SSL certificate without a host name in it

I implemented a web service with server and client authentication using keytool. The problem is that this authentication does not work unless I include the host name in it. For instance:

keytool -genkey -alias myAlias -keyalg RSA -keypass myPassword -storepass myPassword -keystore my.keystore -dname "CN=myhost" 

But I don't need this, and I don't like host or IP checking. Is there any way to avoid this?

Thanks.

+4
4 answers

SSL, as part of its requirements, confirms that the certificate's CN matches the host name you are connecting to. If the CN does not match, the browser will assume that you are connecting to the wrong host and object.

There is no way around this.

+8

I agree with the other posters: if you use SSL, you almost certainly want to check the host name as part of the SSL security feature set.

However, depending on the client you are using, there may well be a way to solve this problem. Engineers will bypass hostname verification in test environments for debugging, prototyping, etc. If you use a Java client that connects via HttpsURLConnection, it would be as simple as adding the following to your client class:

    // Imports go at the top of the client class's source file.
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    // Installs a process-wide verifier that accepts every host name (test environments only).
    static {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    }
+3

The point of using SSL / TLS is that the client can be sure that it is connecting to the correct service, and not to some fictitious service that is trying to impersonate the real one. If (presumably) the server certificate does not contain any host identification information, the client cannot tell whether the server it was negotiating with was the correct one.

In fact, you need verification by DNS address, because if you do not verify SSL, it is useless. (Or at least nowhere near as safe as it could be.)

I assume that in theory, you could try to make your client / server connection with channels protected by other means than SSL / TLS. But you will need serious knowledge of security and of Java cryptography.

+2
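The two answers above agree that the client must still be able to tell it reached the intended server. As an added example (not code from any answerer), here is a stricter alternative to a verifier that returns true for the internal deployments the last answer describes: the peer is accepted only when its leaf certificate's SHA-256 fingerprint matches a pinned value, so a certificate with no host name in it still identifies exactly one server. The class name, the pin set and the hex format are assumptions; the pin is the SHA-256 fingerprint that `keytool -list -v` prints for the server's keystore entry, with the colons removed and lower-cased.

```java
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical verifier: instead of trusting any host name, trust only a
 * known server certificate. HttpsURLConnection consults a HostnameVerifier
 * only when the default name check has already failed, so certificates that
 * do carry a matching CN / SAN are still handled by the normal path.
 */
public final class PinnedHostnameVerifier implements HostnameVerifier {
    // Lower-case hex SHA-256 fingerprints of accepted leaf certificates (assumed per deployment).
    private final Set<String> pinnedFingerprints;

    public PinnedHostnameVerifier(Set<String> pinnedFingerprints) {
        this.pinnedFingerprints = pinnedFingerprints;
    }

    // DER-encoded certificate -> "ab12..." (same digest keytool shows, without colons).
    static String sha256Hex(byte[] der) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates(); // leaf certificate first
            return pinnedFingerprints.contains(sha256Hex(chain[0].getEncoded()));
        } catch (Exception e) {
            return false; // unverified peer or encoding problem: fail closed
        }
    }

    // Install per connection rather than as the process-wide default.
    public static void install(HttpsURLConnection conn, Set<String> pins) {
        conn.setHostnameVerifier(new PinnedHostnameVerifier(pins));
    }
}
```

Rotating the server certificate requires updating the pin set, so keep the pins in configuration rather than in code.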

Standard logic: if you do not need to protect your data, do not use SSL. If you need to protect it, you need to know which host you are connected to. There is no middle ground between the two.

However, in some internal environments, you may have enough control over your network and configuration to not worry.

If you are in the latter case, then the decision depends on the client libraries you use. If you are using an HTTP client, read the SSL configuration guide. You may find that you do not need to implement your own SecureProtocolSocketFactory and may just use EasySSLProtocolSocketFactory.

+1

Source: https://habr.com/ru/post/1303545/