SSL Certificate without host name in it

I have implemented a web service with server and client authentication using keytool. The problem is that this authentication doesn't work if I don't include the name of the host in it. For example:

keytool -genkey -alias myAlias -keyalg RSA -keypass myPassword -storepass myPassword -keystore my.keystore -dname "CN=myhost"

But I don't need and I don't like validation by host or by IP. Is there any way of avoiding it?

Thanks.

sinuhepop Avatar asked Mar 09 '10 11:03




2 Answers

SSL has, as part of its requirements, validation that the certificate CN matches the hostname that you're connecting to. If the CN doesn't match, then the browser will assume that you're connecting to the wrong host and object.

There is no way around this.

gorilla Avatar answered Sep 30 '22 14:09



I agree with the other posters: if you are using SSL, you almost certainly want hostname verification as part of the SSL security feature set.

That said, depending on the client you are using, there may very well be a way around this issue. Engineers will circumvent hostname verification in test environments, for debugging, prototyping, etc. If you are using a Java client which connects via HttpsURLConnection, it would be as simple as adding the following to your client class:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// Runs once when the client class is loaded and replaces the JDK default
// verifier for every HttpsURLConnection in the JVM, so a mismatch between
// the URL host and the certificate is never rejected.
static {
    HttpsURLConnection.setDefaultHostnameVerifier(
        new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true; // accept any host/certificate mismatch
            }
        });
}
Hawkeye Parker Avatar answered Sep 30 '22 13:09

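Added example, not code from either answer or from the JDK: because HttpsURLConnection only consults the HostnameVerifier when the URL host does not match the certificate, a verifier that returns true for everything switches the check off entirely. The version below tolerates a mismatch only for an explicit allowlist of test hosts and otherwise rejects; the host 10.0.0.5 and the subject DN CN=myhost are assumed values matching a self-signed keytool certificate like the one in the question (Java 9+ for Map.of).

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.util.Map;

// A HostnameVerifier that accepts a URL-host/certificate mismatch only when
// the pair is on a documented allowlist, instead of returning true for all.
public final class ScopedHostnameVerifier implements HostnameVerifier {

    // Hypothetical test-only mapping: URL host -> the subject DN that the
    // self-signed certificate was generated with (keytool -dname).
    private static final Map<String, String> EXPECTED_PEER =
        Map.of("10.0.0.5", "CN=myhost");

    @Override
    public boolean verify(String urlHost, SSLSession session) {
        try {
            // RFC 2253 form of the peer certificate's subject, e.g. "CN=myhost"
            String peerDn = session.getPeerPrincipal().getName();
            boolean ok = isExpectedPeer(urlHost, peerDn);
            if (!ok) {
                // Surface every rejected mismatch so it can be investigated
                System.err.println("hostname mismatch rejected: url host="
                    + urlHost + " peer=" + peerDn);
            }
            return ok;
        } catch (SSLPeerUnverifiedException e) {
            return false; // no authenticated peer: never accept
        }
    }

    // Pure decision logic, kept separate so it can be tested without a live TLS session.
    static boolean isExpectedPeer(String urlHost, String peerDn) {
        String expected = EXPECTED_PEER.get(urlHost);
        return expected != null && expected.equals(peerDn);
    }

    public static void main(String[] args) {
        HttpsURLConnection.setDefaultHostnameVerifier(new ScopedHostnameVerifier());
        System.out.println(isExpectedPeer("10.0.0.5", "CN=myhost"));
        System.out.println(isExpectedPeer("10.0.0.5", "CN=other"));
        System.out.println(isExpectedPeer("203.0.113.9", "CN=myhost"));
    }
}
```

The allowlist keeps the relaxation scoped to the test hosts it was written for, while the log line makes any other mismatch visible rather than silently accepted.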