Posted to httpclient-users@hc.apache.org by Bjørn Christian <bo...@hotmail.com> on 2008/02/07 17:56:35 UTC

SSLException: hostname in certificate didn't match: != <*.gulesider.no>

Hello!
I am using DefaultHttpClient() to construct a new client and HttpPost to 
send a post request. When I connect to certain URLs I get an exception 
telling me this: SSLException: hostname in certificate didn't match: 
!= <*.gulesider.no>. I tried to do some research, but I 
can't find an answer. I guess it has something to do with the 
HostnameVerifier and BrowserCompatHostnameVerifier.

Any help would be very appreciated.


Re: SSLException: hostname in certificate didn't match: != <*.gulesider.no>

Posted by Julius Davies <ju...@gmail.com>.
Hi, Bjørn,

HTTPClient is behaving exactly like IE6, IE7, and Firefox here.  If
you tried using those browsers to connect to "https://gulesider.no",
you would get a popup window warning you against the site.

I see that "https://www.gulesider.no" is available and appears to
behave the same as the non-www site.  Consider using that URL instead!

yours,

Julius

ps.  Firefox and Httpclient both agree the following are all valid
with a *.gulesider.no certificate:

www.gulesider.no
a.gulesider.no
b.gulesider.no
a.b.gulesider.no
a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.z.gulesider.no
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.gulesider.no


IE6 on the other hand only thinks the following are valid:

www.gulesider.no
a.gulesider.no
b.gulesider.no


etc...

But BOTH IE6 and Firefox, and HTTPClient for that matter, agree that
"gulesider.no" is not a valid match against a *.gulesider.no
certificate.

For more information you can check this page out:
http://wiki.cacert.org/wiki/WildcardCertificates


yours,

Julius


On Feb 7, 2008 11:15 AM, Roland Weber <os...@dubioso.net> wrote:
> Hi Bjørn,
>
> by definition, a certificate issued for *.gulesider.no is
> valid for www.gulesider.no and any other host in the domain
> .gulesider.no, but not for a host called gulesider.no which
> is in domain ".no".
> If that is possible, you should contact the server with the
> full hostname, including the "www" or whatever is applicable.
> If that isn't possible, you will have to implement your own
> X509HostnameVerifier (recently renamed in trunk) and call
> SSLSocketFactory.setHostnameVerifier() to install it.
>
> hope that helps,
>   Roland
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>



-- 
yours,

Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
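
The matching rules described in the messages above, written out as an added example (not code from HttpClient or from anyone in this thread; the class and method names are hypothetical). It tests the same `*.gulesider.no` name under the multi-level policy the thread attributes to Firefox and HttpClient and the single-label policy it attributes to IE6.

```java
import java.util.Locale;

// Added example: wildcard certificate-name matching under the two policies
// described in this thread. Class and method names are hypothetical.
public class WildcardMatchDemo {

    // Returns true if host matches certName, where certName may be "*.domain".
    // multiLevel = true : "*" may cover several labels (a.b.gulesider.no)
    // multiLevel = false: "*" covers exactly one label (a.gulesider.no)
    static boolean matches(String host, String certName, boolean multiLevel) {
        String h = host.toLowerCase(Locale.ROOT);
        String c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);                 // no wildcard: exact match only
        }
        String suffix = c.substring(1);         // ".gulesider.no", leading dot kept
        if (!h.endsWith(suffix) || h.length() == suffix.length()) {
            return false;                       // bare "gulesider.no" has no label for "*"
        }
        // The part of the host name that the "*" has to account for.
        String covered = h.substring(0, h.length() - suffix.length());
        if (covered.startsWith(".") || covered.endsWith(".") || covered.contains("..")) {
            return false;                       // reject empty labels
        }
        return multiLevel || covered.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String cert = "*.gulesider.no";
        // Host names taken from the lists in the thread.
        String[] hosts = {
            "www.gulesider.no", "a.gulesider.no", "a.b.gulesider.no", "gulesider.no"
        };
        for (String host : hosts) {
            System.out.printf("%-20s multi-level=%-5b single-label=%b%n",
                    host, matches(host, cert, true), matches(host, cert, false));
        }
    }
}
```

RFC 6125 later specified the single-label behaviour: the wildcard stands for one left-most label only.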



Re: SSLException: hostname in certificate didn't match: != <*.gulesider.no>

Posted by Roland Weber <os...@dubioso.net>.
Hi Bjørn,

by definition, a certificate issued for *.gulesider.no is
valid for www.gulesider.no and any other host in the domain
.gulesider.no, but not for a host called gulesider.no which
is in domain ".no".
If that is possible, you should contact the server with the
full hostname, including the "www" or whatever is applicable.
If that isn't possible, you will have to implement your own
X509HostnameVerifier (recently renamed in trunk) and call
SSLSocketFactory.setHostnameVerifier() to install it.

hope that helps,
  Roland

