Environment
Accessing some HTTPS sites, such as Gmail, through a proxy gateway (such as China Mobile's CMWAP) on an Android phone sometimes fails with the following error: "Unable to establish secure connection" (a secure connection could not be established).
Reason
This is a deeply hidden problem. When the system protocol stack establishes an SSL socket, by default it calls SecurityManager to resolve the host domain name of the peer site for some additional validation (it seems that the validation result does not affect the subsequent operation; this needs further study), and that call invokes the system's DNS service. However, when accessing the Internet through the CMWAP gateway, all requests go through the proxy server 10.0.0.172, and the client has no corresponding list of DNS servers. If the phone happens to have accessed the Internet over WiFi or by other means (such as the CMNET gateway, which does not require a proxy), the Linux stack keeps the list of DNS servers from those connections, and the system naively sends requests to those DNS servers, which end in a timeout failure. In particular, DNS has a retry mechanism, so it takes tens of seconds before the DNS failure is returned to the HTTP layer.
By this time the HTTP layer has already completed the Client Hello/Server Hello handshake of the SSL protocol layer and could go on to exchange HTTP data, but for the reason above the DNS timeout takes too long. For security purposes, many servers disconnect the SSL connection if they find that the client has exchanged no data within 10 seconds, or even less, after the SSL handshake.
Solutions
The simple solution: when accessing the Internet through a proxy gateway, do not perform the DNS resolution validation. This step is not necessary.
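The approach described above, as an added example in standalone Java (not the Android platform code and not from the original post): the origin host is left unresolved whenever a proxy is in use, the proxy is asked to open a CONNECT tunnel, and TLS runs over the tunnel with the server still checked by name against its certificate. The class and method names, the proxy port 80 and the host `mail.example.com` are assumptions for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.*;

public class ProxyTunnel {
    // Origin address: left unresolved behind a proxy, so no DNS query is sent.
    static InetSocketAddress originAddress(String host, int port, Proxy proxy) {
        boolean viaProxy = proxy != null && proxy.type() != Proxy.Type.DIRECT;
        return viaProxy ? InetSocketAddress.createUnresolved(host, port)
                        : new InetSocketAddress(host, port); // resolves via system DNS
    }
    // Opens a CONNECT tunnel through the proxy, then runs TLS over it by host name.
    static SSLSocket connect(String host, int port, InetSocketAddress proxyAddr)
            throws IOException {
        Socket tunnel = new Socket();
        tunnel.connect(proxyAddr, 10_000);
        tunnel.setSoTimeout(10_000);
        String target = host + ":" + port;
        String req = "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n\r\n";
        tunnel.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
        tunnel.getOutputStream().flush();
        InputStream in = tunnel.getInputStream();
        String status = readLine(in);
        if (!status.matches("HTTP/1\\.[01] 2\\d\\d.*")) {
            tunnel.close();
            throw new IOException("proxy refused CONNECT: " + status);
        }
        while (!readLine(in).isEmpty()) { /* skip proxy response headers */ }
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Passing the host as a string: the client never looks it up in DNS.
        SSLSocket ssl = (SSLSocket) factory.createSocket(tunnel, host, port, true);
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // name check against the certificate
        ssl.setSSLParameters(params);
        ssl.startHandshake();
        return ssl;
    }
    // Reads one CRLF-terminated line byte by byte so no TLS bytes are buffered away.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != -1 && c != '\n'; ) if (c != '\r') sb.append((char) c);
        return sb.toString();
    }
    public static void main(String[] args) {
        // Assumed values: port 80 and the host name are placeholders for illustration.
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("10.0.0.172", 80));
        System.out.println(originAddress("mail.example.com", 443, proxy).isUnresolved());
    }
}
```

Running `main` only exercises the address decision and needs no network; `connect` requires a reachable proxy.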
The problem is quite obscure, but I learned a lot from solving it, so I am jotting it down quickly before I forget. Related files:
HttpsConnection.java
OpenSSLSocketImpl.java