
A hostname verifier is useful when an SSL client connects to an application server on a remote host. It ensures that the hostname in the URL to which the client tries to connect matches the hostname in the digital certificate that the server sends back as part of the SSL handshake. Host name verification is performed only by an SSL client.

ERROR — TargetHandler I/O error: Host name verification failed for host : 72.20.5.110 
javax.net.ssl.SSLException: Host name verification failed for host : <host-name> at org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:152) at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:285)

How does WebClient verify the server host name by default, and how can we disable this?

Mark Rotteveel
Cork Kochi
  • Host name isn't validated against the "CN entry in the certificate". It's only validated against [the Subject Alternative Name](https://en.wikipedia.org/wiki/Subject_Alternative_Name) entries on the certificate. – Andrew Henle Jul 21 '21 at 18:04
  • @AndrewHenle From the link you have given to me: "DNS names: this is usually also provided as the Common Name RDN within the Subject field of the main certificate." – Cork Kochi Jul 21 '21 at 21:04
  • And what does the content of the common name have to do with whether or not the CN is used in hostname validation? [Read the authority](https://datatracker.ietf.org/doc/html/rfc6125#section-2.3): "... it is perfectly acceptable for the subject field to be empty, as long as the certificate contains a subject alternative name ("subjectAltName") extension that includes at least one subjectAltName entry ..." – Andrew Henle Jul 21 '21 at 22:13
  • Use of the common name for verification was [deprecated by RFC 2818 at least 21 years ago](https://datatracker.ietf.org/doc/html/rfc2818#section-3.1): "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, **it is deprecated** and Certification Authorities are encouraged to use the dNSName instead." – Andrew Henle Jul 21 '21 at 22:15
  • [RFC 5425 (along with RFC 2818 as quoted above) requires ignoring the CN if a subject alternative name DNS entry is present](https://datatracker.ietf.org/doc/html/rfc5425#section-5.2), and the [CA browser forum requirements state that certificates must have at least one DNS SAN entry](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf) so the CN is effectively irrelevant in server host name verification. If your certificates don't have proper DNS entries as subject alternative names, they ***WILL*** fail host name verification. – Andrew Henle Jul 21 '21 at 22:25
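The following is an added example, not code from the question or from Apache Synapse/httpcore, that shows the matching rules the question and the comment thread describe: an IP literal such as the `72.20.5.110` in the error is compared only against iPAddress SAN entries, a DNS name is compared against dNSName SAN entries (wildcard only as the whole leftmost label), and the CN is consulted only when no dNSName SAN exists and the caller explicitly opts in to the deprecated RFC 2818 fallback. The sample certificates are constructed dictionaries in the shape of Python's `ssl.SSLSocket.getpeercert()` output; the function names are the example's own.

```python
import ipaddress

# Constructed sample certificates (not real ones) in the shape returned by
# ssl.SSLSocket.getpeercert(): "subject" is a tuple of RDNs, each a tuple of
# (attribute, value) pairs; "subjectAltName" is a tuple of (type, value) pairs.
CERT_CN_ONLY_IP = {               # the failing case from the question: IP in CN, no SAN
    "subject": ((("commonName", "72.20.5.110"),),),
}
CERT_WITH_IP_SAN = {              # what the server needs when reached by IP literal
    "subject": ((("commonName", "backend"),),),
    "subjectAltName": (("IP Address", "72.20.5.110"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CERT_SAN_MISMATCH = {             # CN matches but a dNSName SAN is present, so CN is ignored
    "subject": ((("commonName", "api.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
CERT_CN_ONLY_DNS = {              # legacy certificate with no SAN at all
    "subject": ((("commonName", "legacy.example.com"),),),
}


def _names_from_cert(cert):
    """Extract dNSName SANs, iPAddress SANs and the CN from a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns_names, ip_names, cn


def _match_dns(pattern, hostname):
    """RFC 6125 section 6.4.3 style comparison: case-insensitive; a wildcard must be
    the entire leftmost label, needs at least two more labels, and matches one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Rejects partial-label wildcards ("a*.example.com") and over-broad ones ("*.com").
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(host, cert, allow_cn_fallback=False):
    """Return (ok, reason) for the host the client connected to against the server cert."""
    dns_names, ip_names, cn = _names_from_cert(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 2818 section 3.1: an IP literal must match an iPAddress SAN exactly;
        # neither dNSName entries nor the CN are consulted.
        for entry in ip_names:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, "matched iPAddress SAN %s" % entry
            except ValueError:
                continue
        return False, "no iPAddress SAN entry matches %s" % host
    if dns_names:
        # A dNSName SAN is present, so it is the identity; the CN is ignored.
        for entry in dns_names:
            if _match_dns(entry, host):
                return True, "matched dNSName SAN %s" % entry
        return False, "dNSName SAN entries present but none matches; CN ignored"
    if allow_cn_fallback and cn and _match_dns(cn, host):
        return True, "matched CN %s (deprecated fallback, no SAN present)" % cn
    return False, "no SAN entries; CN fallback disabled or CN does not match"


if __name__ == "__main__":
    for host, cert in [("72.20.5.110", CERT_CN_ONLY_IP), ("72.20.5.110", CERT_WITH_IP_SAN),
                       ("api.example.com", CERT_WILDCARD), ("a.b.example.com", CERT_WILDCARD),
                       ("api.example.com", CERT_SAN_MISMATCH)]:
        print(host, verify_hostname(host, cert))
```

The first two sample certificates reproduce the situation in the error above: a certificate whose CN is the IP address still fails when the client connects by IP literal, because only an iPAddress SAN entry counts, and with that entry present the check passes without any change on the client side.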

0 Answers