HTTPS hostname verification...

Similar Messages

• "HTTPS hostname wrong" for a hostname starts with a number

  Does anyone know about why HttpsClient throws the error for a hostname starts with a number. I have no problem with other hostname but only for the hostname starts with a number. The certificate works fine with Browser. I am sure the hostname in the certificate and in the request are exactly the same.
  I know how to skip the hostname verification, but I don't want to do that for security concern.
  Can sun develpoer shed some light how to verify the hostname in HttpsClient?
  java.io.IOException: HTTPS hostname wrong: should be
  <1company.mydomain.com>
  at sun.net.www.protocol.https.HttpsClient.b(DashoA6275)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:574)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
  at java.net.URL.openStream(URL.java:960)
  Thanks
  Al8079

  I looked at the RFCs you mention, and they do seem to indicate that host/domain names cannot start with digits...however if you look at RFC 1123 closely it says:
  RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
  2. GENERAL ISSUES
  This section contains general requirements that may be applicable to
  all application-layer protocols.
  2.1 Host Names and Numbers
  The syntax of a legal Internet host name was specified in RFC-952
  [DNS:4]. One aspect of host name syntax is hereby changed: the
  restriction on the first character is relaxed to allow either a
  letter or a digit. Host software MUST support this more liberal
  syntax.
  Host software MUST handle host names of up to 63 characters and
  SHOULD handle host names of up to 255 characters.

• Failed hostname verification check - even when disabled

  Hello Experts,
  I'm using WLS 923 configured as Admin Server that controls two Managed Servers.
  When i go to "Environment ---> Machines ---> Managed Machine ---> Monitoring ---> Node Manager Status
  It says:
  Status - Inactive
  failed hostname verification check. Certificate contained +v-ebpqadmz1+ but check expected +v-ebpqadmz1.dmzntqa.corp.adija.co.il+
  I've disabled verification check in:
  Servers ---> Managed Server -->SSL ---> Advanced ---> Hostname Verification = NONE
  How come hostname verification check is still being performed ?
  Does anyone knows how can i fix this ?
  Meanwhile i had to edit my hostsfile in order to work around it...
  Regards
  Adi J

  Please add the following parameter in your startup argument.
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Thanks
  Togotutor
  <b><a class="jive-link-external" href="http://www.togotutor.com">http://www.togotutor.com</a> (Learn Programming and Administration for Free)</b>
  Edited by: togotutor on Aug 12, 2010 3:38 PM

• Nodemanager hostname verification failure

  Hi, on some of my machines I installed WL 9.1 on, registry.xml had the fully qualified hostname (this is good), others did not (this is bad). When the admin server tries to connect to the node manager on these machines, I get hostname verification failure because the certificate has the non qual hostname but is expecting fully qual. Simply editing registry.xml to the good value did not fix the issue.
  How does weblogic determine the value that goes in the certificate and in registry.xml?
  Can I force it somehow?
  Can I have it just regenerate the certificate?
  Any help would be appreciated.
  Thanks

  Matthew Sacks <> wrote:
  does anyone know how i might resolve this issue?
  [[NodeManager:300033]Could not execute command ping on the node manager.
  [[Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
  [[Failed to send command: 'ping to server 'null' to NodeManager at host:
  [['10.32.33.2:5555' with exception [Security:090504]Certificate chain
  [[received from 10.32.33.2 - 10.32.33.2 failed hostname verification
  [[check. Certificate contained qa153 but check expected 10.32.33.2.
  [[Please ensure that the NodeManager is active on the target machine].]Hi,
  - If you are using scripts:
  you can use the following options in your
  scripts: -Dweblogic.security.SSL.ignoreHostnameVerification=true
  - If you want to use it from the adminserver:
  Go to the adminserver in the console
  Go to 'SSL'
  Select 'Advanced'
  Set 'Hostname Verification' to 'none'
  And restart the adminserver.
  cheers,
  Bart
  Schelstraete Bart
  [email protected]
  http://www.schelstraete.org

• How to disable hostname verification on iplanet reverse proxy

  I am looking for a way to disable hostname verification of the application server url specified in teh reverse proxy setup.
  I am using the following setting in my Object definitions. It is failing due to the certificate CN is not matching the url I specified
  The error is :
  for host xx.yy.zz.ww trying to GET /uri/loginAction.do, service-http reports: HTTP7758: error sending request (SSL_ERROR_BAD_CERT_DOMAIN: Requested domain name does not match the server's certificate.)
  Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
  My tomcat certificate CN has  aaa.com
  While I am using the tomcat on bbb.com.
  Is there any way to disable hostname verification on a reverproxy setup. I am unable to find any relevant documentation on this.
  The closest discussion I found was https://forums.oracle.com/thread/1943116 but it did not conclude anything.

