From 317c0a4959df0361431d5fbf7dacc162bfb48cd2 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Tue, 12 May 2015 15:13:50 -0700 Subject: Start handshake before calling hostname verifier If the hostname verifier calls SSLSocket#getSession() before the handshake has been started, it will implicitly start the handshake. However, it will swallow any errors and return the canonical invalid SSLSession instead. This makes it extremely difficult to debug issues. Instead start the handshake before calling into the verifier since we are guaranteed to be the first caller of #startHandshake() and won't cause a renegotiation. That will allow us to see the actual SSLHandshakeException if it occurs. Bug: 14975169 Bug: 17332309 Bug: 17524215 Bug: 17812533 Bug: 18507278 Bug: 19069992 Bug: 19378885 Bug: 19414083 Bug: 19550311 Bug: 19731556 Bug: 19853723 Bug: 20908941 Change-Id: Ie74ec12c8b131c7bf400a07fc91c78da4d5e470f
---
 src/org/apache/http/conn/ssl/SSLSocketFactory.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/org/apache/http/conn/ssl/SSLSocketFactory.java b/src/org/apache/http/conn/ssl/SSLSocketFactory.java
index 1e46fee..0b5aa37 100644
--- a/src/org/apache/http/conn/ssl/SSLSocketFactory.java
+++ b/src/org/apache/http/conn/ssl/SSLSocketFactory.java
@@ -330,6 +330,14 @@ public class SSLSocketFactory implements LayeredSocketFactory {
 sslsock.setSoTimeout(soTimeout);
 try {
+ // BEGIN android-added
+ /*
+ * Make sure we have started the handshake before verifying.
+ * Otherwise when we go to the hostname verifier, it directly calls
+ * SSLSocket#getSession() which swallows SSL handshake errors.
+ */
+ sslsock.startHandshake();
+ // END android-added
 hostnameVerifier.verify(host, sslsock);
 // verifyHostName() didn't blowup - good!
 } catch (IOException iox) {
--
cgit v1.2.3
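Review bot: The block comment added above `sslsock.startHandshake()` explains why the handshake is started early but leaves out the invariant the commit message relies on, namely that this is the first `startHandshake()` call on the socket and so cannot cause a renegotiation. I would add a line to that comment such as `* This must stay the first startHandshake() call on this socket, so it cannot trigger a renegotiation.` A handshake failure now reaches the same `catch (IOException iox)` as a hostname-verification failure; the catch body and the rest of the enclosing method are outside the hunk, so confirm that path closes the socket before rethrowing. The class implements LayeredSocketFactory and this patch touches one call site only, so if the layered createSocket path also calls `hostnameVerifier.verify`, it may still go through the error-swallowing `getSession()` route and need the same explicit handshake.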