Virtually not a Blog
Java based apps, SSL and ip addresses
The default HostnameVerifier, a component of Java security, does not allow the use of IP addresses in place of the hostname. If you’re a developer, you can override this behavior in your application. For administrators, however, this can be problematic.
The error message looks like this:
Exception : java.io.IOException: HTTPS hostname wrong: should be 192.168.1.2
This can happen even if you have properly imported the certificate into the keystore on the client. Often, what adds to the confusion is that a browser will report that the hostname information is correct (example below).
Monday, August 3, 2009
The recipe for overcoming this issue is as follows:
1.) Ensure that the certificate on the server uses a hostname as the Common Name (CN=).
If you’re using keytool to create a self-signed certificate, the hostname exampleHost would be specified as follows:
keytool -genkeypair -alias example -keyalg RSA -keysize 2048 -dname "CN=exampleHost, OU=Department, O=Company, L=Somewhere, S=Somestate, C=US, EMAILADDRESS=admin@localhost" -validity 365 -storepass password -keypass password
2.) Use this exact hostname in the URL. For example...
https://exampleHost/someService
3.) Make sure the hostname properly resolves to the IP address of the server. A quick and dirty way to do this (especially with unqualified hostnames as in the example) is to place an entry in the hosts file. Example below...
192.168.1.2 exampleHost
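
The developer-side override mentioned at the top of this post, as an added example (not code from the original post): a HostnameVerifier that accepts an IP address in the URL only when that IP is explicitly pinned to the hostname in the certificate's CN, and rejects everything else. The class name PinnedIpVerifier, the PINNED map and the matches helper are hypothetical, and the sample DN strings are constructed.

```java
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class PinnedIpVerifier implements HostnameVerifier {
    // Constructed sample mapping: IP used in the URL -> hostname the certificate must carry.
    private static final Map<String, String> PINNED = Map.of("192.168.1.2", "exampleHost");

    // Pure check: urlHost must be a pinned IP and the first CN found in the subject must equal its name.
    static boolean matches(String urlHost, String subjectDn) {
        String expected = PINNED.get(urlHost);
        if (expected == null) return false; // anything not pinned is rejected
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return expected.equalsIgnoreCase(rdn.getValue().toString());
                }
            }
        } catch (InvalidNameException e) {
            // A subject that cannot be parsed is treated as a mismatch.
        }
        return false;
    }

    // HttpsURLConnection calls this only after its built-in hostname check has failed;
    // certificate chain validation against the truststore is unaffected.
    @Override
    public boolean verify(String urlHost, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return matches(urlHost, leaf.getSubjectX500Principal().getName());
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        HttpsURLConnection.setDefaultHostnameVerifier(new PinnedIpVerifier());
        String dn = "CN=exampleHost,OU=Department,O=Company,L=Somewhere,ST=Somestate,C=US"; // constructed
        System.out.println(matches("192.168.1.2", dn));                       // pinned IP, CN matches
        System.out.println(matches("192.168.1.3", dn));                       // IP not in the pin map
        System.out.println(matches("192.168.1.2", "CN=otherHost,O=Company")); // pinned IP, wrong CN
    }
}
```

The verifier narrows the exception to one known server instead of returning true for every host, which would disable hostname checking altogether.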