25

I am getting this 'HTTPS hostname wrong:' error when trying to connect to a server using https. My url looks something like this

https://sub.domain.com/tamnode/webapps/app/servlet.

I connect using the following code

    // Create a URLConnection object for a URL
    URL url = new URL(requestedURL);
    HttpURLConnection.setFollowRedirects(false);

    // connect
    connection = (HttpURLConnection) url.openConnection();
    connection.setDoOutput(true);
    connection.setRequestProperty("User-Agent", USER_AGENT); //$NON-NLS-1$

    OutputStreamWriter wr = new OutputStreamWriter(connection
            .getOutputStream());

but then get an error

    IOException: HTTPS hostname wrong:  should be <sub.domain.com>.
        at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing
        ....

This is code which has worked in the past but no longer. There have been some changes to the system architecture but I need to get more data before approaching those responsible.

What can cause this error? Can I turn off the URLSpoofing check?

paul

7 Answers

23

It looks like the SSL certificate for domain.com has been given to sub.domain.com. Or, more likely, what was domain.com has been renamed to sub.domain.com without updating the SSL certificate.

cletus
13

cletus is right about the probable cause.

There is a way to turn off the spoof checking, too.

You can create an object that implements HostnameVerifier that returns true under more circumstances than 'usual'.

You would replace the default HostnameVerifier by calling setHostnameVerifier on the connection object in the code in the question.

This answer was 'inspired by': http://www.java-samples.com/showtutorial.php?tutorialid=211

I found that link with this query: http://www.google.com/search?q=https+hostname+wrong+should+be

One more note: think twice before you do this. You will create an exploitable weakness in the security between your client and server components.

Community
vkraemer
9

I got this exception - java.io.IOException: HTTPS hostname wrong: should be <localhost>.

My solution was to change my self-signed certificate and make the CN=localhost.

OR

Add your certificate domain-name cn=<domain-name> to your hosts file, probably located at c:/windows/system32/drivers/etc/...

Muhammad Imran Tariq
8

The following code resolved my problem

    static {
        //for localhost testing only
        javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
                new javax.net.ssl.HostnameVerifier() {

            @Override
            public boolean verify(String hostname,
                    javax.net.ssl.SSLSession sslSession) {
                if (hostname.equals("your_domain")) {
                    return true;
                }
                return false;
            }
        });
    }

svarog
Jure Males
  • You should not write code 'for testing only'. Inevitably it leaks into production and compromises the security of the system. – user207421 Feb 25 '18 at 22:25
  • See also https://stackoverflow.com/questions/37724901/disable-sslhandshakeexception-for-a-single-connection. I needed to support this for a library that needed to make outbound connections to localhost where the cert used did not match the localhost name. So the code used a HostnameVerifier for a specific call, and only applied the code when a flag -DdevelopmentMode=true exists. – PatS Jan 05 '19 at 01:01
0

Java by default verifies that the certificate CN (Common Name) is the same as the hostname in the URL. If the CN in the certificate is not the same as the host name, your web service client fails with the following exception: java.io.IOException: HTTPS hostname wrong: should be hostname as in the certificates.
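
To gather the data the question asks for without switching verification off, the names a server certificate carries can be listed and compared with the requested host. This is an added example, not code from any answer on this page; the class name `CertNameCheck` and the matching rules (SAN dNSName entries first, CN only when there are none, `*` as a whole leftmost label) are assumptions of the example, following RFC 2818.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class (name chosen for this example).
public class CertNameCheck {
    // dNSName entries (SAN type 2); if there are none, fall back to the subject CN.
    static List<String> namesOf(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null)
            for (List<?> san : sans)
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1));
        if (names.isEmpty())
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
        return names;
    }

    // Case-insensitive match; "*" is honoured only as the whole leftmost label.
    static boolean matches(String host, List<String> names) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String n : names) {
            String p = n.toLowerCase(Locale.ROOT);
            if (p.equals(h)) return true;
            int dot = h.indexOf('.');
            if (p.startsWith("*.") && dot > 0 && h.substring(dot).equals(p.substring(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) { // constructed sample: the mismatch described in the question
            System.out.println("domain.com cert:   " + matches("sub.domain.com", List.of("domain.com")));
            System.out.println("*.domain.com cert: " + matches("sub.domain.com", List.of("*.domain.com")));
            return;
        }
        // The trust chain is still validated; a plain SSLSocket does no hostname check by default.
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(args[0], 443)) {
            s.startHandshake();
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            List<String> names = namesOf(leaf);
            System.out.println("certificate names: " + names + " match=" + matches(args[0], names));
        }
    }
}
```

Run with no arguments it evaluates the constructed sample; run with a host name it connects to port 443 and prints the names in the certificate that host presents.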

0

This is just an alternative to svarog's post

    static {

        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> hostname.equals("domain name"));
    }

jegadeesh
-1

Use host name (dns name) as Alias name.

Ex:

    keytool -import -alias <google.com> -file certificate_one.cer -keystore cacerts

jaykumarark