Saturday, March 25, 2017

Overriding hostname verification of HTTPS in Java

Java's HTTPS client (HttpsURLConnection) verifies the server's hostname against its certificate in addition to validating the certificate chain. A raw SSLSocket or SSLEngine does not do this unless you set the endpoint identification algorithm to "HTTPS" through SSLParameters.

Remember that SSL/TLS provides two guarantees:

  • The client is talking to the server it intended to talk to (IDENTITY)
  • Communication between client and server is confidential and tamper-proof (SECURITY)
Identity validation is therefore an essential part of the handshake, and hostname verification is what ties the validated certificate to the server you actually asked for. Java exposes the javax.net.ssl.HostnameVerifier interface for this: HttpsURLConnection first matches the URL's host against the certificate's subjectAltName entries (or, absent any, the CN) and consults the installed HostnameVerifier only when that match fails. The JDK's default verifier simply returns false, so a mismatched connection is refused.

There are situations in which you may want to override hostname verification, typically when the service has no DNS name and is reached by IP address, e.g. https://10.20.30.40:8080/customService

In that case the built-in check passes only if the certificate lists the address as an iPAddress entry in its subjectAltName extension. A certificate that carries just a CN, or only DNS names, will not match the IP address and Java rejects the connection.

To override the check, install a custom HostnameVerifier. The simplest implementation returns true unconditionally, as shown below, but be clear about what that does: the client will then accept any certificate that chains to a trusted CA for any host, so anyone holding a valid certificate for some other name can impersonate the service. The IDENTITY guarantee is gone and only the SECURITY guarantee remains. If you must override, restrict the verifier to the expected address and pin the certificate; if you control the server, the cleaner fix is to reissue the certificate with an IP subjectAltName (keytool -ext SAN=ip:10.20.30.40), after which no override is needed.

import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

// WARNING: this verifier accepts every hostname, so it disables the
// identity check entirely. Use only where the risk has been accepted.
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Delegating to HttpsURLConnection.getDefaultHostnameVerifier() is
        // pointless here: the JDK default always returns false (the real
        // matching runs before the verifier is consulted), so it would
        // simply reject the connection.
        return true;
    }
};

// Install on a single connection (HttpsURLConnection) ...
HttpsURLConnection conn = (HttpsURLConnection) new URL("https://10.20.30.40:8080/customService").openConnection();
conn.setHostnameVerifier(hostnameVerifier);
// ... or on whichever client library you use, e.g. clientLibrary.setHostnameVerifier(hostnameVerifier);
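Below is a narrower verifier, added here as an example and not code from the original post. It accepts the connection only when the requested host is the expected address and the leaf certificate presented in the session matches a pinned SHA-256 fingerprint, so an attacker with some other valid certificate is still rejected. The address 10.20.30.40 is the one from the post; the class name, the zero-filled fingerprint placeholder and the per-connection installation in main are assumptions.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * HostnameVerifier for a service reached by IP address whose certificate
 * carries no matching subjectAltName. Instead of returning true for
 * everything it (1) accepts only the expected address and (2) requires the
 * leaf certificate to match one of a set of pinned SHA-256 fingerprints
 * (lower-case hex of the DER encoding). Example code, not from the post.
 */
public final class PinnedHostnameVerifier implements HostnameVerifier {

    private final String expectedHost;
    private final Set<String> pinnedSha256Hex;

    public PinnedHostnameVerifier(String expectedHost, Set<String> pinnedSha256Hex) {
        this.expectedHost = expectedHost;
        this.pinnedSha256Hex = pinnedSha256Hex;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Check 1: this verifier is bound to one address; never accept an arbitrary host.
        if (!expectedHost.equalsIgnoreCase(hostname)) {
            return false;
        }
        try {
            // Chain validation (trust store, signatures, validity period) has already
            // happened by the time HttpsURLConnection consults the verifier; chain[0] is the leaf.
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            // Check 2: the leaf must be the certificate we expect (pinning).
            String fingerprint = sha256Hex(chain[0].getEncoded());
            return pinnedSha256Hex.contains(fingerprint);
        } catch (SSLPeerUnverifiedException | CertificateEncodingException | NoSuchAlgorithmException e) {
            // Fail closed on any error.
            return false;
        }
    }

    /** Lower-case hex SHA-256 of the bytes; matches `openssl x509 -fingerprint -sha256` without the colons. */
    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder (assumption): replace with the real fingerprint of the service certificate.
        String pinned = "0000000000000000000000000000000000000000000000000000000000000000";
        URL url = new URL("https://10.20.30.40:8080/customService");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection install; HttpsURLConnection.setDefaultHostnameVerifier would apply it process-wide.
        conn.setHostnameVerifier(new PinnedHostnameVerifier("10.20.30.40", Collections.singleton(pinned)));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two points to keep in mind when using this. The HostnameVerifier runs after, not instead of, trust-store validation: if the service uses a self-signed certificate it must still be imported into the client's trust store (or a dedicated TrustManager), and weakening the TrustManager to accept everything would undo the protection this verifier adds. Second, pinning the leaf means the fingerprint set has to be updated whenever the server certificate is rotated; pin a set rather than a single value so the old and new certificates can overlap during a rollover.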

If you want to see a sample certificate, check out this link
