
javax.net.ssl.SSLException: hostname in certificate didn't match: <fbcdn-profile-a.akamaihd.net> != <a248.e.akamai.net> #5

@nloko

Stack trace:

E/ (14495): javax.net.ssl.SSLException: hostname in certificate didn't match: <fbcdn-profile-a.akamaihd.net> != <a248.e.akamai.net>
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:222)
E/ (14495): at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:151)
E/ (14495): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:132)
E/ (14495): at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:321)
E/ (14495): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:129)
E/ (14495): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
E/ (14495): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
E/ (14495): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
E/ (14495): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
E/ (14495): at com.nloko.android.Utils.downloadPictureAsStream(Utils.java:291)
E/ (14495): at com.nloko.android.Utils.downloadPictureAsStream(Utils.java:263)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.processUser(SyncService.java:380)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.doInBackground(SyncService.java:536)
E/ (14495): at com.nloko.android.syncmypix.SyncService$SyncTask.doInBackground(SyncService.java:1)
E/ (14495): at android.os.AsyncTask$2.call(AsyncTask.java:185)
E/ (14495): at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
E/ (14495): at java.util.concurrent.FutureTask.run(FutureTask.java:137)
E/ (14495): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
E/ (14495): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)
E/ (14495): at java.lang.Thread.run(Thread.java:1102)

See https://github.com/android/platform_external_apache-http/blob/0975baec4ae0bb71b750180ca550b747cb1c3cd5/src/org/apache/http/conn/ssl/AbstractVerifier.java for code issuing the exception.

To me, it seems that the subject alternative names are not getting picked up for some reason. If you look at the URL for a photo, it looks something like this:
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-snc4/xxxx.jpg

If you look at the certificate, it has SANs for the following domains:
a248.e.akamai.net
*.akamaihd.net
*.akamaihd-staging.net

So, it should pass verification, but it doesn't because AbstractVerifier doesn't see the SANs.
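
The match the issue expects, as an added example that is not code from the app or from Apache HttpClient: every dNSName entry in the SAN list is tried in turn, with a wildcard standing for exactly one label. The class and method names are hypothetical, the SAN list is constructed from the three values quoted above, and the single-label wildcard rule follows RFC 6125 rather than any particular verifier.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanHostnameCheck {
    private static final int DNS_NAME = 2; // GeneralName type tag for dNSName

    /** True if host matches any dNSName entry. sans has the shape returned by
     *  X509Certificate.getSubjectAlternativeNames(): lists of [Integer type, Object value]. */
    static boolean matchesAnySan(String host, Collection<List<?>> sans) {
        if (sans == null) return false; // certificate carries no SAN extension
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> entry : sans) {
            // Skip non-DNS entries (IP addresses, URIs, ...) instead of stopping at them.
            if (entry.size() < 2 || !Integer.valueOf(DNS_NAME).equals(entry.get(0))) continue;
            if (matchesPattern(h, ((String) entry.get(1)).toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }

    /** Exact match, or "*.suffix" where the wildcard stands for exactly one label. */
    static boolean matchesPattern(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1); // e.g. ".akamaihd.net"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // Constructed input: the three SAN values listed in the issue, as dNSName entries.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
            Arrays.<Object>asList(DNS_NAME, "a248.e.akamai.net"),
            Arrays.<Object>asList(DNS_NAME, "*.akamaihd.net"),
            Arrays.<Object>asList(DNS_NAME, "*.akamaihd-staging.net"));
        // The photo host from the issue, plus hosts a wildcard must not cover.
        String[] hosts = {"fbcdn-profile-a.akamaihd.net", "a248.e.akamai.net",
                          "a.b.akamaihd.net", "akamaihd.net", "example.org"};
        for (String host : hosts) {
            System.out.println(host + " -> " + matchesAnySan(host, sans));
        }
    }
}
```

A verifier that walks the full SAN list this way accepts the photo host through `*.akamaihd.net`, so the failure can be fixed without turning hostname verification off.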
