You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by AngeloChen <an...@gmail.com> on 2011/07/18 11:44:27 UTC

ssl and host name not match

Hi,

I got a virtual host:

<Host name="www.sample.com"    appBase="sampleapps"
                        unpackWARs="true" autoDeploy="true"
                        xmlValidation="false" xmlNamespaceAware="false" >
         <Alias>sample.com</Alias>
...

for some reason, the jks in the tomcat is for sample.com, when calling this
server with httpclient, it always get:

javax.net.ssl.SSLException: hostname in certificate didn't match:
<www.sample.com> != <sample.com>

even there is an alias sample.com.

any fix on this? Thanks,

Angelo

-- 
View this message in context: http://old.nabble.com/ssl-and-host-name-not-match-tp32081887p32081887.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ssl and host name not match

Posted by AngeloChen <an...@gmail.com>.

i opted for #3 and it works, thanks.


awarnier wrote:
> 
> AngeloChen wrote:
>> Hi,
>> 
>> I got a virtual host:
>> 
>> <Host name="www.sample.com"    appBase="sampleapps"
>>                         unpackWARs="true" autoDeploy="true"
>>                         xmlValidation="false" xmlNamespaceAware="false" >
>>          <Alias>sample.com</Alias>
>> ...
>> 
>> for some reason, the jks in the tomcat is for sample.com, when calling
>> this
>> server with httpclient, it always get:
>> 
>> javax.net.ssl.SSLException: hostname in certificate didn't match:
>> <www.sample.com> != <sample.com>
>> 
>> even there is an alias sample.com.
>> 
>> any fix on this? Thanks,
>> 
> There is no "fix" for this, because it is not a problem.  The client and
> the server are 
> working the way they should :
> - the client connects to a server, thinking it is "www.sample.com"
> - the server returns a certificate for the host "sample.com"
> - the client sees that the certificate is not for the host that it
> requested, so it gives 
> an error.
> The <Alias> in your configuration is just a way for Tomcat to handle the
> request with the 
> corresponding virtual host.  But it does not change the content of the
> certificate.
> 
> There are different ways to avoid the error :
> a) have the client connect to "sample.com" instead.  Because of the Alias,
> the Tomcat 
> virtual host will be the same, and it will return a certficate for
> "sample.com", so the 
> client will be happy too.
> b) use a wildcard certificate for "*.sample.com"
> c) change the certificate to be for "www.sample.com"
> ...
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/ssl-and-host-name-not-match-tp32081887p32083029.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: ssl and host name not match

Posted by André Warnier <aw...@ice-sa.com>.

AngeloChen wrote:
> Hi,
> 
> I got a virtual host:
> 
> <Host name="www.sample.com"    appBase="sampleapps"
>                         unpackWARs="true" autoDeploy="true"
>                         xmlValidation="false" xmlNamespaceAware="false" >
>          <Alias>sample.com</Alias>
> ...
> 
> for some reason, the jks in the tomcat is for sample.com, when calling this
> server with httpclient, it always get:
> 
> javax.net.ssl.SSLException: hostname in certificate didn't match:
> <www.sample.com> != <sample.com>
> 
> even there is an alias sample.com.
> 
> any fix on this? Thanks,
> 
There is no "fix" for this, because it is not a problem.  The client and the server are 
working the way they should :
- the client connects to a server, thinking it is "www.sample.com"
- the server returns a certificate for the host "sample.com"
- the client sees that the certificate is not for the host that it requested, so it gives 
an error.
The <Alias> in your configuration is just a way for Tomcat to handle the request with the 
corresponding virtual host.  But it does not change the content of the certificate.

There are different ways to avoid the error :
a) have the client connect to "sample.com" instead.  Because of the Alias, the Tomcat 
virtual host will be the same, and it will return a certficate for "sample.com", so the 
client will be happy too.
b) use a wildcard certificate for "*.sample.com"
c) change the certificate to be for "www.sample.com"
...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org