Android SSL - SNI support
I would like to know about the support for the SSL/TLS Server Name Indication (SNI) extension in the Android SDK.

Licorice answered 4/5, 2011 at 7:19 Comment(1)
Even now, a number of Android HTTP libraries do not support SNI. I just ran into a problem, not realizing it was SNI, as I kept getting a failed SSL handshake, and the moment SNI is disabled it all works. Just a note: connecting using 'HttpsURLConnection' works, as it (I believe) uses OkHttp, which also supports SNI. – Apologetics
As far as I know, there is partial support in the Android SDK. The current situation is the following:

  1. Since the Gingerbread release, TLS connections made with the HttpsURLConnection API support SNI.
  2. The Apache HTTP client library shipped with Android does not support SNI.
  3. The Android web browser does not support SNI either (since it uses the Apache HTTP client API).

There is an open ticket regarding this issue in the Android bug tracker.

It is also possible to test the SNI support by making a connection to this URL: https://sni.velox.ch/

Aleppo answered 5/5, 2011 at 9:18 Comment(3)
Hi Jcs, thanks for the help. I have tried the sni.velox.ch link using the SSLContext ("TLS") and SSLEngine classes available in the Android SDK. I am getting the handshake. But the same code is not working on our testing server. Is there anything to do with the server? Please help me out with this. – Licorice
I am getting the following error: Error negotiating SSL connection. java.io.IOException: SSL handshake failure: Failure in SSL library, usually a protocol error SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:580 0xaf589bac:0x00000000) – Licorice
It seems to be a problem with the server's answer. Maybe SNI support is not enabled on the server. I guess the server log may give you more information. – Aleppo
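The answer and the comments above hinge on one question: did the client actually send the SNI extension, and did the server pick the matching certificate? The following Java class is an added example (not code from the thread or from any of its authors) that exercises both paths discussed: HttpsURLConnection, which sends SNI on its own, and a raw SSLSocket where SNI is set explicitly through SSLParameters. It assumes the sni.velox.ch test host named in the answer; the class name, the HEAD request and the "with SNI / without SNI" comparison are my own choices. SSLParameters.setServerNames and SNIHostName exist on Java 8+ and Android API 24+; on older Android releases this path is not available through the public API, which is the gap the answer describes.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: two ways to reach an SNI-only virtual host and confirm which
 * certificate the server actually selected. HOST/PORT are assumptions; any
 * server that hosts several certificates on one address will do.
 */
public final class SniCheck {

    private static final String HOST = "sni.velox.ch"; // test host named in the answer
    private static final int PORT = 443;

    /** HttpsURLConnection sends SNI by itself on Android 2.3+ / Java 7+. */
    static String viaHttpsUrlConnection() throws IOException {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + HOST + "/").openConnection();
        conn.setRequestMethod("HEAD");
        conn.connect();
        try {
            // Leaf certificate the server chose; with working SNI its subject names HOST.
            Certificate[] chain = conn.getServerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Raw SSLSocket with SNI set explicitly. With sendSni=false the extension is
     * suppressed, so a server that only knows the virtual host by name either
     * returns its default certificate or aborts with a handshake_failure alert,
     * which is the "sslv3 alert handshake failure" seen in the comments above.
     */
    static String viaSslSocket(boolean sendSni) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // platform default trust store
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT)) {
            SSLParameters params = socket.getSSLParameters();
            if (sendSni) {
                params.setServerNames(
                        Collections.<SNIServerName>singletonList(new SNIHostName(HOST)));
                // Also check the returned certificate's names against HOST (RFC 2818 rules),
                // so a wrong certificate is rejected instead of silently accepted.
                params.setEndpointIdentificationAlgorithm("HTTPS");
            } else {
                params.setServerNames(Collections.<SNIServerName>emptyList());
            }
            socket.setSSLParameters(params);
            socket.startHandshake();
            SSLSession session = socket.getSession();
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return leaf.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("HttpsURLConnection -> " + viaHttpsUrlConnection());
        System.out.println("SSLSocket with SNI  -> " + viaSslSocket(true));
        try {
            System.out.println("SSLSocket, no SNI   -> " + viaSslSocket(false));
        } catch (IOException e) {
            // Expected against a server that requires SNI for this virtual host.
            System.out.println("SSLSocket, no SNI   -> handshake failed: " + e.getMessage());
        }
    }
}
```

Running the class against a server that hosts several certificates on one address shows the difference directly: the two SNI-enabled paths return the certificate whose subject matches the requested host, while the no-SNI path returns the server's default certificate or fails the handshake. When the second comment's error appears on your own server, the same comparison tells you whether the client omitted SNI or the server has no virtual host configured for that name.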
Fortunately, HttpsURLConnection supports SNI since Android 2.3. One workaround if you need to support Android 2.2 (and older) is to set up an alternative virtual host on a unique port so that it's unambiguous which server certificate to return.

Please check this link for more information. Hope this will help future users.

Just for information

Newer versions of SSL, specifically TLSv1.0 and later, support Server Name Indication (SNI), which allows the SSL client to specify the intended hostname to the server so the proper certificate can be returned.

Evyn answered 16/3, 2018 at 9:7 Comment(0)
