In the implementation they say that you need to write this...

Protocol stricthttps = new Protocol("https", new StrictSSLProtocolSocketFactory(true), 443);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("hostname", 443, stricthttps);

Now this Factory implementation stops the man-in-the-middle attack... by
verifying the hostname... TRUE passed in its constructor.
But doesn't it mean that it should also call this class's createSocket()
method? Because that method has the method verifyHostName(), which should
be called so that the hostname is verified?
When SSL connections are tunnelled through a proxy, there is
first a plain HTTP connection to the proxy. That's what you've
made to work now. Subsequently, a tunnel to the target is
established, and the SSL connection with protocol "https"
is layered on top of that. You don't have to verify a hostname
for the connection to the proxy.
By implementing the above code I see that the createSocket() method of the
StrictSSLProtocolSocketFactory class doesn't get called. Why is that? Or am
I missing something here?
Have a look at HttpConnection.tunnelCreated, that's where
the SSL connection is layered on top of the tunnel.
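
The sequence described in the replies above, as an added example that is not part of the original thread: a plain connection to the proxy with no hostname check, then TLS layered on the tunnel with the certificate checked against the target host. It uses plain JSSE rather than the HttpClient classes discussed; the class and method names are hypothetical and the proxy and target are supplied by the caller.

```java
import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TunnelHostnameCheck {
    // Plain HTTP to the proxy: send CONNECT and read the response headers.
    // No hostname is verified here; this leg is not TLS.
    static Socket openTunnel(String proxy, int proxyPort, String host, int port) throws IOException {
        Socket s = new Socket(proxy, proxyPort);
        String req = "CONNECT " + host + ":" + port + " HTTP/1.1\r\nHost: " + host + ":" + port + "\r\n\r\n";
        s.getOutputStream().write(req.getBytes(StandardCharsets.US_ASCII));
        StringBuilder head = new StringBuilder();
        for (int c; head.indexOf("\r\n\r\n") < 0 && (c = s.getInputStream().read()) >= 0; ) head.append((char) c);
        if (!head.toString().matches("(?s)HTTP/1\\.[01] 2\\d\\d.*")) {
            s.close();
            throw new IOException("proxy refused CONNECT");
        }
        return s;
    }

    // TLS layered on the tunnel: the certificate must match the target host,
    // so endpoint identification is switched on before the handshake.
    static SSLSocket layerTls(Socket tunnel, String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) f.createSocket(tunnel, host, port, true);
        try {
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(p);
            ssl.startHandshake(); // throws SSLHandshakeException on a name mismatch
            return ssl;
        } catch (IOException e) {
            ssl.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // args: proxyHost proxyPort targetHost (all supplied by the caller)
        try (SSLSocket s = layerTls(openTunnel(args[0], Integer.parseInt(args[1]), args[2], 443), args[2], 443)) {
            System.out.println("verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```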