SSL exception: "No subject alternative names matching IP address ..." & "No name
When you want to establish an SSL connection like this;
HttpsClient first uses HostnameChecker to check the hostname against the names specified in the certificate. If that check fails, HostnameVerifier gets its turn to verify the host name. As mentioned above, unless it is overridden, Sun's default behaviour is to return false for this verification. This means that if HostnameChecker fails, you will get one of the exceptions in the title, depending on the type of hostname in your URL.
So, what can be done to "not-fail" HostnameChecker?
The implementation of the HostnameChecker#match method looks like this:

    // sun.security.util.HostnameChecker
    public void match(String hostName, X509Certificate x509certificate) throws CertificateException {
        if (isIpAddress(hostName)) {
            // IP literal: matched against subject alternative names only
            matchIP(hostName, x509certificate);
        } else {
            // DNS name: matched against subject alternative names, then CommonName
            matchDNS(hostName, x509certificate);
        }
    }

If the incoming hostname is an IP address, the matchIP method searches for it in the available subject alternative names and throws CertificateException("No subject alternative names matching IP address ...") if no matching IP value is found.
On the other hand, if the incoming hostname is a DNS name, the matchDNS method searches for it in the available subject alternative names but, unlike the IP matching algorithm, DNS matching will also compare the hostname with the CommonName value from the certificate, if available. If neither matches the hostname, a CertificateException("No name matching ... found") is thrown.
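
A simplified model of the matchIP/matchDNS decision described above, as an added example (not JDK source and not code from the original post). It takes SAN entries in the shape returned by X509Certificate.getSubjectAlternativeNames(); the class and helper names, the exact-match comparison (no wildcards) and the sample names and addresses are assumptions. It goes slightly beyond the text by following RFC 2818, where the CN is consulted only when the certificate has no dNSName SAN.

```java
import java.util.Collection;
import java.util.List;

// Added illustration, not JDK source: models which certificate names are consulted.
public class SanMatchDemo {
    static final int ALTNAME_DNS = 2, ALTNAME_IP = 7; // SAN type keys (dNSName, iPAddress)

    // Simplified literal test (assumption): dotted IPv4, or anything with ':' as IPv6.
    static boolean isIpAddress(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // Hypothetical helper: builds one [type, value] SAN entry.
    static List<?> san(int type, String value) { return List.of(type, value); }

    // sans: entries of [Integer type, String value]; null when the extension is absent.
    static String check(String host, Collection<List<?>> sans, String cn) {
        int wanted = isIpAddress(host) ? ALTNAME_IP : ALTNAME_DNS;
        boolean sawDns = false;
        for (List<?> entry : sans == null ? List.<List<?>>of() : sans) {
            int type = (Integer) entry.get(0);
            if (type == ALTNAME_DNS) sawDns = true;
            if (type == wanted && host.equalsIgnoreCase((String) entry.get(1))) {
                return "OK (SAN type " + type + ")";
            }
        }
        if (wanted == ALTNAME_IP) { // the CN is never consulted for an IP literal
            return "FAIL: No subject alternative names matching IP address " + host;
        }
        // RFC 2818: the CN is a fallback only when no dNSName SAN is present.
        if (!sawDns && cn != null && host.equalsIgnoreCase(cn)) {
            return "OK (CN fallback)";
        }
        return sawDns ? "FAIL: dNSName SAN present, none matches " + host + " (CN ignored)"
                      : "FAIL: No name matching " + host + " found";
    }

    public static void main(String[] args) {
        // Constructed sample data using documentation names and addresses.
        Collection<List<?>> dnsOnly = List.of(san(2, "app.example.test"));
        Collection<List<?>> dnsAndIp = List.of(san(2, "app.example.test"), san(7, "192.0.2.10"));
        System.out.println(check("192.0.2.10", dnsOnly, "192.0.2.10"));
        System.out.println(check("192.0.2.10", dnsAndIp, "app.example.test"));
        System.out.println(check("app.example.test", dnsOnly, null));
        System.out.println(check("legacy.example.test", null, "legacy.example.test"));
        System.out.println(check("other.example.test", dnsOnly, "other.example.test"));
    }
}
```

To inspect a real certificate the same way, pass the result of getSubjectAlternativeNames() and the subject CN to check() before changing any verifier settings.
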
What we can conclude from these details is:

- If you'd like to connect using an IP address as the hostname, your certificate should include that IP value as a subject alternative name value (of type IPAddress : key=7).
- If you'd like to connect using a DNS name as the hostname, your certificate should either include that DNS name as a subject alternative name value (of type DNS : key=2) or as a CommonName (CN) value.

Hope it helps...