SNI support (fixes #9); only available for API level >= 17 (Android 4.2+)

res/values-de/strings.xml

@@ -39,7 +39,7 @@
        Play-Store bezogen haben</a> und Android 4.1 oder Samsung-Geräte (wie zB das Galaxy Note, Note 10.1, S2, S3, S4, …)
        benutzen, müssen Sie möglicherweise den
        <a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid.jbworkaround">DAVdroid JB Workaround</a>
-       installieren, um Datenverlust beim Neustart zu vermeiden (dies ist ein Android-Bug).</p>
+       installieren, um Datenverlust beim Neustart zu vermeiden (dies ist ein Android/Play Store-Bug).</p>
        
        <p>Weitere Informationen erhalten Sie auf der <a href="http://davdroid.bitfire.at?pk_campaign=davdroid-app&amp;pk_kwd=main-activity">DAVdroid-Homepage</a>.
        Dort finden Sie auch eine <a href="http://davdroid.bitfire.at/configuration?pk_campaign=davdroid-app&amp;pk_kwd=main-activity">Anleitung zum Einrichten</a>
@@ -54,7 +54,7 @@
 	   <p>DAVdroid ist von Anfang an als Open-Source-Projekt ausgelegt. Der Quellcode kann jederzeit selbst kompiliert und
 	   die App unter den Bedingungen der GPLv3 verwendet werden. Der Quellcode ist
 	   <a href="https://github.com/rfc2822/davdroid">auf Github verfügbar</a>, die App kann auch
-	   <a href="https://f-droid.org/app/at.bitfire.davdroid">über F-droid bezogen werden</a>.</p>
+	   <a href="https://f-droid.org/app/at.bitfire.davdroid">über F-Droid bezogen werden</a>.</p>
 	   
 	   <p>Es ist jedoch viel Arbeit, die App zu entwickeln und besser zu machen. Daher haben wir uns entschlossen, sie
 	   auch gegen eine kleine Gebühr in die Stores (Google Play,

res/values/strings.xml

@@ -20,10 +20,10 @@
     <string name="exception_io">I/O error: %s</string>
     <string name="exception_uri_syntax">Invalid URI: %s</string>
     <string name="exception_incapable_resource">Missing capabilities: %s</string>
-    <string name="neither_caldav_nor_carddav">neither CalDAV nor CardDAV available</string>
+    <string name="neither_caldav_nor_carddav">Neither CalDAV nor CardDAV available</string>
     <string name="error_principal_path">"Couldn't determine principal path (RFC 5397)"</string>
-    <string name="error_home_set_address_books">&quot;Couldn't determine address book home set&quot;</string>
+    <string name="error_home_set_address_books">"Couldn't determine address book home set"</string>
-    <string name="error_home_set_calendars">&quot;Couldn't determine calendar home set&quot;</string>
+    <string name="error_home_set_calendars">"Couldn't determine calendar home set"</string>
     <string name="add_account">Add account</string>
     <string name="querying_server">Querying server. Please wait…</string>
     <string name="exception_http">HTTP error: %s</string>
@@ -47,7 +47,7 @@
        Play Store</a> and use Android 4.1 or Samsung devices (for instance, Galaxy Note, Note 10.1, S2, S3, S4, …)
        you may have to install the
        <a href="https://play.google.com/store/apps/details?id=at.bitfire.davdroid.jbworkaround">DAVdroid JB Workaround</a>
-       to prevent data-loss on reboot (it\'s an Android bug).</p>
+       to prevent data-loss on reboot (it\'s an Android/Play Store bug).</p>
        
        <p>For more information, please see the <a href="http://davdroid.bitfire.at?pk_campaign=davdroid-app&amp;pk_kwd=main-activity">DAVdroid homepage</a>.
        There\'s a <a href="http://davdroid.bitfire.at/configuration?pk_campaign=davdroid-app&amp;pk_kwd=main-activity">Setup guide</a>, too. DAVdroid respects

src/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java

@@ -0,0 +1,79 @@
+package at.bitfire.davdroid.webdav;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+
+import org.apache.http.conn.scheme.LayeredSocketFactory;
+import org.apache.http.params.HttpParams;
+
+import android.annotation.TargetApi;
+import android.net.SSLCertificateSocketFactory;
+import android.os.Build;
+import android.util.Log;
+
+@TargetApi(Build.VERSION_CODES.JELLY_BEAN_MR1)
+public class TlsSniSocketFactory implements LayeredSocketFactory {
+	private static final String TAG = "davdroid.SNISocketFactory";
+	
+	// "insecure" means that it doesn't verify the host name
+	// we will do this ourselves so we can set up SNI before
+	SSLCertificateSocketFactory sslSocketFactory =
+			(SSLCertificateSocketFactory) SSLCertificateSocketFactory.getInsecure(0, null);
+
+	
+	// Plain TCP/IP (layer below TLS)
+
+	@Override
+	public Socket connectSocket(Socket s, String host, int port, InetAddress localAddress, int localPort, HttpParams params) throws IOException {
+		s.connect(new InetSocketAddress(host, port));
+		return s;
+	}
+
+	@Override
+	public Socket createSocket() {
+		Socket s = new Socket();
+		return s;
+	}
+
+	@Override
+	public boolean isSecure(Socket s) throws IllegalArgumentException {
+		if (s instanceof SSLSocket)
+			return ((SSLSocket)s).isConnected();
+		return false;
+	}
+
+	
+	// TLS layer
+
+	@Override
+	public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+		SSLSocket ssl = (SSLSocket)sslSocketFactory.createSocket(s, host, port, autoClose);
+
+		// set SNI before the handshake
+		if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
+			Log.i(TAG, "Setting SNI hostname");
+			sslSocketFactory.setHostname(ssl, host);
+		} else
+			Log.w(TAG, "No SNI support below Android 4.2!");
+		
+		// now do the TLS handshake
+		ssl.startHandshake();
+		SSLSession session = ssl.getSession();
+		if (session == null)
+            throw new SSLException("Cannot verify SSL socket without session");
+		
+		// verify host name (important!)
+		if (!HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session))
+            throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
+		return ssl;
+	}
+
+}

src/at/bitfire/davdroid/webdav/WebDavResource.java

@@ -40,6 +40,8 @@ import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpOptions;
 import org.apache.http.client.methods.HttpPut;
 import org.apache.http.client.params.ClientPNames;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.scheme.SchemeRegistry;
 import org.apache.http.entity.ByteArrayEntity;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.message.BasicLineParser;
@@ -102,6 +104,10 @@ public class WebDavResource {
 		client = new DefaultHttpClient();
 		client.getParams().setParameter(CoreProtocolPNames.USER_AGENT, "DAVdroid/" + Constants.APP_VERSION);
 		
+		// use our own, SNI-capable LayeredSocketFactory for https://
+	    SchemeRegistry schemeRegistry = client.getConnectionManager().getSchemeRegistry();
+	    schemeRegistry.register(new Scheme("https", new TlsSniSocketFactory(), 443));
+		
 		// allow gzip compression
 		GzipDecompressingEntity.enable(client);