4

When using the Apache HttpComponents HttpClient library (4.0.2) I'm having a problem where the certificate doesn't get validated properly. The certificate is valid for the domain name (let's call it example.com) however it's getting validated against the IP address instead:

hostname in certificate didn't match: <123.123.123.123> != <*.example.com>

My code for making the connection is:

    HttpParams httpParams = new BasicHttpParams();
    HttpConnectionParams.setConnectionTimeout(httpParams, 5000);
    HttpConnectionParams.setSoTimeout(httpParams, 5000);
    DefaultHttpClient httpClient = new DefaultHttpClient(httpParams);            
    String url = "https://www.example.com";
    HttpGet get = new HttpGet(url);
    HttpResponse httpResponse = httpClient.execute(get);
    String response = EntityUtils.toString(httpResponse.getEntity()).trim();

The certificate itself shows as valid when connecting through a web browser and is valid for the domain name I'm connecting to:

CN = *.example.com

The certificate is also added to the Java keystore (tested using regular HttpsURLConnection).

Any ideas why this code uses the IP address instead of the domain name?

Colin 't Hart
  • 7,372
  • 3
  • 28
  • 51
James Goodwin
  • 7,360
  • 5
  • 29
  • 41
  • So the domain cannot be resolved to the IP when it comes to SSL. So you can't use an IP certificate to secure a domain. Good to know. Thanks! – Rolf Aug 01 '14 at 12:38

1 Answers1

2

Appears to be a known bug with HttpClient 4.0.2 - https://issues.apache.org/jira/browse/HTTPCLIENT-996 The bug suggests any of the following:

  • Upgrade to version 4.0.3 or newer
  • Downgrade to 4.0.1
  • Use the AllowAllHostnameVerifier
creechy
  • 405
  • 2
  • 3