matomo-org / matomo-sdk-android

SDK for Android to measure your apps with Matomo. Works on Android phones, tablets, Fire TV sticks, and more!
BSD 3-Clause "New" or "Revised" License

Add SNI support #14

Closed gilbert1991 closed 8 years ago

gilbert1991 commented 9 years ago

Hi, when I test on my Piwik server, I get an error like the one below: javax.net.ssl.SSLException: hostname in certificate didn't match: analytics.test.com != test

dotsbb commented 9 years ago

As far as I know, the Apache HTTP Client used in the Piwik SDK doesn't support Server Name Indication. Try to use a direct IP address instead of the domain.

Meanwhile I'll try to change the HTTP Client to the new port of HttpClient for Android, which supports SNI and TLS v1.1/v1.2.

gilbert1991 commented 9 years ago

I think it is the case I found on Stack Overflow: http://stackoverflow.com/questions/21956663/why-does-android-get-the-wrong-ssl-certificate-two-domains-one-server. Reference for others.

d4rken commented 9 years ago

From https://developer.android.com/training/articles/security-ssl.html

Fortunately, HttpsURLConnection supports SNI since Android 2.3. Unfortunately, Apache HTTP Client does not, which is one of the many reasons we discourage its use. One workaround if you need to support Android 2.2 (and older) or Apache HTTP Client is to set up an alternative virtual host on a unique port so that it's unambiguous which server certificate to return.

If we raise the minAPI to at least 8 (currently 7), this looks doable without requiring extra 3rd party libs. If we look at user numbers in the wild, going minAPI 8 seems to be no big deal.

dotsbb commented 9 years ago

@d4rken good to hear. I'll vote to bump minAPI to the 8 level. According to this chart 2.0-2.1 Eclair hits only 0.1% of users (testers perhaps? ;) )

d4rken commented 9 years ago

+1 from me too.