Host name verification failed for Host
When using the HTTP Requester to establish an HTTPS connection to a remote server, you may encounter the following exception.
ERROR — TargetHandler I/O error: Host name verification failed for host : 172.20.5.110
javax.net.ssl.SSLException: Host name verification failed for host : <host-name>
    at org.apache.synapse.transport.http.conn.ClientSSLSetupHandler.verify(ClientSSLSetupHandler.java:152)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:285)
It indicates that your application is not able to establish an SSL connection to the remote server, due to a host name verification failure.
A host name verifier is useful when an SSL client connects to an application server on a remote host. It ensures that the host name in the URL to which the client tries to connect matches the host name in the digital certificate that the server sends back as part of the SSL handshake. Host name verification is performed only by the SSL client.
For example, if you are sending an HTTPS request to the external server https://www.test.com, host name verification will compare the following two values.
- the host value used in the HTTP request made by the client.
- the DNS name in the remote server’s certificate (the CN entry in the certificate).
Host name verification helps to prevent man-in-the-middle attacks during an SSL connection.
Since HTTPS is based on public-key cryptography, the client uses the server’s public key to encrypt information that only the server can decrypt. In this scenario a man-in-the-middle attack can happen when a malicious user tricks the client into talking to him instead of the real server, using his own public key. Since the client is unable to distinguish between the real and the ‘fake’ server, it encrypts data using the fake server’s public key and sends it. The attacker can then decrypt the sent information using his private key and forward it to the real server.
To prevent this kind of attack, SSL uses certificates and host name verification on the client side. A certificate is basically a public key with some identity information attached to it. Those certificates can be signed by certificate authorities to confirm the identity information. Therefore the client has to verify that the name in the certificate matches the server it wants to talk to, before sending sensitive data to the server. In the case of a normal web browser, that is the domain name displayed in the address bar. Without host name verification, an attacker ‘in the middle’ could send any certificate to the client.
A certificate may contain a list of domain names for which it is valid. This is called the Subject Alternative Name (SAN) in certificate terminology. Therefore, as an alternative to having the CN be the actual domain of the server, we can use SANs in the server certificate’s “Extensions” section to include the server’s domain name, in order to meet the purpose of host name verification.
For a self-signed certificate, you can generate the certificate using the following command.
keytool -genkey -alias server -keyalg RSA -keystore <server key store file> -ext SAN="dns:test.com,dns:foo.com,ip:127.0.0.1"
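The following is an added example (not code from the original article, nor from Synapse or WSO2) showing the comparison that a host name verifier performs. It represents the certificate's identity fields as a plain dict (a constructed stand-in for the parsed X.509 subject and SAN extension) and implements the RFC 6125 matching rules, which go a little beyond what the text above shows: an IP-literal host is matched only against iPAddress SAN entries, a certificate with any dNSName SAN entries is matched on those and its CN is ignored, and a wildcard is accepted only as the entire leftmost label. The sample certificate carries exactly the SAN values from the keytool command above, so the last check reproduces the failure in the log: the requester connected to 172.20.5.110, which appears nowhere in the certificate.

```python
import ipaddress


def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName (or CN) against the requested host.

    Case-insensitive; a trailing dot is ignored; '*' is only honoured as the whole
    leftmost label, must not span a dot, and needs at least two labels to its right.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_host(host: str, cert: dict) -> bool:
    """Return True when `host` (from the request URL) is covered by `cert`.

    `cert` is a constructed dict with optional keys:
      'cn'      -> Common Name from the subject
      'san_dns' -> list of dNSName entries from the SAN extension
      'san_ip'  -> list of iPAddress entries from the SAN extension
    """
    try:
        requested_ip = ipaddress.ip_address(host)
    except ValueError:
        requested_ip = None

    if requested_ip is not None:
        # An IP literal is only ever matched against iPAddress SAN entries;
        # the CN is never consulted for an IP.
        return any(requested_ip == ipaddress.ip_address(s) for s in cert.get("san_ip", []))

    san_dns = cert.get("san_dns", [])
    if san_dns:
        # When dNSName entries exist, the CN is ignored entirely (RFC 6125 section 6.4.4).
        return any(_match_dns(p, host) for p in san_dns)

    # Legacy fallback: no dNSName SAN, so the CN is the only identity available.
    cn = cert.get("cn")
    return cn is not None and _match_dns(cn, host)


# Constructed certificate mirroring the keytool command above:
#   -alias server (CN prompted interactively, assumed 'server') with
#   SAN="dns:test.com,dns:foo.com,ip:127.0.0.1"
SELF_SIGNED_CERT = {
    "cn": "server",
    "san_dns": ["test.com", "foo.com"],
    "san_ip": ["127.0.0.1"],
}

# Constructed certificates for the CN-only and wildcard cases.
CN_ONLY_CERT = {"cn": "www.test.com"}
CN_WITH_OTHER_SAN_CERT = {"cn": "www.test.com", "san_dns": ["other.example"]}
WILDCARD_CERT = {"san_dns": ["*.test.com"]}


def demo() -> dict:
    """Run the checks discussed in the text and return host -> verification result."""
    return {
        "test.com vs SAN cert": verify_host("test.com", SELF_SIGNED_CERT),
        "www.test.com vs SAN cert": verify_host("www.test.com", SELF_SIGNED_CERT),
        "127.0.0.1 vs SAN cert": verify_host("127.0.0.1", SELF_SIGNED_CERT),
        # The case from the log: the IP is not in the certificate, so the handshake fails.
        "172.20.5.110 vs SAN cert": verify_host("172.20.5.110", SELF_SIGNED_CERT),
        "www.test.com vs CN-only cert": verify_host("www.test.com", CN_ONLY_CERT),
        "www.test.com vs CN + unrelated SAN": verify_host("www.test.com", CN_WITH_OTHER_SAN_CERT),
        "www.test.com vs wildcard cert": verify_host("www.test.com", WILDCARD_CERT),
        "test.com vs wildcard cert": verify_host("test.com", WILDCARD_CERT),
        "a.b.test.com vs wildcard cert": verify_host("a.b.test.com", WILDCARD_CERT),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'}  {label}")
```

Note the "CN + unrelated SAN" case: adding a SAN extension to a certificate switches the verifier to SAN-only matching, so a CN that used to work stops working unless the same name is also listed as a dNSName SAN. That is why the keytool command above puts the server's names in the SAN rather than relying on the CN.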