moxie0 / AndroidPinning

A standalone library project for certificate pinning on Android.
http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/
GNU General Public License v3.0

Edge case on API < 16 #5

Open elevenfive opened 11 years ago

elevenfive commented 11 years ago

https://gist.github.com/elevenfive/c5cab352ca368bba3087

Take a look! I confirmed this breaks on < 16. It doesn't break for all URLs. For example, Paypal's site doesn't expose the issue for some reason.

Important details:

1: The first test that runs creates a pinned connection which succeeds. The second test then tries to make another connection without pins. That 2nd test should not be able to make the connection but for some reason can.

2: You must attempt to use the stream returned during the test. This happens with the lines:

    InputStreamReader isr = new InputStreamReader(respStream);
    String respString = readFully(isr);

Any ideas?
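A regression check derived from the two "important details" above, written as an added example (it is not code from the issue, the gist, or the AndroidPinning project): a pinned connection that succeeds, followed by a connection with a deliberately mismatched pin that must be rejected even when the response body is read. It assumes the library's `PinningHelper.getPinnedHttpsURLConnection(Context, String[], URL)` entry point, an Android test `Context`, and placeholder host and pin values; the `Connection: close` header and `disconnect()` call are a precaution against the two requests sharing a pooled socket, which is an assumption about the cause and not something the report establishes.

```java
import android.content.Context;
import org.thoughtcrime.ssl.pinning.PinningHelper;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;

public class PinningRegressionCheck {
    // Placeholders: replace with the host under test and the SPKI pin the library expects for its CA.
    private static final URL TARGET = url("https://example.invalid/");
    private static final String[] GOOD_PINS  = { "<SPKI_PIN_OF_TARGET_CA>" };
    // Deliberately mismatching pin: no real certificate chain should satisfy it.
    private static final String[] WRONG_PINS = { "0000000000000000000000000000000000000000" };

    /** Opens a pinned connection, reads the whole body (the step the report says is required), then tears it down. */
    static String fetchPinned(Context ctx, String[] pins) throws IOException {
        HttpsURLConnection conn = PinningHelper.getPinnedHttpsURLConnection(ctx, pins, TARGET);
        try {
            conn.setRequestProperty("Connection", "close"); // assumption: avoid reuse of the first request's socket
            return readFully(new InputStreamReader(conn.getInputStream()));
        } finally {
            conn.disconnect();
        }
    }

    /** Returns true when the mismatched-pin request is rejected after a successful pinned request. */
    static boolean secondConnectionIsRejected(Context ctx) throws IOException {
        fetchPinned(ctx, GOOD_PINS);        // first request: correct pins, must succeed
        try {
            fetchPinned(ctx, WRONG_PINS);   // second request: wrong pins, must fail before the body is readable
            return false;                   // body was read: this is the behaviour the issue reports on API < 16
        } catch (SSLException expected) {
            return true;                    // pin check rejected the handshake, as intended
        }
    }

    static String readFully(Reader r) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        for (int n; (n = r.read(buf)) != -1; ) sb.append(buf, 0, n);
        return sb.toString();
    }

    private static URL url(String s) {
        try { return new URL(s); } catch (MalformedURLException e) { throw new IllegalArgumentException(e); }
    }
}
```

Run `secondConnectionIsRejected` once on an API 16+ device and once on an older one; a `false` on the older device reproduces the report.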

moxie0 commented 11 years ago

Thanks, could you submit a test case?

elevenfive commented 11 years ago

There is some sort of other strangeness going on - when I tried to replicate the problem directly in a test case in this project I was unable to do so.

moxie0 commented 11 years ago

Please keep me updated if you figure out what's happening.

elevenfive commented 11 years ago

I added a test case in a gist above. (I don't know if you got notified when I edited that comment or not)