As I mentioned in my blog on Missing images in CFDocument, if you are using HTTPS, you must ensure that the certificate host name matches the host name in the URL. Let's say your certificate is issued to "www.mysite.com"; then the request URL must have "www.mysite.com" as the host. It cannot be accessed using 'localhost', '127.0.0.1', that machine's IP address or the machine's name.
Up to JDK 1.3, Sun's SSL implementation never verified the host name of the certificate. Since JDK 1.4, it verifies the host name to prevent URL spoofing (when I request some URL, someone in between intercepts the request and sends his own certificate, and I remain under the impression that I got the certificate of the requested server; hence the threat).
If you want to access the URL using localhost, an IP address or the machine's name, a workaround is possible, but it involves writing some Java code. HttpsURLConnection, which is used to make the connection, uses the HostnameVerifier interface to verify the host name of the certificate. A default implementation is used unless you provide one. You can provide your own implementation of this interface and set it on HttpsURLConnection. That puts host name verification under your control, so you can verify it the way you want.
Unfortunately, this interface and HttpsURLConnection are present in both the javax.net.ssl and com.sun.net.ssl packages. So, depending on which SSL packages are being used, you have to implement the appropriate interface and set it on the appropriate HttpsURLConnection. To be sure, let your implementation class implement both interfaces and set it on both HttpsURLConnection classes by calling the static method
setDefaultHostnameVerifier(HostnameVerifier)
A simplistic implementation that disables all host name verification could look like this:

    import javax.net.ssl.SSLSession;

    class MyHostnameVerifier implements com.sun.net.ssl.HostnameVerifier, javax.net.ssl.HostnameVerifier {
        // com.sun.net.ssl variant: accepts every host name, so verification is disabled
        public boolean verify(String urlHostName, String certHostName) {
            return true;
        }

        // javax.net.ssl variant: accepts every host name, so verification is disabled
        public boolean verify(String urlHost, SSLSession sslSession) {
            return true;
        }
    }

Set this verifier on both HttpsURLConnection classes at an appropriate place:

    MyHostnameVerifier verifier = new MyHostnameVerifier();
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(verifier);
    com.sun.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(verifier);
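
A narrower verifier than the accept-everything one above, as an added example (not code from the original post): it accepts a mismatch only for listed alias hosts such as localhost, and only when the server's certificate carries the expected name as an exact dNSName subjectAltName. The class name AliasHostnameVerifier, its fields and the open helper are hypothetical, and it targets javax.net.ssl on a current JDK.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example: class, field and method names here are hypothetical.
public class AliasHostnameVerifier implements HostnameVerifier {
    private static final Integer DNS_NAME = 2; // subjectAltName type dNSName (RFC 5280)
    private final Set<String> aliases;         // lower-case URL hosts allowed to mismatch
    private final String certHost;             // name the certificate must be issued to

    public AliasHostnameVerifier(Set<String> aliases, String certHost) {
        this.aliases = aliases;
        this.certHost = certHost;
    }

    // The JDK calls this only after its own host name check has failed.
    @Override
    public boolean verify(String urlHost, SSLSession session) {
        if (!aliases.contains(urlHost.toLowerCase(Locale.ROOT))) {
            return false; // not one of our aliases: keep the JDK's rejection
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (sans == null) return false; // no SAN extension: refuse rather than guess
            for (List<?> san : sans) {
                if (DNS_NAME.equals(san.get(0)) && certHost.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true; // server really holds the expected certificate
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // peer identity unavailable or unreadable: fail closed
        }
    }

    // Scope the relaxation to one connection instead of the JVM-wide default.
    public static HttpsURLConnection open(URL url, HostnameVerifier v) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(v);
        return conn;
    }
}
```

Constructed with the alias set {"localhost"} and the certificate name "www.mysite.com", it lets https://localhost/ through only when the server presents the www.mysite.com certificate. The same object can also be passed to setDefaultHostnameVerifier as in the post, in which case the alias set is what limits the relaxation.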

#1 by Andy Allan on November 24th, 2005
Excellent posts Rupesh! Keep them coming.
#2 by Bien on July 11th, 2007
Using com.sun.net.ssl.HttpsURLConnection instead of javax.net.ssl.HttpsURLConnection did the trick for me. Thanks a lot!
#3 by Marco Antonio C Santos on May 27th, 2010
Hi Rupesh… how to say to CF 8 to ignore host name validation using setDefaultHostnameVerifier.
Cheers
#4 by Tony T. on November 14th, 2010
Hi Rupesh,
I have a situation that is virtually identical to the one you described above. I’m trying to access a web service via HTTPS but the host name does not match the certificate name. I could use some advice on how to actually implement your code.
I took your code for a simple HostNameVerifier class, compiled it and saved it in the appropriate directory on my server. The custom class is called MyHostNameVerifier. I then implemented the following code:
I then get the error message “test is undefined.”
Any advice would be greatly appreciated. Thanks in advance.
#5 by Rupesh Kumar on November 15th, 2010
Hi Tony, I can't see the code that you posted. Can you post that once again?
#6 by Tony T. on November 17th, 2010
Hi Rupesh,
Here’s the code that got dropped from my last post:
Error: Test is undefined.
Thanks again for the help.
#7 by Tony T. on November 17th, 2010
It looks like the code is getting stripped out. Here’s a version of the code without the cfset tags and the pound signs:
verifier= CreateObject("java","MyHostnameVerifier")
HttpsURLConnection = CreateObject("java", "javax.net.ssl.HttpsURLConnection")
test=HttpsURLConnection.setDefaultHosnameVerifier(veriifer)
cfdump var="test"
Error: Test is undefined.
#8 by Rupesh Kumar on November 19th, 2010
@Tony,
If you see the signature of setDefaultHosnameVerifier(), it returns void. So, the method does not return anything and thus if you assign the result to test, it will of course be undefined.
#9 by Tony T. on November 19th, 2010
Rupesh,
OK, I see how test would be undefined. But the real question is am I correctly implementing the custom hostnameVerifier? I followed the steps above, minus the cfdump and made a call to a secure web service but I still received an error that said the host name did not match the certificate name. Any thoughts?
Thanks.