  Found a solution from Oracle Knowledge base:
  This fixed our issue
  <Object name="reverse-proxy-/abc">
  ObjectType fn="ssl-client-config" validate-server-cert="false"
  Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
  </Object>

• How to disable the certificate hostname verification?

  In JSSE changes file <http://java.sun.com/products/jsse/CHANGES.txt>
  It states the following:
  "It is sometimes useful to "disable" the certificate hostname
  verification during project development. A single certificate can now be shared among many development machines so that the hostnames don't need to match. A bug was fixed in the HttpsURLConnection hostname verifier code that now allows this functionality to work."
  Any idea on how to disable it
  Thanks
  - rayed

  this is easily achieved :
  create your own class (for example 'MyHostNameVerifier' ..) as a subclass of the JSSE HostNameVerifier and overwrite the method :
  public boolean verify(String parm1, String parm2)
  to your special needs. This method implements the verifying of hostnames..
  For your HttpsURLConnection then call
  setHostnameVerifier(new MyHostNameVerifier());
  so the HttpsURLConnection will then use MyHostNameVerifier in order to verify the hostname registered in the certificate.

• Hostname Verification failed for certificate with CommonName 'gawlsdev02.ss

  Hi All,
  I want to know the meaning and the reason of this exception:
  <Jun 17, 2010 2:05:52 PM EDT> <Warning> <Security> <BEA-090504> <Certificate chain received from gawlsdev02 - 147.141.83.104 failed
  hostname verification check. Certificate contained gawlsdev02.ssga.statestr.com but check expected gawlsdev02>
  <Jun 17, 2010 2:05:52 PM EDT> <Debug> <TLS> <000000> <Hostname Verification failed for certificate with CommonName 'gawlsdev02.ssga.
  statestr.com' against hostname: gawlsdev02>
  thanks in advance.

  When Webloigic Server tries to validate the certificate, it compares te CN of the certificate with the hostname from where the request is coming from.
  If they don't match, hostname verfication fails and SSL connection is not established.
  In your case I see the CN is gawlsdev02.ssga.statestr.com whereas WLS is expecting it to be gawlsdev02.
  U can use this option to ignore host name verification
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  To know about other SSL issues, u can refer this
  http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/
  -Faisal

• Nodemanager fails hostname verification check

  does anyone know how i might resolve this issue?
  [[NodeManager:300033]Could not execute command ping on the node manager. Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker: Failed to send command: 'ping to server 'null' to NodeManager at host: '10.32.33.2:5555' with exception [Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 failed hostname verification check. Certificate contained qa153 but check expected 10.32.33.2. Please ensure that the NodeManager is active on the target machine].]

  Matthew Sacks <> wrote:
  does anyone know how i might resolve this issue?
  [[NodeManager:300033]Could not execute command ping on the node manager.
  [[Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
  [[Failed to send command: 'ping to server 'null' to NodeManager at host:
  [['10.32.33.2:5555' with exception [Security:090504]Certificate chain
  [[received from 10.32.33.2 - 10.32.33.2 failed hostname verification
  [[check. Certificate contained qa153 but check expected 10.32.33.2.
  [[Please ensure that the NodeManager is active on the target machine].]Hi,
  - If you are using scripts:
  you can use the following options in your
  scripts: -Dweblogic.security.SSL.ignoreHostnameVerification=true
  - If you want to use it from the adminserver:
  Go to the adminserver in the console
  Go to 'SSL'
  Select 'Advanced'
  Set 'Hostname Verification' to 'none'
  And restart the adminserver.
  cheers,
  Bart
  Schelstraete Bart
  [email protected]
  http://www.schelstraete.org

• Complication if Hostname Verification Ignored enabled?

  Currently we are testing our application. The application need to
  connect to a remote system through an SSL connection. However,
  without the 'Hostname Verification Ignored' enabled, the application
  always received a UnknownHostException just until we enable the option
  above, the application can connect succesfully.
  The cert on the remote system is not a real cert yet (it will be once
  we move to production). However, we already add the CA into our
  trusted list. We are using JVM bundled with BEA WLS 6.1 SP3.
  The concern that our customer has right now is how it will affect
  production system? With this option enabled, is that meant any cert
  from any server will be accepted by the JVM/WLS as trusted?
  Currently looking at the trusted CA in the key ring, there are only 2
  company supported by default (Verisign and Thawte), is there any
  specific documentation on how to include another CA into WLS trusted
  list?
  Thank you,
  Irawan.

