
When I try to make a request to an API through Java to the IP or the resource https://172.17.14.16, it throws me the following error: "No subject alternative names matching IP address 172.17.14.16 found", but if I deactivate the host verification it works for me. My question is whether there is no problem doing that; I don't know if it can generate security problems so that a third party can exploit it.

    // imports used by this fragment (it sits inside a connection method of the enclosing class)
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.SecureRandom;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;

    URL urlWs = new URL(url);

    // null key managers and null trust managers: the JDK's default certificate validation applies
    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, null, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // url, timeout, header, conexion and metodo are fields/parameters of the enclosing class
    conexion = (HttpURLConnection) urlWs.openConnection();
    this.metodo = "POST";
    this.timeout = timeout;

    init(header);

I do this, and it gives me this problem: "Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 172.17.14.16 found", but when I try this way it works for me:

    // imports used by this fragment
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.security.SecureRandom;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;

    URL urlWs = new URL(url);

    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, null, new SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    HostnameVerifier hostnameVerifier = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            // Perform the hostname verification here
            // You can compare the hostname with the server certificate
            // Return true if it is valid, or false if it is not
            // Returning true unconditionally accepts any certificate name: hostname verification is disabled
            return true;
        }
    };
    // applies process-wide, to every HttpsURLConnection, not just this one
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
    conexion = (HttpURLConnection) urlWs.openConnection();
    this.metodo = "POST";
    this.timeout = timeout;
Xavier
  • When you use a TLS site certificate it has an associated hostname. You aren't using that. Instead you're connecting to an IP address. Thus the certificate can't be validated. Security risks include man in the middle attacks and IP address hijacking. Best of luck! – Elliott Frisch Jun 05 '23 at 15:18
  • Not only is this insecure (impersonation, man in the middle), but you might also access the wrong server configuration. It is very common today that there are multiple "virtual hosts" at the same IP address, and which one is used depends on the hostname sent by the client within the TLS handshake (SNI - server name indication). – Steffen Ullrich Jun 05 '23 at 15:27
  • Then it would tell the client to update the certificate? – Xavier Jun 05 '23 at 15:49
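
The comments above explain the risk of a verifier that returns true: it accepts whatever certificate the other end presents. The preferable fixes are to connect by the hostname the certificate actually names, or to reissue the certificate with an IP subjectAltName; if the URL must carry the IP, the least bad fallback is a verifier that still checks the certificate names the identity you intended to reach. The class below is an added example, not the asker's code: `ExpectedSanVerifier` and the sample identity `api.internal.example` are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Fallback verifier: accepts only if the leaf certificate's subjectAltName lists the identity
// we intended to reach (DNS name, type 2, or IP address, type 7). Cannot be satisfied by "any" cert.
public final class ExpectedSanVerifier implements HostnameVerifier {
    private static final int SAN_DNS = 2, SAN_IP = 7;
    private final String expected; // hypothetical value, e.g. "api.internal.example"

    public ExpectedSanVerifier(String expected) {
        this.expected = expected.toLowerCase(Locale.ROOT);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate
                    && matchesSan((X509Certificate) chain[0], expected);
        } catch (SSLPeerUnverifiedException e) {
            return false; // peer not authenticated: never accept
        }
    }

    // Exact, case-insensitive match; wildcards are deliberately unsupported. The CN is ignored.
    static boolean matchesSan(X509Certificate cert, String expected) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return false; // no SAN extension means no identity to match
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if ((type == SAN_DNS || type == SAN_IP) && san.get(1) instanceof String
                        && ((String) san.get(1)).toLowerCase(Locale.ROOT).equals(expected)) return true;
            }
        } catch (CertificateParsingException e) {
            // unparseable SAN extension: treat as no match
        }
        return false;
    }
}
```

Install it per connection with `((HttpsURLConnection) conn).setHostnameVerifier(new ExpectedSanVerifier("api.internal.example"))` rather than via setDefaultHostnameVerifier; the JDK's own endpoint check still runs first and this verifier is consulted only when that check fails, as it does for an IP URL whose certificate carries only DNS names.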
