Thursday, September 30, 2010

HTTPS Certificate and HTTPS URL integrity check

The HTTPS specification mandates that HTTPS clients must be capable of verifying the identity of the server.

The basic idea of the URL integrity check is that the server certificate’s identity must match the server host name. This integrity check has an important impact on how you generate X.509 certificates for HTTPS: the certificate identity (usually the certificate subject DN’s common name) must match the host name on which the HTTPS server is deployed.

For example, if a server supports secure TLS connections at the following URL:

The corresponding server certificate would have the following subject DN:

C=IE,ST=Co. Dublin,L=Dublin,O=Progress,

Using the subject DN’s Common Name for the certificate identity has the disadvantage that only one host name can be specified at a time. If you deploy a certificate on a multi-homed host, however, you might find it is practical to allow the certificate to be used with any of the multi-homed host names. In this case, it is necessary to define a certificate with multiple, alternative identities, and this is only possible using the subjectAltName certificate extension.

For example, if you have a multi-homed host that supports connections to either of the following host names:

Then you can define a subjectAltName that explicitly lists both of these DNS host names. If you generate your certificates using the openssl utility, edit the relevant line of your openssl.cnf configuration file to specify the value of the subjectAltName extension, as follows:

Here is the original article

If the URL integrity check fails in Java code, you will probably get an exception like the one below:

HTTPS hostname wrong:  should be <THE_HOST_USING_HTTPS_CERTIFICATE>;
at TestSSL.doC8Authentication(
at TestSSL.main(

If you cannot change the certificate and have to use it for testing purposes, here is one way to avoid the integrity check:

import javax.net.ssl.*;

HttpsURLConnection con = (HttpsURLConnection) myurl.openConnection();
// Testing only: accepts any host name for this connection, so the URL integrity check never fails
con.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});

See reference

An alternative way is to install a default verifier once, in a static initializer, so it applies to every HttpsURLConnection:

static {
    // for localhost testing only: install a process-wide default verifier
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession sslSession) {
            if (hostname.equals("localhost")) {
                return true;
            }
            // if you don't care about the host name at all, return true here instead
            return false;
        }
    });
}

Or you can create a certificate whose CN is "localhost" (assuming the testing server's host name is localhost), so the real check passes without any verifier override.
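Putting the two halves of the post together (the rule that the certificate identity, taken from the subjectAltName dNSName entries or else the subject DN's Common Name, must match the host name, and the Java HostnameVerifier hook used above), here is an added example that is not part of the original post. It implements the matching rule itself and wraps it in a verifier that exempts only an explicit list of test hosts rather than returning true for everything. The class name HostnameCheck, the methods identitiesOf, matches and verifierWithTestHosts, and the example.com host names in main are all assumptions constructed for this illustration.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class HostnameCheck {

    // GeneralName tag for dNSName entries in the subjectAltName extension (RFC 5280)
    private static final int DNS_NAME = 2;

    // Identities a certificate claims: every dNSName in subjectAltName, or, only if
    // there is no such entry, the Common Name of the subject DN (assumed helper).
    static List<String> identitiesOf(X509Certificate cert) throws Exception {
        List<String> ids = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == DNS_NAME) {
                    ids.add((String) san.get(1));
                }
            }
        }
        if (ids.isEmpty()) {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    ids.add(rdn.getValue().toString());
                }
            }
        }
        return ids;
    }

    // True if the host equals one identity (case-insensitive); a leading "*." wildcard
    // matches exactly one label, so "*.example.com" covers "a.example.com" but not
    // "x.a.example.com" or the bare "example.com" (assumed helper).
    static boolean matches(String host, List<String> identities) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String id : identities) {
            String i = id.toLowerCase(Locale.ROOT);
            if (i.equals(h)) {
                return true;
            }
            int dot = h.indexOf('.');
            if (i.startsWith("*.") && dot > 0 && h.substring(dot).equals(i.substring(1))) {
                return true;
            }
        }
        return false;
    }

    // Verifier that checks the peer's leaf certificate against the host name and exempts
    // only the listed test hosts, instead of disabling the check for every connection
    // (assumed helper; testHosts are expected in lower case).
    static HostnameVerifier verifierWithTestHosts(final List<String> testHosts) {
        return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                if (testHosts.contains(hostname.toLowerCase(Locale.ROOT))) {
                    return true; // e.g. "localhost" during development
                }
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    return matches(hostname, identitiesOf((X509Certificate) chain[0]));
                } catch (Exception e) { // unverified peer, non-X.509 cert, unparsable DN
                    return false;
                }
            }
        };
    }

    public static void main(String[] args) {
        // Constructed identities standing in for a multi-homed host's subjectAltName entries.
        List<String> ids = Arrays.asList("host1.example.com", "host2.example.com");
        System.out.println("host1.example.com   -> " + matches("host1.example.com", ids));
        System.out.println("HOST2.example.com   -> " + matches("HOST2.example.com", ids));
        System.out.println("host3.example.com   -> " + matches("host3.example.com", ids));
        List<String> wild = Arrays.asList("*.example.com");
        System.out.println("a.example.com   (wildcard) -> " + matches("a.example.com", wild));
        System.out.println("x.a.example.com (wildcard) -> " + matches("x.a.example.com", wild));

        // Install it for all HttpsURLConnections, exempting only localhost.
        HttpsURLConnection.setDefaultHostnameVerifier(
                verifierWithTestHosts(Collections.singletonList("localhost")));
    }
}
```

Compared with the `return true` verifiers above, the exemption is now limited to named test hosts and the normal path still compares the presented certificate with the host name, so the override cannot silently accept an arbitrary server's certificate on a production URL.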
