
I am writing a distributed application that will be sold to multiple customers and hosted on premise. This application operates as a distributed system where many of the same applications communicate with each other over HTTPS as RESTful services.

Knowing I have no control over the IP address or domain name these applications use, I still need a default TLS certificate that ships with the app (it is overridable to meet security compliance).

I can specify a wildcard name for my CN field in openssl as *, but when a node tries to reach another node, the cert doesn't match the IP address it is hosted on.

The Python requests library gives an error: WARNING:urllib3.connection:Certificate did not match expected hostname: 192.168.1.150.

  • I am not asking about the above error; this is just to describe my problem.

Example

HostA: 192.168.1.150:5000

HostB: 192.168.1.151:5000

Cert CN: *

HostB -> HostA: doesn't work because the cert doesn't specify 192.168.1.150 as an address.

Is there a proper way to handle this? I know some routers ship with default certs but they have control over their host address.

1 Answer

You can certainly ship a default TLS certificate. What you can't do is make it not throw security warnings. It's up to the end user to replace the certs if this is an issue for them, and it's up to the developer of the product to make that as convenient as possible.

Michael Hampton
  • That is what I am starting to understand. I generated a wildcard cert for my lab's network and distributed the cert to each node. This works for my setup but wouldn't for someone else's. I've added a feature to allow the end user to change the cert and also a setting to override HTTPS with HTTP. Thank you! – Stephen Collins Jan 25 '21 at 05:09
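The matching rule behind the urllib3 warning in the question, as an added example that is not part of the question, the answer or the comment: a stdlib-only Python re-implementation of how a client checks a peer certificate against an IP literal or a DNS name. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the IP SAN values are the two lab hosts from the question, while `myapp-node` and `myapp.local` are assumed names.

```python
import ipaddress

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
WILDCARD_CN_CERT = {  # the "CN = *" certificate from the question, no SAN extension
    "subject": ((("commonName", "*"),),),
    "subjectAltName": (),
}
IP_SAN_CERT = {  # what a shipped default cert for the two lab nodes needs instead
    "subject": ((("commonName", "myapp-node"),),),  # assumed CN
    "subjectAltName": (
        ("IP Address", "192.168.1.150"),
        ("IP Address", "192.168.1.151"),
        ("DNS", "myapp.local"),  # assumed DNS name
    ),
}

def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS matching, simplified: '*' must be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels, host_labels = pattern.split("."), hostname.split(".")
    # A bare '*' or a wildcard anywhere but the leftmost label never matches.
    if len(labels) < 2 or labels[0] != "*" or any("*" in l for l in labels[1:]):
        return False
    # '*' covers exactly one label: same label count, identical tail.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def cert_matches_host(cert, host):
    """True if `host` (IP literal or DNS name) is covered by `cert`.

    Same rule browsers and urllib3 apply: an IP literal must appear as an
    'IP Address' SAN and is never compared with the CN or DNS SANs; a DNS
    name must match a 'DNS' SAN, with the subject CN consulted only when
    the certificate carries no DNS SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:  # legacy CN fallback
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(name, host) for name in names)
```

With these rules, `cert_matches_host(WILDCARD_CN_CERT, "192.168.1.150")` is False (the CN is never consulted for an IP literal, and a bare `*` is rejected even for DNS names), while `cert_matches_host(IP_SAN_CERT, "192.168.1.150")` is True; a node at any address not listed as an IP SAN still fails, which is why the answer says a shipped default cert cannot avoid the warning on an unknown network.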