
[Android] CertificateException Error When Sending a C2DM Push from JSP

by 아유카와 2011. 6. 30.
Reposted from: http://jafag.blogspot.com/2008/12/java-ssl-no-subject-alternative-matched.html


Java SSL No Subject Alternative Matched

When you try to connect to a server with an untrusted SSL certificate, you might encounter one of the exceptions below:
java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx found
or
java.security.cert.CertificateException: No subject alternative DNS name matching hostname.com found.
The reason is that the certificate's subject alternative value is not set correctly. There are two possible solutions for this scenario:
  • Change the certificate’s subject alternative value
  • Create a customized HostnameVerifier
Change Certificate’s Subject Alternative Value

If you connect to your host using an IP address, you must change the certificate’s subject alternative value to that IP address. Likewise, if you connect using a DNS name, the subject alternative value must match the DNS name.

Create a Customized HostnameVerifier

You just need to create your own HostnameVerifier class, as in the example below:

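// Requires javax.net.ssl.HostnameVerifier and javax.net.ssl.SSLSession.
private static class CustomizedHostnameVerifier implements HostnameVerifier {
    // Accepts every hostname: the name in the certificate is never checked.
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}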


and then apply this class to a single SSL connection:

// Requires java.net.URL and javax.net.ssl.HttpsURLConnection.
HttpsURLConnection connection = (HttpsURLConnection) new URL("https://url").openConnection();
connection.setHostnameVerifier(new CustomizedHostnameVerifier());


or apply it to all SSL connections:

HttpsURLConnection.setDefaultHostnameVerifier(new CustomizedHostnameVerifier());


However, this method poses a security risk because the hostname is no longer verified at all. The server may present another website’s certificate and the program will still accept it.
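A narrower alternative to the accept-everything verifier, as an added example that is not from the original post: it tolerates a name mismatch only for one known host, and only when the server's leaf certificate matches a pinned SHA-256 fingerprint. The names PinnedHostnameVerifier, expectedHost and pinnedSha256 are hypothetical, and the address in the usage comment is a constructed documentation value.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/**
 * HttpsURLConnection calls the HostnameVerifier when its own hostname check
 * against the certificate has failed, so verify() decides whether this
 * particular mismatch is acceptable. Everything not explicitly pinned is refused.
 */
public class PinnedHostnameVerifier implements HostnameVerifier {
    private final String expectedHost;   // the one host or IP we connect to (assumption)
    private final byte[] pinnedSha256;   // SHA-256 of the server's DER-encoded leaf certificate

    public PinnedHostnameVerifier(String expectedHost, byte[] pinnedSha256) {
        this.expectedHost = expectedHost;
        this.pinnedSha256 = pinnedSha256.clone();
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Only the single, known endpoint may bypass the name check.
        if (!expectedHost.equalsIgnoreCase(hostname)) {
            return false;
        }
        try {
            // Index 0 is the peer's own (leaf) certificate.
            Certificate[] chain = session.getPeerCertificates();
            byte[] actual = MessageDigest.getInstance("SHA-256")
                                         .digest(chain[0].getEncoded());
            // Constant-time comparison against the pinned fingerprint.
            return MessageDigest.isEqual(pinnedSha256, actual);
        } catch (IOException | GeneralSecurityException e) {
            // No peer certificate, or it could not be encoded/hashed: fail closed.
            return false;
        }
    }
}

// Usage on a single connection (constructed values):
//   byte[] pin = ...; // 32-byte SHA-256 fingerprint of your server's certificate
//   connection.setHostnameVerifier(new PinnedHostnameVerifier("192.0.2.10", pin));
```

Set it per connection with setHostnameVerifier rather than as the default, so a mismatch on any other host still fails.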