
We are using Play 2.5 + Scala and need to use SSL to connect to remote client using https.

The issue is the certificate that we got from client has CN something like api.*.*.*.net

but the actual URL we are trying to hit contains an IP Address : https://123.234.34.56/service/resource/operation...

Since the common name in the certificate and the hostname (IP address) in the URL do not match, we are seeing the below error.

SSLHandshakeException: No subject alternative names present

So I tried to implement HostnameVerifier as shown below in Scala, but this code is not being picked up by Play or Netty

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    // Global JSSE default: only HttpsURLConnection consults this verifier
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            // custom logic here to match hostname and IpAddress
            return true;
        }
    });

I have no idea why Play/Netty is not picking it up during runtime, but we are hitting the remote client using Play WS :

import play.api.libs.ws.WS 
WS.url(url).get()...

I am also thinking of trying the solution mentioned here: Netty SSL hostname verification support

but not sure if I need to implement a ChannelFactory as per the above link as shown here http://netty.io/3.10/xref/org/jboss/netty/example/securechat/SecureChatClientPipelineFactory.html

Also I have seen somewhere else in SO posts that:

If the host name in the certificate doesn't resolve to the address, the server is mis-configured. Nevertheless, you should be able to alter your local DNS resolution to point that name to this IP address in your /etc/hosts file (if under Linux, or its Windows equivalent)

I have no idea how to achieve this programmatically in Java/Scala

Any help would be much appreciated!

Thanks

Suresh

SurMan

1 Answer


The "hosts" fix looks like this:

  1. Add a line like the following to your hosts file (instructions for Windows or Linux here)

    123.234.34.56 api.a.b.c.net
    
  2. Now connect to the server using the hostname "api.a.b.c.net", rather than its IP address

  3. Because of the hosts override, your machine will not do a DNS lookup for this name, but will use that IP address. However, the SSL client will be satisfied that the hostname matches the cert and the error should go away.

For the HostnameVerifier fix, you need to follow the instructions in the answer you linked to. The Netty SSL client doesn't use the static global config that you are currently using.

Rich
  • Hi @Rich, thanks for responding. I have no access to the `hosts` file. Is there a way that we can update the hosts file programmatically in Java/Scala? Also I have implemented similar code as shown here `http://docs.jboss.org/netty/3.2/xref/org/jboss/netty/example/securechat/SecureChatClientPipelineFactory.html`, but Netty is not picking up this code during runtime/startup. Thanks – SurMan Jul 24 '17 at 09:47
  • There is no way to update `hosts` from within Java/Scala, it is an O/S configuration task. – Rich Jul 24 '17 at 21:29
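As an added example (not code from the question, the answer, or Play/Netty), here is a Scala `HostnameVerifier` that does the opposite of `return true`: it pins the name the certificate was actually issued for (for example the answer's `api.a.b.c.net`, supplied via configuration) and checks it against the certificate's SAN/CN, so connecting by IP address does not switch verification off for every server the client ever talks to. The class name, the `remote.expected.name` system property and the no-arg wiring are assumptions; Play WS's `play.ws.ssl.hostnameVerifierClass` setting loads such a class, and, as the answer says, the `HttpsURLConnection` global default is not consulted by Netty.

```scala
import java.security.cert.X509Certificate
import javax.net.ssl.{HostnameVerifier, SSLSession}
import scala.collection.JavaConverters._
import scala.util.Try

/** Accepts the peer only if its certificate was issued for `expectedName`,
  * regardless of the host (here an IP address) that appears in the URL. */
final class PinnedNameVerifier(expectedName: String) extends HostnameVerifier {

  // Play WS loads a verifier class through `play.ws.ssl.hostnameVerifierClass`
  // and needs a no-arg constructor. Reading the pinned name from a system
  // property is constructed wiring for this example, not Play's own mechanism.
  def this() = this(sys.props.getOrElse("remote.expected.name", ""))

  private val DnsNameType = 2 // GeneralName type tag for dNSName (RFC 5280)

  override def verify(urlHost: String, session: SSLSession): Boolean = {
    // Never `return true` unconditionally: compare the certificate's names
    // with the pinned name instead of with `urlHost`.
    val certNames = Try(session.getPeerCertificates.head).toOption.collect {
      case x509: X509Certificate => namesOf(x509)
    }
    expectedName.nonEmpty && certNames.exists(_.exists(matches(_, expectedName)))
  }

  /** dNSName SAN entries, plus the subject CN as a legacy fallback. */
  private def namesOf(cert: X509Certificate): Seq[String] = {
    val sans = Option(cert.getSubjectAlternativeNames).map(_.asScala.toSeq).getOrElse(Nil)
      .collect { case entry if entry.get(0) == DnsNameType => entry.get(1).toString }
    // Naive RFC 2253 split; good enough for an unescaped CN such as api.a.b.c.net.
    val cn = cert.getSubjectX500Principal.getName.split(",").collectFirst {
      case attr if attr.trim.startsWith("CN=") => attr.trim.stripPrefix("CN=")
    }
    (sans ++ cn).map(_.toLowerCase)
  }

  /** RFC 6125 style wildcard: `*.a.b.c.net` matches exactly one leading label. */
  private def matches(pattern: String, host: String): Boolean = {
    val h = host.toLowerCase
    if (pattern.startsWith("*.")) {
      val suffix = pattern.drop(1) // ".a.b.c.net"
      h.length > suffix.length && h.endsWith(suffix) &&
        !h.dropRight(suffix.length).contains(".")
    } else pattern == h
  }
}
```

If the certificate's name is the obfuscated `api.*.*.*.net` from the question, this verifier will reject it, which is the correct outcome: multi-label wildcards are not valid identifiers and the client should fail closed rather than accept any certificate.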