javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:

Self signed certificates are ideally for development only. You can't go live with it, because you know it's not verified, apps and browsers won't trust you without the CA's approving you.

So, this is not a 'solution' for your live app, but only to test if it works (and will work with a valid cert, if and when you get one). Because you're allowing all hostnames (or at the least, hardcoded hostnames if you restrict it to a few) and both are bad.

Do you plan on having to use a self signed cert in your live app too?

Interestingly, if the request host is an IP, "CN" is not used to match it; instead,

https://www.rfc-editor.org/rfc/rfc2818#section-3.1

the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"

If you use java's keytool, it can be done by

keytool -genkeypair  -ext SAN=IP:195.xx.xx.xx    ........

NullHostNameVerifier is also ok for you use case. You client is trusting only one certificate; as long as the connection uses that certificate, you are secure; host name doesn't matter here.

javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:

Tags:

Java

Ssl

Https

Android

Okhttp

Related

Recent Posts