HTTPS hostname wrong: should be <sub.domain.com>. What causes this?

Question

I am getting this 'HTTPS hostname wrong:' error when trying to connect to a server using https. My url looks something like this

https://sub.domain.com/tamnode/webapps/app/servlet.

I connect using the following code

    // Create a URLConnection object for a URL
    URL url = new URL(requestedURL);
    HttpURLConnection.setFollowRedirects(false);

    // connect
    connection = (HttpURLConnection) url.openConnection();
    connection.setDoOutput(true);
    connection.setRequestProperty("User-Agent", USER_AGENT); //$NON-NLS-1$

    OutputStreamWriter wr = new OutputStreamWriter(connection
            .getOutputStream());

but then get an error

IOException: HTTPS hostname wrong:  should be <sub.domain.com>. 
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing
    ....

This is code which has worked in the past but no longer. There have been some changes to the system architecture but I need to get more data before approaching those responsible.

What can cause this error? Can I turn off the URLSpoofing check?

Answer 1

It looks like the SSL certificate for domain.com has been given to sub.domain.com. Or, more likely, what was domain.com has been renamed to sub.domain.com without updating the SSL certificate.

Answer 2

cletus is right about the probable cause.

There is a way to turn off the spoof checking, too.

You can create an object that implements HostnameVerifier that returns true under more circumstances than 'usual'.

You would replace the default HostnameVerifier by calling setHostnameVerifier on the connection object in the code in the question.

This answer was 'inspired by': http://www.java-samples.com/showtutorial.php?tutorialid=211

I found that link with this query: http://www.google.com/search?q=https+hostname+wrong+should+be

One more note: think twice before you do this. You will create an exploitable weakness in the security between your client and server components.

Answer 3

I got this exception - java.io.IOException: HTTPS hostname wrong: should be <localhost>.

My solution is I changed my self-signed certificate and make the CN=localhost.

OR

Add your certificate domain-name cn=<domain-name> to your host file probably located at c:/windows/system32/drivers/etc/...

Answer 4

The following code resolved my problem

static {
    //for localhost testing only
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
            new javax.net.ssl.HostnameVerifier() {

        @Override
        public boolean verify(String hostname,
                javax.net.ssl.SSLSession sslSession) {
            if (hostname.equals("your_domain")) {
                return true;
            }
            return false;
        }
    });
}

Answer 5

Use host name (dns name) as Alias name.

Ex:

keytool -import -alias <google.com> -file certificate_one.cer -keystore cacerts

Answer 6

Java by default verifies that the certificate CN (Common Name) is the same as hostname in the URL. If the CN in the certificate is not the same as the host name, your web service client fails with the following exception: java.io.IOException: HTTPS hostname wrong: should be hostname as in the certificates.