The https URL hostname does not match the Common Name (CN) on the server certificate

I am getting the following error

javax.xml.ws.soap.SOAPFaultException: Marshalling Error: The https URL hostname does not match the Common Name (CN) on the server certificate.  To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.

when I try to connect and use the Web Services.

I have added the following lines to cxf.xml, but it still doesn't work.

<http-conf:conduit name="*.http-conduit">
  <!-- deactivate HTTPS URL hostname verification (localhost, etc.)
       WARNING! disableCNCheck="true" should NOT be used in production -->
  <http-conf:tlsClientParameters disableCNCheck="true" />
</http-conf:conduit>

The cxf.xml file is placed under WEB-INF/classes/CxfService.

Kindly let me know what the issue would be.

user1795961 asked Nov 03 '22 12:11


1 Answer

There may be no real issue with this configuration. The host name that you use in the URL to the web service does not match the host name in the certificate, but this might be for a number of legitimate reasons, while still allowing the access to the right data.

SSL provides two kinds of protection.

  1. Privacy: It provides an encrypted channel over which the data passes, so that nobody else can see that data.
  2. Source Assurance: It also provides assurance that you are connected to the site that you asked to be connected to.

You can then see three levels of security:

  • no protections at all
  • encrypted channel so nobody can see your data
  • encrypted channel, as well as assurance that you are connected to the site you expect to.

It is that latter function that you are disabling. The site provides an encrypted certificate that can be decoded to state the DNS name that was used to access the site. If the name you used and the name in the certificate do not match, you get this warning. As you probably know, there are multiple ways to address a server, and the certificate only matches the one DNS name that the certificate is for. Perhaps you are not accessing the service with the correct name? Or possibly you have a "self-signed" service which offers the encrypted channel, but not the source assurance.

The question to ask yourself: are you worried that someone will hack the DNS system and cause your request (by DNS name) to be routed to a server which will then serve up false data in place of the web service you expect? It certainly can happen, and I am not going to say that it never happens, but it is very rare. See more discussion of this.

That is the potential issue: someone may spoof the web service you are calling. The security experts will never recommend a compromise position, but you should assess the value of the data, the likelihood of a spoofed service, and the damage that such a spoofing would cause. If this is a significant problem, then you must use a hostname that matches the certificate, or you must get a certificate that matches the hostname that you use.

AgilePro answered Nov 12 '22 18:11
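The check CXF performs here is ordinary TLS hostname verification: the host in the URL is compared against the certificate's subjectAltName entries (dNSName and iPAddress), with the Common Name consulted only as a legacy fallback when no dNSName is present, and wildcards allowed only as the whole left-most label (RFC 6125 section 6.4.3). The following Python is an added illustration, not part of the answer above or of CXF; the certificate names and hosts in it are constructed, and it lets you see why a URL using `localhost`, an IP address, or an alias not in the SAN fails against a certificate issued for one DNS name.

```python
from __future__ import annotations
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly '*.example.test') against a hostname.
    Case-insensitive; a wildcard must be the entire left-most label and
    matches exactly one label. Partial wildcards ('f*.example.test') and
    '*.tld' are rejected, as most verifiers do."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san: list[tuple[str, str]], cn: str | None = None) -> tuple[bool, str]:
    """Return (matched, reason). `san` holds ("DNS", name) / ("IP Address", addr)
    pairs as listed in the subjectAltName extension; `cn` is the subject CN,
    used only when the certificate carries no dNSName at all (legacy rule)."""
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL only ever matches an iPAddress SAN entry.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        return False, f"no iPAddress SAN for {hostname}"
    dns_names = [v for k, v in san if k == "DNS"]
    for name in dns_names:
        if _dns_label_match(name, hostname):
            return True, f"matched dNSName SAN {name}"
    if not dns_names and cn and _dns_label_match(cn, hostname):
        return True, f"matched CN {cn} (certificate has no dNSName SAN)"
    return False, f"{hostname} not in SAN {dns_names} or CN {cn}"


# Constructed certificate names, as they would appear in the SAN extension and subject.
SAMPLE_SAN = [("DNS", "soap.example.test"), ("DNS", "*.internal.example.test"), ("IP Address", "192.0.2.10")]
SAMPLE_CN = "soap.example.test"


def explain(url_host: str) -> str:
    """Report the verification outcome for a host taken from the service URL."""
    ok, why = hostname_matches(url_host, SAMPLE_SAN, SAMPLE_CN)
    return ("OK: " if ok else "CN/SAN mismatch: ") + why


if __name__ == "__main__":
    for h in ("soap.example.test", "localhost", "192.0.2.10", "api.internal.example.test", "a.b.internal.example.test"):
        print(f"{h} -> {explain(h)}")
```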