SSLException當服務器證書使用SAN（主題備用名稱）

Question

我試圖建立一個使用org.apache.http。*中的類的https連接。由於我設置的一部分，我用它規定了BrowserCompatHostnameVerifier（）類：

The hostname must match either the first CN, or any of the subject-alts. A wildcard can occur in the CN, and in any of the subject-alts.

當我打了誰的服務器的主機名不匹配，這是在CN規定，但確實條目匹配一個在主題ALTS，我得到以下異常：

javax.net.ssl.SSLException: hostname in certificate didn't match: <mtvniph1-f.akamaihd.net> != <a248.e.akamai.net> 
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:222) 
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) 
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:151) 
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:132) 
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321) 

下面是相關的代碼塊是造成此錯誤：

DefaultHttpClient seed = new DefaultHttpClient(); 
SchemeRegistry registry = new SchemeRegistry(); 

SSLSocketFactory ssf = SSLSocketFactory.getSocketFactory(); 

// XXX: This verifier isn't working with Subject Alternative Names 
ssf.setHostnameVerifier(new BrowserCompatHostnameVerifier()); 

registry.register(new Scheme("https", ssf, 443)); 

SingleClientConnManager mgr = new SingleClientConnManager(seed.getParams(), registry); 
DefaultHttpClient http = new DefaultHttpClient(mgr, seed.getParams()); 

// Config point, change to your preference 
String url = "https://mtvniph1-f.akamaihd.net/e3_ubisoft_prod0.m3u8"; 

HttpGet method = new HttpGet(url); 

HttpResponse response = null; 
try 
{ 
    response = http.execute(method); 
} 
catch (Exception e) 
{ 
    Log.e(TAG, "Request failed", e); 
} 

比較這一行爲和磨片你用「https://www.google.com」替換網址。我可以通過創建自己的X509HostnameVerifier來解決此問題，但是我想知道這是否是BrowserCompatHostnameVerifier中的有效錯誤，或者如果我做錯了什麼。

其他人有類似的問題？

Answer 1

根據中繼AbstractVerifier.java，它沒有拿起你的subjectAltName（它列出了它在異常中找到的所有名稱）。 openssl s_client -connect mtvniph1-f.akamaihd.net:443 -showcerts表明它不是證書的問題。