SSLSocket doesn't perform hostname verification

Question

I use SSLSocket for my android app and according to this post SSLSocket doesn't perform host name verification here

and I didn't see any exception while using IP instead of domain and everything works fine so can I use IP or any other domain for connection?

I have got the cert from letsencrypt for one domain and I wonder that I can use it for any domain or IP with SSLSocket!

SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, nulls, null);
SocketFactory sslsocketfactory = sc.getSocketFactory();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(host, 443);
sslsocket.setSoTimeout(5000);
sslsocket.startHandshake();

m4gic · Answer 1 · 2018-09-05T11:56:12.933

The answer is on your link:

Your app needs to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further, beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.

"I wonder that I can use it for any domain or IP with SSLSocket!"

No, you will not be able to do that, the cert of the connection must be in your client's truststore, and we can expect that the different domains use different certificates :)

Please see this How should I do hostname validation when using JSSE? link.

tnx but I am in android studio ! how do that ? – user4254398 Sep 05 '18 at 10:53 — user4254398, Sep 05 '18 at 10:53

SSLSocket doesn't perform hostname verification

1 Answers1