Using ip address for common name in server certificate does not work in Android?

I've been investigating this issue and found something interesting. If I use a server keystore which stores a server certificate with the common name set to the real domain to establish a connection with the server, it works fine; however, if I use an IP address for the common name instead, it does not work, but only in a self-made app on an Android device (not in a desktop browser or a browser app on the Android device). Note: I used openssl to create these two certificates/keystores.

And it turns out this exception is "host name not verified".


But the strange thing is that in the browser, on desktop or on the Android device, both are fine.


After investigation I found that we can actually build our own host name verifier which can add an exception for the host name, but how does Android's default verifier work? It must be some code that skips an IP address as common name and returns false.

I checked OkHttp's source code and found the line of code that throws the exception,


but I cannot find the code that customizes the host name verifier.

Can anyone offer me some hints about this?

Thanks~

Update: after debugging in Android Studio, at run time it is actually OkHostnameVerifier.

It checks whether the host name is an IP address; if it is, it checks all the subject alternative names in the certificate, and if a match is found it returns true, otherwise false.

// From OkHttp's OkHostnameVerifier: an IP literal is matched only against
// subject alternative names of type IP (ALT_IPA_NAME); the common name is
// never consulted on this path.
private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
  for (String altName : getSubjectAltNames(certificate, ALT_IPA_NAME)) {
    if (ipAddress.equalsIgnoreCase(altName)) {
      return true;
    }
  }
  return false;
}
994 likes
Qing asked Apr 09 '15 13:04



1 Answer

If I use a server keystore which stores server certificate with common name is real domain for establishing a connection with server it works fine, however if I use ip address instead for the common name it does not work,

That's how it should work. IP addresses have to be given as a subject alternative name of type IP. Unfortunately different browsers handle this in a different way and often contrary to the standard. Some accept IP in common name, others don't. Some expect the address as DNS entry in the subject alternative section instead of an IP entry. To be on the safe side you should therefore use subject alternative names of both types IP and DNS.

we can build our own host name verifier which can add exception to host name

Don't do this. If you ignore the host name then the validation is reduced to just the check of the trust chain, which means any certificate signed by a trusted CA can be used for a transparent man-in-the-middle attack against any other host. Even if you disable the name check only for IP addresses it is still possible to use any valid certificate once the user accesses a site by IP.

138 likes
Steffen Ullrich answered Oct 19 '22 23:10

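The decision rule the question's update describes (IP literal matched only against SAN entries of type IP) and the answer's point about SAN types, as one added worked example. This is not code from the question, from OkHttp, or from the answer: it is a Python re-implementation of the same rule over certificates in the dict shape Python's own ssl.getpeercert() returns. The four certificates and the addresses in them are constructed for the demo. The non-IP branch falls back to the common name only when the certificate carries no DNS SAN at all; that legacy fallback is an assumption about older verifiers (OkHttp's of that era included), not something the page states.

```python
import ipaddress

# Constructed sample certificates (not real) in the dict shape returned by
# ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, 'subjectAltName'
# a tuple of (type, value) pairs. CN-only certificates are what the question
# generated; the SAN variants are what the answer recommends.
CERT_CN_IP_ONLY = {
    "subject": ((("commonName", "192.168.1.10"),),),
    "subjectAltName": (),
}
CERT_SAN_IP = {
    "subject": ((("commonName", "192.168.1.10"),),),
    "subjectAltName": (("IP Address", "192.168.1.10"),),
}
# The address stored as a DNS entry, the variant some browsers accept.
CERT_SAN_DNS_HOLDING_IP = {
    "subject": ((("commonName", "192.168.1.10"),),),
    "subjectAltName": (("DNS", "192.168.1.10"),),
}
# Both SAN types present: works for IP literals and for host names.
CERT_SAN_BOTH = {
    "subject": ((("commonName", "srv.example.test"),),),
    "subjectAltName": (
        ("DNS", "srv.example.test"),
        ("DNS", "*.example.test"),
        ("IP Address", "192.168.1.10"),
        ("IP Address", "fd00::1"),
    ),
}


def _parse_ip(text):
    """Return an ipaddress object for an IP literal, or None for a host name."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _san_values(cert, san_type):
    """All SAN values of one type ('DNS' or 'IP Address')."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == san_type]


def _match_dns(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]              # "*.example.test" -> ".example.test"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    return bool(prefix) and "." not in prefix   # wildcard covers one label only


def verify_hostname(host, cert):
    """Mirror of the verifier rule: IP literals use only IP-type SANs."""
    ip = _parse_ip(host)
    if ip is not None:
        # Same rule as verifyIpAddress(): compare against IP SANs only.
        # Parsing both sides makes "fd00::1" and "FD00:0:0::1" compare equal.
        return any(_parse_ip(alt) == ip for alt in _san_values(cert, "IP Address"))
    dns_names = _san_values(cert, "DNS")
    if dns_names:
        return any(_match_dns(name, host) for name in dns_names)
    # Assumed legacy fallback: CN is consulted only when no DNS SAN exists.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns(value, host)
    return False


def run_demo():
    """Outcome of connecting by IP to each constructed certificate."""
    return {
        "cn_ip_only": verify_hostname("192.168.1.10", CERT_CN_IP_ONLY),
        "san_ip": verify_hostname("192.168.1.10", CERT_SAN_IP),
        "san_dns_holding_ip": verify_hostname("192.168.1.10", CERT_SAN_DNS_HOLDING_IP),
        "san_both": verify_hostname("192.168.1.10", CERT_SAN_BOTH),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:20s} {'verified' if ok else 'host name not verified'}")
```

Only the certificates with an IP-type SAN verify when the app connects by address; the CN-only certificate fails exactly as the question observed, and so does the DNS-entry variant, which is why the answer suggests issuing both types. With openssl that is an x509v3 extension line such as subjectAltName = IP:192.168.1.10, DNS:srv.example.test in the config file used for the request or the self-signed certificate.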