nloko/SyncMyPix

javax.net.ssl.SSLException: hostname in certificate didn't match: <fbcdn-profile-a.akamaihd.net> != <a248.e.akamai.net>

Opened this issue · 5 comments

Stack trace:

E/ (14495): javax.net.ssl.SSLException: hostname in certificate didn't match: <fbcdn-profile-a.akamaihd.net> != <a248.e.akamai.net>
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:222)
E/ (14495): at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:151)
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:132)
E/ (14495): at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321)
E/ (14495): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:129)
E/ (14495): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
E/ (14495): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
E/ (14495): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
E/ (14495): at com.nloko.android.Utils.downloadPictureAsStream(Utils.java:291)
E/ (14495): at com.nloko.android.Utils.downloadPictureAsStream(Utils.java:263)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.processUser(SyncService.java:380)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.doInBackground(SyncService.java:536)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.doInBackground(SyncService.java:1)
E/ (14495): at android.os.AsyncTask$2.call(AsyncTask.java:185)
E/ (14495): at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
E/ (14495): at java.util.concurrent.FutureTask.run(FutureTask.java:137)
E/ (14495): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
E/ (14495): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)
E/ (14495): at java.lang.Thread.run(Thread.java:1102)

See https://github.com/android/platform_external_apache-http/blob/0975baec4ae0bb71b750180ca550b747cb1c3cd5/src/org/apache/http/conn/ssl/AbstractVerifier.java for code issuing the exception.

To me, it seems that the subject alternative names are not getting picked up for some reason. If you look at the URL for a photo, it looks something like this:
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc4/xxxx.jpg

If you look at the certificate, it has SANs for the following domains:
a248.e.akamai.net
*.akamaihd.net
*.akamaihd-staging.net

So, it should pass verification, but it doesn't because AbstractVerifier doesn't see the SANs.

I should point out that this exception currently seems random. I don't get it on my phone. It could be related to location, maybe?
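Added example (not SyncMyPix code, and not Android's AbstractVerifier): a minimal RFC 6125-style hostname check showing that the photo host matches the *.akamaihd.net SAN, and that the exact error text in the trace above only appears when the SAN list is ignored and the CN alone is compared. The hostnames and SAN list are the ones quoted in this issue, not read from a live certificate.

```python
# Constructed sample values, copied from the issue text (not from a live cert).
URL_HOST = "fbcdn-profile-a.akamaihd.net"
CERT_CN = "a248.e.akamai.net"
CERT_SANS = ["a248.e.akamai.net", "*.akamaihd.net", "*.akamaihd-staging.net"]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label, must be
    followed by at least two more labels, and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # reject 'a*.example.net', '*.net', or a wildcard elsewhere
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # '*.akamaihd.net' matches neither 'akamaihd.net' nor 'x.y.akamaihd.net'
    return p_labels[1:] == h_labels[1:]


def verify_hostname(host: str, cn: str, sans: list) -> tuple:
    """Return (ok, message).

    DNS SANs are authoritative; the CN is consulted only when the certificate
    presents no SANs. Passing an empty SAN list reproduces what the trace shows:
    the verifier falls back to the CN and fails.
    """
    candidates = list(sans) if sans else [cn]
    for cand in candidates:
        if name_matches(cand, host):
            return True, f"hostname {host} matched certificate name {cand}"
    return False, f"hostname in certificate didn't match: <{host}> != <{candidates[0]}>"


if __name__ == "__main__":
    print(verify_hostname(URL_HOST, CERT_CN, CERT_SANS))  # SANs honoured: ok
    print(verify_hostname(URL_HOST, CERT_CN, []))          # SANs ignored: the trace's error
```

Fixing SAN extraction, or carrying a verifier that matches like this, keeps certificate checking intact, which the trust-any-certificate workaround linked below does not.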

In reply to muhsincan:

Man, that's quite a challenging problem for me; I do not even have the software to get these error messages. But I googled the problem and there seem to be many solutions, since the problem is caused by a common repository. Have a look at
http://en.wikibooks.org/wiki/WebObjects/Web_Services/How_to_Trust_Any_SSL_Certificate
and
http://stackoverflow.com/questions/3135679/android-httpclient-hostname-in-certificate-didnt-match-example-com-ex
I am just beginning to learn how to develop an Android application, so I need more time to solve these, but I'm getting there.

Writing our own Verifier is a solution. But, before doing that, it'd be preferable to know why the AbstractVerifier doesn't see the SANs.

Recreating the problem is also problematic. I was just in touch with a user that reported the problem. I asked them to try going to the https://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc4/xxxx.jpg URL that caused the problem in the Android browser. As I expected, the browser presents them with the Security Warning dialog stating that the cert is from an Untrusted authority.

Looking at this further, 78% of the app's users are running Android 2.2 or higher. All reports of this error are from earlier versions of Android. So, it may be an old bug that's been fixed in Android.