Over a million developers have joined DZone.

TLS on Azure with Legacy Android

It turns out that legacy Androids have limited support for modern SSL/TLS features, such as SNI and subject alternative name.

· Cloud Zone

Download the Essential Cloud Buyer’s Guide to learn important factors to consider before selecting a provider as well as buying criteria to help you make the best decision for your infrastructure needs, brought to you in partnership with Internap.

2015-09-08 09_08_05-Webmail

Getting TLS configuration right nowadays can be quite tricky. Google Chrome is aggressively pushing for deprecation of old insecure standards by showing warnings or even errors on sites using deprecated https settings. Using a certificate issued merely two years ago, with the standards where common then now shows an error because the SHA-1 algorithm is not considered to be safe for the two remaining years of the lifetime of the certificate. The Google Chrome team is definitely pushing hard for moving web cryptography to safer grounds.

On the other end of the scale (no, I won’t be complaining about Windows XP, it’s not that much of a problem any more) is another Google product: Android. Even with the blazingly fast technology development, people are (IMHO rightfully) expecting a multi €100-device to last for more than a few years. That means that a lot of devices out there are still running Android 2.X. In this particular project, the target audience are not that tech-savvy. A lot of the users even have had to invest in their first smart phone, making their call-and-sms-only phones to history. With that audience, we had to support those old devices. On the other hand SSL warnings or errors in Chrome was unacceptable, so we had to find something that worked for all those platforms – and we did. Oh and by the way, the budget was really, really tight, so we had to find something that wasn’t too expensive.

The Constraints

To work both we Chrome and legacy Android, we had to find a solution that fit within the constraints set by the platform.

  • IP-based SSL, there is no working SNI (Server Name Indication) support in legacy Android.
  • Certificate issued to main name of the site, Android doesn’t look in subject alternative name field.
  • Certificate signature should use SHA256.

The Setup

screenshot_1980-01-10_0249The project is running on an Azure standard site, using the build in TLS support. The certificate is a free one fromStartSSL. When we first tried, we got stuck with certificate warnings on the legacy phones.

These are the steps we took to make it work.

  1. Set up the Azure site with IP based TLS.
  2. Made sure the DNS points to the IP address assigned for TLS. At first it used the CNAME and that didn’t work (although I think Azure might have fixed that now, the Azure DNS records looks a bit different than when we did this setup.
  3. We wanted a site name without www. When issuing a certificate at StartSSL a subdomain must be given. The certificate is then issued to that subdomain.example.com with a subject alternative name of example.com. To work around that and get a certificate for the bare domain a single . can be entered in the subdomain field.

The Cloud Zone is brought to you in partnership with Internap. Read Bare-Metal Cloud 101 to learn about bare-metal cloud and how it has emerged as a way to complement virtualized services.


Published at DZone with permission of Anders Abel, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}