Reputation: 4003
How is it possible that I get an IOException: hostname was not verified
after I have successfully inserted my certificate, and use it as part of OKHttp's SSLFactory instance? I know that this is a common issue with self-signed certificates, but only if the name on the server does not match the name on the certificate. In my case, the exception message shows me the address, and then the CN, and they DO match perfectly.
I solved the issue temporarily by providing a super-permissive host verifier:
this.client.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Accepts every peer name, i.e. hostname verification is effectively disabled.
        //TODO: Make this more restrictive
        return true;
    }
});
but it still feels weird. Can you perhaps tell me what could be causing this issue? Or, at least, what would be a more restrictive handler in your opinion? I guess, one that tries to extract the hostname from the session, and compare it with the hostname param.
Update: Here is the stack trace, as requested. For privacy reasons, I could not disclose any of the data, but keep in mind that the hostname IP and the CN match 1:1.
java.io.IOException: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha1/xxxxxxxxxxxxxxxxxxxxxxxxx=
DN: xxx.xxx.xxx.xxx.xxx.xxx.xxx=#xxxxxxxxxxxxxxxxxxxxxxxxxxxxx,CN=xxx.xxx.xxx.xxx,OU=xxxxxx,O=xxxxxx,L=xxxxxx,ST=xxxxxx,C=xx
subjectAltNames: []
at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:260)
at com.squareup.okhttp.Connection.connect(Connection.java:158)
at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:174)
at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:120)
at com.squareup.okhttp.internal.http.RouteSelector.next(RouteSelector.java:131)
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:312)
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:235)
at com.squareup.okhttp.Call.getResponse(Call.java:262)
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:219)
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:192)
at com.squareup.okhttp.Call.execute(Call.java:79)
Upvotes: 3
Views: 2356
Reputation: 123405
Hostname xxx.xxx.xxx.xxx not verified
It looks like you are connecting to an IP address. The matching behavior for IPs differs between implementations, but the check as defined for RFC2818 (https) requires the IP address to be in the subject alternative name section (RFC2818, page 4):
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
The actual behavior differs between implementations. Some accept the IP as CN, others not. Some implement the correct behavior of requiring the IP as type iPAddress, while others expect it as type dNSName. So you'd better put it as CN and additionally in the subject alternative names section as iPAddress and dNSName :(
Upvotes: 2
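The question asks for a "more restrictive handler" and the answer explains the RFC 2818 rule that an IP literal in the URL must match an iPAddress subjectAltName, with the CN only consulted as a lenient fallback. The following verifier is an added example that ties the two together; it is not code from the asker, the answerer or OkHttp. The class name StrictHostnameVerifier, the `cnFallback` switch and the sample names and addresses in `main` are all assumptions made for the example; the SAN entry shapes (`[Integer type, String value]`, with 2 = dNSName and 7 = iPAddress) are what `X509Certificate.getSubjectAlternativeNames()` actually returns.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * RFC 2818-style verifier (example code, not part of OkHttp):
 *  - an IP literal in the URL must equal an iPAddress SAN entry,
 *  - a DNS name must match a dNSName SAN entry (wildcard only in the left-most label),
 *  - the CN is consulted only when the certificate has no SAN extension at all,
 *    and only if cnFallback is enabled (the lenient behavior some stacks implement).
 */
public class StrictHostnameVerifier implements HostnameVerifier {
    static final int SAN_DNS = 2;  // GeneralName tags used by getSubjectAlternativeNames()
    static final int SAN_IP = 7;
    private final boolean cnFallback;

    public StrictHostnameVerifier(boolean cnFallback) { this.cnFallback = cnFallback; }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            X509Certificate leaf = (X509Certificate) chain[0];
            // getSubjectAlternativeNames() is null when the extension is absent
            return matches(hostname, leaf.getSubjectAlternativeNames(), commonName(leaf), cnFallback);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;
        }
    }

    /** Pure matching logic, kept apart from SSLSession so it can run without a live TLS peer. */
    static boolean matches(String hostname, Collection<List<?>> sans, String cn, boolean cnFallback) {
        boolean ipRequest = isIpLiteral(hostname);
        if (sans != null && !sans.isEmpty()) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (!(san.get(1) instanceof String)) continue;  // otherName etc. arrive as byte[]
                String value = (String) san.get(1);
                if (ipRequest && type == SAN_IP && sameIp(hostname, value)) return true;
                if (!ipRequest && type == SAN_DNS && dnsMatches(hostname, value)) return true;
            }
            return false;  // a SAN extension exists: per RFC 2818 the CN is then not consulted
        }
        if (!cnFallback || cn == null) return false;
        return ipRequest ? sameIp(hostname, cn) : dnsMatches(hostname, cn);  // lenient mode only
    }

    static boolean isIpLiteral(String host) {
        String octet = "(25[0-5]|2[0-4]\\d|1?\\d?\\d)";
        return host.matches("(" + octet + "\\.){3}" + octet) || host.contains(":");
    }

    /** Compare IP literals by address bytes so "::1" and "0:0:0:0:0:0:0:1" agree. */
    static boolean sameIp(String a, String b) {
        if (!isIpLiteral(a) || !isIpLiteral(b)) return false;
        try {
            // Brackets make getByName() fail instead of resolving a malformed IPv6 string via DNS.
            InetAddress x = InetAddress.getByName(a.contains(":") ? "[" + a + "]" : a);
            InetAddress y = InetAddress.getByName(b.contains(":") ? "[" + b + "]" : b);
            return x.equals(y);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    static boolean dnsMatches(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);  // "*.example.com" -> ".example.com"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");  // exactly one left-most label
    }

    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException ignored) { }
        return null;
    }

    // Stand-alone demo with constructed SAN lists (same shape as getSubjectAlternativeNames()).
    public static void main(String[] args) {
        List<List<?>> noSan = new ArrayList<>();
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(SAN_IP, "10.0.0.5"));
        sans.add(Arrays.asList(SAN_DNS, "*.internal.example"));
        // The situation in the question: CN holds the IP, SAN list is empty.
        System.out.println(matches("10.0.0.5", noSan, "10.0.0.5", false));        // false (strict)
        System.out.println(matches("10.0.0.5", noSan, "10.0.0.5", true));         // true (CN fallback)
        System.out.println(matches("10.0.0.5", sans, "10.0.0.5", false));         // true (iPAddress SAN)
        System.out.println(matches("api.internal.example", sans, null, false));   // true (wildcard)
        System.out.println(matches("a.b.internal.example", sans, null, false));   // false (one label only)
    }
}
```

With the OkHttp API shown in the question this is installed with `client.setHostnameVerifier(new StrictHostnameVerifier(false))`. The first `main` line reproduces the failure in the stack trace: a certificate whose CN is the IP but whose subjectAltNames list is empty is rejected in strict mode, which is why the real fix is the one the answer gives, reissuing the certificate with the address as an iPAddress SAN (and a dNSName copy for stacks that expect that type). Passing `true` enables the CN fallback that some implementations apply; it is still far narrower than `return true`, but it is a policy choice rather than what RFC 2818 specifies. Note also that a HostnameVerifier only checks the name: chain validation against the inserted certificate is still the job of the SSLSocketFactory's trust manager.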