1

This issue in the Android bug tracker seems to suggest that SNI has been part of the Android OS now for some time so I'm surprised to find that visiting our CloudFlare Flexible-SSL enabled site throws a security warning in the Facebook android app, when using it's built-in browser. If I switch to the external Chrome browser it's fine. If I use Chrome or the stock browser it's also fine. Same page/site from Facebook on iOS - no issue.

Has any one else experienced this with CloudFlare Flexible-SSL (that utilises SNI), particularly for Facebook on Android?

Andre Lackmann
  • 426
  • 2
  • 6
  • 2
    Which Android version? – ceejayoz Jun 01 '15 at 02:22
  • On Android 4.1.2 (which is quite old by now), the default browser supports SNI. But when testing an application which is much newer than the Android 4.1.2 it is running on, I see no SNI support. So it is up to each application to support SNI. However the facebook application does support SNI when running on this Android version. – kasperd Jun 01 '15 at 07:06
  • I was testing on a Samsung Note 4, running Android 4.4.4. @kasperd are you saying you didn't see any issue accessing an SNI hosted SSL certificate site via the FB app? – Andre Lackmann Jun 02 '15 at 03:12
  • @AndreLackmann I have not performed a thorough test. I just tested enough to verify that SNI app does depend on the app (i.e. two apps on the same Android version with SNI support in one and not the other). – kasperd Jun 02 '15 at 05:28

1 Answers1

1

SNI support is in HttpsURLConnection for a while. But if you do anything more advanced you are probably using the Apache HTTPClient library and Android SDK contains only an old version which does not support SNI. To make use of SNI you have to be aware of it and then you can work around this limitation, see http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache.

Steffen Ullrich
  • 13,227
  • 27
  • 39