Java's SSL library performs hostname verification by default as part of certificate validation.
Remember that SSL/TLS has two mandates:
- Ensure that the client is talking to the server it should be talking to (IDENTITY)
- Communication between client and server is secure (SECURITY)
So IDENTITY validation is an important aspect of the SSL handshake. Java provides the HostnameVerifier interface to check that the hostname in the server certificate matches the host the client is contacting.
There might be a situation where you want to override hostname verification in your SSL handshake. This is handy when the service doesn't have a hostname, i.e. it is addressed by IP, such as https://10.20.30.40:8080/customService
In this case, the server certificate will not have the IP address as its verified host name.
To override this verification, we can return true from a custom implementation of HostnameVerifier, as shown below.
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // The default verifier could be consulted instead:
        // HostnameVerifier hv =
        //     HttpsURLConnection.getDefaultHostnameVerifier();
        // return hv.verify("hostname", session);
        return true; // accept any hostname (skips the IDENTITY check)
    }
};
clientLibrary.setHostnameVerifier(hostnameVerifier);
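Returning true unconditionally removes the IDENTITY mandate described above for every connection that goes through this verifier, not just the one IP-addressed service. A narrower override, added here as an example (this is not code from the original post), is to accept only an explicit allow-list of IP addresses, and even then only when the server certificate actually lists that IP in a SubjectAlternativeName entry (X.509 certificates may carry an iPAddress SAN, general-name type 7). Every other hostname is passed to the JDK's default verifier. The class name PinnedIpHostnameVerifier and the allow-list are assumptions; the `clientLibrary.setHostnameVerifier` call is the one the post uses, so the usage line assumes that library accepts any javax.net.ssl.HostnameVerifier.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical verifier (not part of the original post): accepts a connection
 * to an allow-listed IP address only if the server certificate lists that IP
 * as a SubjectAlternativeName; everything else goes to the default verifier.
 */
public final class PinnedIpHostnameVerifier implements HostnameVerifier {
    // GeneralName tag for iPAddress in a SubjectAlternativeName extension
    private static final int SAN_TYPE_IP_ADDRESS = 7;

    private final Set<String> allowedIps;
    private final HostnameVerifier fallback =
            HttpsURLConnection.getDefaultHostnameVerifier();

    public PinnedIpHostnameVerifier(Set<String> allowedIps) {
        this.allowedIps = Set.copyOf(allowedIps);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!allowedIps.contains(hostname)) {
            // Ordinary DNS names keep the JDK's normal hostname check
            return fallback.verify(hostname, session);
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            // Leaf certificate must bind the IP we are connecting to
            return certificateListsIp((X509Certificate) chain[0], hostname);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // no verified peer identity: refuse rather than guess
        }
    }

    /** True if the certificate has an iPAddress SAN equal to the given IP. */
    static boolean certificateListsIp(X509Certificate cert, String ip)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            // Each entry is [Integer type, value]; IP values are plain strings
            if (Integer.valueOf(SAN_TYPE_IP_ADDRESS).equals(san.get(0))
                    && ip.equals(san.get(1))) {
                return true;
            }
        }
        return false;
    }
}

// Usage (assumed client library from the post):
// clientLibrary.setHostnameVerifier(
//         new PinnedIpHostnameVerifier(Set.of("10.20.30.40")));
```

With this in place, a certificate issued for 10.20.30.40 is accepted at that address, while a certificate for some other host presented at the same address, or any certificate at a non-allow-listed name that fails the default check, is rejected.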
If you want to see a sample certificate, check out this link.