  I did some more research for the issue mentioned which I yet to get rid of.
  1) I wrote a REST web service which makes a call to another REST service deployed on another weblogic using HTTPs (same code as mentioned above is used). I delpoyed the war and made a http call to the first webservice, the other REST service was invoked successfully using HTTPs. So this confirmed that there is no problem with the certificates or keystore or hostname verifictaion.
  2) My actual application still throws the handshake exception as below -
  <Warning> <Security> <BEA-090542> <Certificate chain received from xx.yy.zz.rrr - xx.yy.zz.rrr was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
  So I think the problem is something else but weblogic is priniting the exception message wrong.
  The process hierarchy ( in UNIX ) is as shown below -
  bea 31914 31913 0 14:29 ? 00:00:00 /bin/sh <DOMAIN HOME>//bin/startWebLogic.sh
  bea 31989 31914 0 14:29 ? 00:01:25 /opt/bea/jdk160_24/bin/java <The weblogic start server process> started by startWebLogic.sh
  bea 32107 31989 0 14:29 ? 00:00:09 /opt/bea/jdk160_24/bin/java <One of custom process>
  bea 2038 32107 0 18:38 ? 00:00:15 /opt/bea/jdk160_24/bin/java <Another custom process which contains my java classes containing the REST client>
  The problem is there in both Weblogic 11 and 10.3 version.
  I will be grateful if someone gives any clue about the problem.

• Custom SSL Hostname Verifier - SSL Hostname Verification Failed

  Background:
  I am using a java client deployed in weblogic which connects to a 3rd party url over HTTPS.
  version: WebLogic server 10.3.0
  Issue:
  I am connecting to say www.abc.com and the site is presenting its certificate as **.ABC.com*. and I am getting Hostname verification failed.
  I am using weblogic's default hotname verifier.
  Setting hostname verification to false resolving this error, but I want to keep it for security.
  Can anybody please share some best practices to write a custom HostnameVerifier to overcome this kind of problems?
  Thanks in advance!

  An example - this validates that a cert sent to a cluster member ( such as by OSB's internals ) will be validated when the cluster uses a a load balancer address ( defined in the cluster's http tab )
  private final String QA_LB_NAME = "my_loadbalancer.net";
  private final String QA_HOST1 = "my_serverhost1.net";
  private final String QA_HOST2 = "my_serverhost2.net";
  public boolean verify(String hostname, SSLSession session) {
  try {
  Certificate cert = session.getPeerCertificates()[0];
  byte[] encoded = cert.getEncoded();
  CertificateFactory cf = CertificateFactory.getInstance("X.509");
  ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
  X509Certificate xcert = (X509Certificate)cf.generateCertificate(bais);
  String cn = getCanonicalName(xcert.getSubjectDN().getName());
  if (cn.equals(hostname))
  return true;
  // Allow a match if the load balancer cert is presented from one of its
  // servers
  if (cn.equals(QA_LB_NAME) &&
  ((hostname.equals(QA_HOST1)) || (hostname.equals(QA_HOST2))))
  return true;
  // all other certs fail
  return false ;
  You can do something similar with your wildcard example - allow the validation if the cn is "*.abc.com" and the hostname is "www.abc.com"
  As far as best practices, I would suggest only have specific hard-coded validation entries for known certificates such as your wild card example. You want the default behavior ( of the hostname matching the CN name ) plus your particular case - and nothing else

• Hostname verification 8.53

  I've recently upgraded our demo environment to tools 8.53. This environment runs behind a proxy on a HTTPS connection (we demo the environment at clients and want the connection to be secure). So far so good, everything worked great in 8.52. You'd always get a certificate warning when opening the environment, but as long as the certificates were installed in Java, Weblogic and Security objects everything worked. There was a certificate installed on the main domain, but that certificate didn't contain the subdomain as subject alternative name.
  Now with 8.53 and the new JRE version this suddenly didn't work for the Integration broker anymore. When loading the gateway connectors the Application server would give the following error:
  "java.io.IOException: HTTPS hostname wrong:  should be <*.*.*.*>, but cert says <CN=www.hostname.com, O=City Province, L=City, ST=ProvinceBogota, C=CO>"
  I ended up requesting an addition to the current certificate, but after that was added the error remains. When opening the environment in the browser you'd no longer get an error message about the certificate from the browser itself, but that's it. I already searched Oracle support, but all the support articles basically say that the "CN=" should contain the actual URL of the PeopleSoft environment. It is also mentioned that subject alternative names in certificates are not supported. I find it hard to believe that this feature cannot be turned of in JRE. Some articles on the internet mention using a custom trustmanager or something, but I have no idea how to set this up in the JRE installation. Has anyone struggled with this before? Any experience and/or suggestions are more than welcome.

