Why does android get the wrong ssl certificate? (two domains, one server)

Question

I have two domains: foo.net and bar.com. They both have SSL certificates, and they work well in all desktop and mobile browsers. They are hosted on

Answer 1

The most likely cause for this problem is that the server uses Server Name Indication to choose which certificate to send. If the client doesn't support SNI, the server cannot choose which certificate to send during the SSL/TLS handshake (before any HTTP traffic is sent). SNI is required when you want to use multiple certificates on the same IP address and port, but not all clients support it (notoriously, IE on any version of Windows XP, and a number of mobile browsers).

You're also visibly using the Apache HTTP Client library (not HttpsURLConnection, for which there can be SNI support with some Android versions. Support for SNI in the Apache HTTP Client library is quite recent, and certainly hasn't made it into the Android stack.

You may find the workaround described in this article useful (although it seems only to work for Android 4.2+).

Another two options would be:

• to use a distinct IP address for each host (so as not to need SNI), if you're in control of server, or
• to use another HTTP Client library (e.g. HttpsURLConnection).