
HttpsURLConnection: SSL resumption not working

Tags: android, https, ssl

I'm trying to set up SSL (with SSL resumption) using HttpsURLConnection with my own trust manager.

I am only able to perform SSL handshakes and connections. No SSL resumption - the previous sessions are never reused!

I searched all over, but no luck. All answers refer to HttpClient (which is not an option).

My setup is as follows:

  • I create an SSL Context which I store for later use.

  • I then create an SSL Factory using this SSL context which I also store for it to be used with all connections.

  • I start a connection where everything goes well: I receive a sessionID, a complete handshake is done and the connection is sent to the server.

  • One minute later, I start another connection. For some weird reason, this connection does not send the sessionID I had earlier. I print the SSLContext's session - The last session is still there and is valid. For some reason this new connection does not use it, thus another session is created and is added to the sessions' cache.

I tried both Android versions 2.3 and 4.1, on 2 different devices.

Following many Google results I even tried to add Keep-Alive as some users proposed, as well as other voodoo that led to no different results.

Did anyone run into this? Is there something I'm missing?

What could cause my connections not to use the last session?

Thanks in advance!

asked Jan 15 '13 12:01

Branchitos


1 Answer

What you'd like to do is use reflection to override members in class android.net.SSLCertificateSocketFactory. The members are:

  1. HOSTNAME_VERIFIER
  2. mTrustManagers
  3. mKeyManagers

Do it by getting the class:

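import java.lang.reflect.Field;

Class<?> sslClass = Class.forName("android.net.SSLCertificateSocketFactory");
Field classField = sslClass.getDeclaredField("defaultTrustManager");
// Private fields are only writable through reflection after this call.
classField.setAccessible(true);
// Use one of the two calls below, depending on whether the field is static.
classField.set(null /* if the field is static */, youObjectHere /* needs casting */);
classField.set(objectInstance /* if the field is not static */, youObjectHere /* needs casting */);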

and then:

Override these with your own variables. This will allow for SSL resumption for Android API 14 and above (I tested on 14).

BEWARE

You'd need to maintain this code and keep up with any changes Google might make.

Hope it helped! Good luck!

answered Oct 25 '22 15:10

Assaf Gamliel
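
One way to confirm whether a client is actually resuming sessions, as in the two-connection test the question describes, is to compare the session IDs of two consecutive handshakes made through the same SSLSocketFactory. This is an added example, not code from the question or the answer; the class and method names are hypothetical, example.com is a placeholder host, and it assumes plain JSSE with TLS 1.2 available, the default trust managers rather than a custom one, and a server that supports session-ID resumption.

```java
import java.math.BigInteger;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ResumptionCheck {
    /** Completes one handshake and returns the negotiated session's ID. */
    static byte[] handshake(SSLSocketFactory factory, String host, int port) throws Exception {
        // Passing host and port lets the client session cache look the peer up.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Session IDs identify resumption up to TLS 1.2; TLS 1.3 resumes via PSK.
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.startHandshake();
            return socket.getSession().getId();
        }
    }

    /** A resumed handshake reports the same non-empty session ID as the first one. */
    static boolean resumed(byte[] firstId, byte[] secondId) {
        return firstId.length > 0 && Arrays.equals(firstId, secondId);
    }

    /** Hex form of a session ID for printing; servers may send an empty ID. */
    static String hex(byte[] id) {
        return id.length == 0 ? "(empty)" : new BigInteger(1, id).toString(16);
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // default trust managers (assumption)
        // One factory from one context, reused for every connection.
        SSLSocketFactory factory = context.getSocketFactory();

        byte[] first = handshake(factory, host, 443);
        byte[] second = handshake(factory, host, 443);
        // Number of sessions the client-side cache of this context currently holds.
        int cached = Collections.list(context.getClientSessionContext().getIds()).size();

        System.out.println("first session id : " + hex(first));
        System.out.println("second session id: " + hex(second));
        System.out.println("sessions cached  : " + cached);
        System.out.println(resumed(first, second)
                ? "resumed: the second handshake reused the cached session"
                : "not resumed: a new session was created");
    }
}
```

Two different IDs together with a growing cache count match the symptom in the question: sessions are being stored but not offered on the next handshake.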