  Okay, I think I was misunderstanding the error and your configuration originally, but I wanted to get that thought of wildcard certs out there since it immediately popped in my head as a solution to any naming mismatch.
  Can you explain your setup in more detail... your at a client, demo'ing PS, and connecting back to the home office.  What cert is where, is the proxy a reverse proxy? I thought I had it figured out but then what I was thinking should not have created a cert warning at the browser.  But I've never done SSL over RPS so I might be missing something.  Plus it's the weekend now so my brain is on vacation for 2 days.
  Anyway, I'll pull the old PeopleSoft response out of the bag and say it sounds like "it's working as intended".   If you have a name mismatch you should be warned/denied access.  Perhaps it was working due to a bug.
  For what it's worth I tried putting the wrong cert on my 8.52.07 environment and got the following right away when trying to reload the connectors.
  HTTPS hostname wrong:  should be <psweb1.domain.com>, but cert says <CN=psweb2.domain.com
  Another option for now would be to drop the app to gateway connectivity back to non-ssl.  Or depending on your setup can you get a new external only DNS entry added just for your env. So say from external you hit ps.yourdomain.com which hits your inbound firewall device and sends it on in to ps.yourdomain.com.  Even if it's going through an RPS then at least names match along the way.

• How to disable hostname verification without code

  Hello.
  Is there a way to disable the hostname verification during SSL connection, ? I mean something like a system property, since i use an existing application and i've not the source to set my own custom hostname verifier.
  Thanks.
  Ephemeris Lappis

  Hi
  I faced the same problem and as I see now I'm not the only one :o)
  Did you find the way to do it, please?
  Very appreciating any inputs,
  Sincerely,
  Jabb
  null

• HTTPS hostname wrong

  Hi everybody,
  I?m developing a client webservice throught https and I can`t connect to it, the exception thrown is:
  java.rmi.RemoteException: HTTP transport error: java.io.IOException:
  HTTPS hostname wrong:  should be <wservices.fundacioncan.com>; nested exception is:
  HTTP transport error: java.io.IOException: HTTPS hostname wrong:
    should be <wservices.fundacioncan.com>This service use a basic authentication using user and password, I used the following code to set it:
  System.setProperty("javax.net.ssl.trustStore","c:\\client.keystore");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  System.setProperty("javax.protocol.handler.pkgs",
  "com.sun.net.ssl.internal.www.protocol.https");
  java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
           // Get our port interface
         stub._setProperty(javax.xml.rpc.Stub.USERNAME_PROPERTY, username);
          stub._setProperty(javax.xml.rpc.Stub.PASSWORD_PROPERTY, password);For calling this service I`m using a java class without a Tomcat server, and also, I have not
  implemented the web service. I only know that it is hosted at
  the next URL
  https://wservices.fundacioncan.com:9443 and the server certificate
  that i can get from the browser shows that the Subject is www.fundacioncan.com
  Can anybody tell me what I?m doing wrong? I have read old topics about the same but nothing works.
  Thanks in advance

  You can get problems connecting over HTTPS in IE if the name on the certificate does not match the name of the site. For example if a certificate for java.sun.com had the name www.sun.com you'd get a dialog popping up saying that the name of the certificate did not match the name of the site, but that otherwise it was ok. This seems to be the error you're getting here, but you don't get the option to proceed...
  I don't know whether there is a workaround for this, I only know from my experience developing my own web service that I had to ensure the server name matched the name on the certificate. It doesn't look like you have this luxury, so I'd suggest contacting the web service provider for more info, unless someone else has a workaround.
  Chris

• Certificate chain received from localhost 127.0.0.1 failed hostname verification check.

  Hello friends. The dns name of our server recently changed. Since that time,
  nothing except the administration node will start up. Server logs reveal the
  following information:
  Certificate chain received from localhost - 127.0.0.1 failed hostname verification
  check. Certificate contained COTHUBT but check expected localhost>
  There is one trusted certificate that was added to the cacerts keystore. Does
  it need to be removed and re added? Any other insight would be appreciated.

