority: Low
Status: Open
Resolution: Unresolved
Affected Version/s: Release 3.2.1
Fix Version/s: n/a
Components: Android
Labels: n/a
Reporter: David Benko
Assignee: Unknown
Created: 2014-02-10T18:37:19.000+0000
Updated: 2018-02-28T20:04:25.000+0000

Description

The HTTPClient fails to verify the SSL Certificate and I think I know the reason why. Log:
02-10 15:17:01.349: E/TiHttpClient(23844): (TiHttpClient-3) [2096,32252] HTTP Error (javax.net.ssl.SSLException): hostname in certificate didn't match: <host1.com> != <host2.com> OR <host2.com> OR <www.host2.com>
02-10 15:17:01.349: E/TiHttpClient(23844): javax.net.ssl.SSLException: hostname in certificate didn't match: <host1.com.br> != <host2.com> OR <host2.com> OR <www.host2.com>
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:185)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:95)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:653)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:637)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1287)
02-10 15:17:01.349: E/TiHttpClient(23844): 	at java.lang.Thread.run(Thread.java:856)
What is happening here is that I have 2 virtual hosts running on the same server, so when the HTTPClient is going to check the certificate, it resolves host1.com to get the IP address and then connects and asks for the certificate without specifying the host. So by default the server returns the certificate for host2.com. I have checked this and the HTTPClient correctly validates the SSL Certificate for host2.com because it is the default. This bug is on Android only.

Environment:
Titanium Studio 3.2.0.201312191547
Titanium SDK 3.2.0
Windows 7
Android device Samsung Galaxy S2, Android v4.2.2
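The exception in the log above comes from hostname verification doing its job: the client asked for host1.com, but because no Server Name Indication (SNI) was sent, the server handed back the default virtual host's certificate, which names only host2.com and www.host2.com. The right fix is for the client to send SNI, not to relax verification. The following is an added, stand-alone example (not Titanium or Apache HttpClient code) that implements RFC 6125 style hostname matching and reproduces the mismatch message for the constructed certificate from the ticket; the `PeerCert` type and the sample certificate values are assumptions built for the demonstration.

```python
"""Hostname verification of the kind that produced the SSLException in this ticket.

Constructed example: a certificate issued for host2.com (the server's default
virtual host) is presented to a client that asked for host1.com, because the
client did not send the Server Name Indication (SNI) extension.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Minimal view of the identity fields in an X.509 server certificate (assumed type)."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)       # dNSName SAN entries
    ip_addresses: List[str] = field(default_factory=list)    # iPAddress SAN entries


def _label_match(pattern: str, host: str) -> bool:
    """Match one presented identifier (possibly wildcarded) against a hostname.

    Rules follow RFC 6125 section 6.4.3: the wildcard may only be the entire
    left-most label, it matches exactly one label, and it must not appear in
    the two right-most labels (so '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: PeerCert) -> bool:
    """Return True if the certificate was issued for `hostname`.

    An IP literal is compared only against iPAddress SANs. A DNS name is
    compared against dNSName SANs and, only when the certificate has no
    dNSName SAN at all, against the subject Common Name (RFC 6125 6.4.4).
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    if cert.dns_names:
        return any(_label_match(n, hostname) for n in cert.dns_names)
    return cert.common_name is not None and _label_match(cert.common_name, hostname)


def describe_mismatch(hostname: str, cert: PeerCert) -> str:
    """Render the failure in the same shape as the log line in the ticket."""
    presented = [cert.common_name] if cert.common_name else []
    presented += cert.dns_names
    return (f"hostname in certificate didn't match: <{hostname}> != "
            + " OR ".join(f"<{p}>" for p in presented))


# Constructed sample: the default virtual host's certificate as seen in the ticket log.
DEFAULT_VHOST_CERT = PeerCert(common_name="host2.com",
                              dns_names=["host2.com", "www.host2.com"])

if __name__ == "__main__":
    for requested in ("host1.com", "host2.com", "www.host2.com"):
        if hostname_matches(requested, DEFAULT_VHOST_CERT):
            print(f"{requested}: certificate accepted")
        else:
            print(f"{requested}: {describe_mismatch(requested, DEFAULT_VHOST_CERT)}")
```

Running the block shows host2.com and www.host2.com accepted while host1.com produces the same "hostname in certificate didn't match" text as the log. The verifier cannot tell a misconfigured client from a man-in-the-middle presenting someone else's certificate, which is exactly why it must reject here; a client that sends SNI for host1.com will receive that host's own certificate and pass the same check.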

Comments

  1. Seth Toda 2014-02-14

    Hello David, could you post some sample code that we can test to recreate the issue? Also, can you verify that your errors are still occurring on 3.2.1GA? Thanks, Seth
  2. David Benko 2014-02-15

    Yes, it is still occurring on 3.2.1.
  3. David Benko 2014-02-15

    nginx version: nginx/1.4.3
  4. Ritu Agrawal 2014-02-18

    Moving this ticket to engineering as I can reproduce this issue with the provided URL on the Android platform. The same URL works fine on the iOS platform.
  5. Wayne Bloore 2014-06-24

    I'm having this same problem on 3.2.3. The web server is running Nginx 1.7. iOS works fine, but Android gets the SSL certificate for the default virtual host.
  6. Achim Hoth 2014-11-20

    Having the same problem in 3.4GA. Has someone found a workaround?
