SSL Certificate without host name in it

java certificate x509certificate keytool
10,903

Solution 1

SSL has, as part of it's requirements, validation that the certificate CN matches the hostname that you're connecting to. If the CN doesn't match, then the browser will assume that you're connecting to the wrong host and object.

There is no way around this.

Solution 2

I agree with the other posters: if you are using SSL, you almost certainly want hostname verification as part of the SSL security feature set.

That said, depending on the client you are using, there may very well be a way around this issue. Engineers will circumvent hostname verification in test environments, for debugging, prototyping, etc. If you are using a Java client which connects via HttpsURLConnection, it would be as simple as adding the following to your client class:

static {
    HttpsURLConnection.setDefaultHostnameVerifier( 
        new HostnameVerifier(){
            public boolean verify(String string,SSLSession ssls) {
            return true;
        }
    });
}

Solution 3

The standard logic is: If you don't need to protect your data, don't use SSL. If you do need to protect it, then you need to know what host you are connecting to. There should be no inbetween.

However in some internal environments, you might have enough control of the network and config to not be worried.

If you are in the latter case, then the solution depends on the client libraries you are using. If you are using HTTP Client, then read the SSL config guide. It may be that you don't need to implement your own SecureProtocolSocketFactory and can just use EasySSLProtocolSocketFactory.

Share:
10,903
sinuhepop
Author by

sinuhepop

Software developer. [email protected]

Updated on June 04, 2022

Comments

  • sinuhepop
    sinuhepop about 2 years

    I have implemented a web service with server and client authentication using keytool. The problem is that this authentication doesn't work if I don't include the name of the host in it. For example:

    keytool -genkey -alias myAlias -keyalg RSA -keypass myPassword -storepass myPassword -keystore my.keystore -dname "CN=myhost"

    But I don't need and I don't like validation by host or by IP. Is there any way of avoiding it?

    Thanks.

  • Bruno
    Bruno over 12 years
    It's not strictly an SSL/TLS requirement (it's not in the SSL/TLS specification). It is however in RFC 2818 (HTTPS) and generalised to other protocols using SSL/TLS with X.509 certificates (i.e. most frequent usage pattern) in RFC 6125 (more recent than this answer). Using the Subject Alternative Name extension is also preferred to using a CN RDN of the Subject Distinguished Name.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

java.security.cert.CertificateParsingException
java.io.IOException: Short read of DER length
generate key and certificate using keytool
Keytool create a trusted self signed certificate
Error while Importing public certificate to a keystore
keytool -genkey error: Keystore file does not exist
How to create a X509 certificate using Java?
keytool : Certificate import gives error message - Keystore was tampered with, or password was incorrect
Keytool set hostname
How to add certificate chain to keystore?