  "brain" <[email protected]> wrote:
  Try this if you're running version 8
  In the admin node gui.
  Click on machines
  Click on the NodeManager tab for the machine that you are interested in.
  Change hostname in listen address.
  Bounce the app server
  >
  Hello friends. The dns name of our server recently changed. Since that
  time,
  nothing except the administration node will start up. Server logs reveal
  the
  following information:
  Certificate chain received from localhost - 127.0.0.1 failed hostname
  verification
  check. Certificate contained COTHUBT but check expected localhost>
  There is one trusted certificate that was added to the cacerts keystore.
  Does
  it need to be removed and re added? Any other insight would be appreciated.

• Java.io.IOException: HTTPS hostname wrong:  should be localhost

  I'm having problems verifying an SSL client using Tomcat v5.x. I create a key in a particular keystore, let's call it C:\tomcat. I start tomcat specifying this file as the keystore to use. I then connect to the server on port 8443 with Internet Explorer and save the certificate returned from the server in a file. I then import the certificate into a keystore, let's say C:\tomcat_client. In my SSL client code I am specifiying the keystore to use with a System.setProperty("javax.net.ssl.trustStore", "C://tomcat_client"); However when I try to retrieve an output stream from a HttpURLConnection I receive the above exception. Any ideas what is happening ?
  Exception : java.io.IOException: HTTPS hostname wrong: should be <localhost>
  I have tried a variety of other options including importing the certificate into jssecacerts in the lib/security directory of the jre I am using to execute the SSL client, using the same keystore file for tomcat and the SSL client, etc.

  Hi Everybody!
  I've had a lot of problems with HTTPS connection. But finally I found a solution that works for me. So here is the Servlet:
  * File name: TestServlet.java
  * Created on 2005.01.21.
  package georgie.test.servlet;
  import java.io.BufferedReader;
  import java.io.IOException;
  import java.io.InputStreamReader;
  import java.net.URL;
  import javax.net.ssl.HostnameVerifier;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.SSLSession;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  * @author Gy�rgy Nov�k
  public class TestServlet extends HttpServlet
      protected void doGet(HttpServletRequest request,
              HttpServletResponse response) throws ServletException, IOException
          try
              trustAllHttpsCertificates();
              String urlStr = request.getParameter("url");
              HttpsURLConnection.setDefaultHostnameVerifier(hv);
              URL url = new URL(urlStr == null ? "https://www.verisign.com/"
                      : urlStr);
              debug("URL READY");
              BufferedReader in = new BufferedReader(new InputStreamReader(url
                      .openStream()));
              debug("INPUT READY");
              int buff;
              while ((buff = in.read()) != -1)
              in.close();
              debug("EVERYTHING IS DONE!!!");
          catch (Exception e)
              e.printStackTrace();
      HostnameVerifier hv = new HostnameVerifier()
          public boolean verify(String urlHostName, SSLSession session)
              System.out.println("Warning: URL Host: " + urlHostName + " vs. "
                      + session.getPeerHost());
              return true;
      private void debug(String s)
          System.out.println("[DEBUG] -- TestServlet -- \n" + s);
      private static void trustAllHttpsCertificates() throws Exception
          //  Create a trust manager that does not validate certificate chains:
          javax.net.ssl.TrustManager[] trustAllCerts =
          new javax.net.ssl.TrustManager[1];
          javax.net.ssl.TrustManager tm = new miTM();
          trustAllCerts[0] = tm;
          javax.net.ssl.SSLContext sc =
          javax.net.ssl.SSLContext.getInstance("SSL");
          sc.init(null, trustAllCerts, null);
          javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
          sc.getSocketFactory());
      public static class miTM implements javax.net.ssl.TrustManager,
              javax.net.ssl.X509TrustManager
          public java.security.cert.X509Certificate[] getAcceptedIssuers()
              return null;
          public boolean isServerTrusted(
                  java.security.cert.X509Certificate[] certs)
              return true;
          public boolean isClientTrusted(
                  java.security.cert.X509Certificate[] certs)
              return true;
          public void checkServerTrusted(
                  java.security.cert.X509Certificate[] certs, String authType)
                  throws java.security.cert.CertificateException
              return;
          public void checkClientTrusted(
                  java.security.cert.X509Certificate[] certs, String authType)
                  throws java.security.cert.CertificateException
              return;
  }Wish You all the best:
  Georgie