SSLPeerUnverifiedException: Hostname 43.138.40.181 not verified

1. Introduction
In internet communication, security is of paramount importance. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols used to establish secure connections between clients and servers. They provide encryption and authentication so that data in transit stays confidential and cannot be tampered with unnoticed.
However, when making an SSL/TLS connection you may encounter an SSLPeerUnverifiedException with the message "Hostname ... not verified". This exception means that the name you asked to connect to does not appear among the names the server's certificate was issued for (its Subject Alternative Name entries). The exact wording depends on the client library: the "Hostname X not verified" text is what OkHttp reports, while the JDK's own HttpsURLConnection reports the same failure as an SSLHandshakeException whose cause reads "No name matching X found" or "No subject alternative names matching IP address X found". Note that the message in this page's title names an IP literal: connecting by IP address requires the certificate to carry an iPAddress SAN entry for that exact address, which most certificates do not, so the name check fails even when the certificate is otherwise valid.
In this article, we will explore the causes of this exception and provide a step-by-step guide on how to resolve it in Java programming language.
2. Understanding the SSL/TLS Handshake
Before diving into the exception itself, let's first understand the SSL/TLS handshake process, which is crucial for establishing a secure connection.
2.1 SSL/TLS Handshake Flow
The SSL/TLS handshake (shown here in its TLS 1.2 form; TLS 1.3 merges and encrypts most of these messages, but the certificate and hostname checks described later are the same) involves several steps between the client and the server:
flowchart TD
  A[Client Hello] --> B[Server Hello]
  B --> C[Certificate]
  C --> D[Server Key Exchange]
  D --> E[Certificate Request]
  E --> F[Server Hello Done]
  F --> G[Client Certificate]
  G --> H[Client Key Exchange]
  H --> I[Certificate Verify]
  I --> J[Change Cipher Spec]
  J --> K[Finished]
  K --> L[Change Cipher Spec]
  L --> M[Finished]
  M --> N[Application Data]
The client sends a Client Hello message to the server, indicating the highest SSL/TLS version it supports, a list of supported cipher suites, and other parameters.
The server responds with a Server Hello message, selecting the appropriate SSL/TLS version and cipher suite from the client's options.
The server sends its Certificate, which contains its public key and is used by the client to verify the server's identity.
The server may optionally send a Server Key Exchange message, which contains additional information required by the client to establish the shared secret key.
The server may request a Certificate from the client, depending on the server's requirements.
The server sends a Server Hello Done message to indicate the end of the server's handshake messages.
The client responds with a Client Certificate if requested by the server.
The client sends a Client Key Exchange message, containing either its ephemeral Diffie-Hellman public key or, with RSA key exchange, a pre-master secret encrypted to the server's public key; both sides derive the session keys from the result.
If it sent a certificate, the client also sends a Certificate Verify message, a signature over the handshake so far, to prove that it possesses the private key corresponding to that certificate.
The client sends a Change Cipher Spec message to inform the server that subsequent messages will be encrypted.
The client sends a Finished message, a MAC computed under the new keys over a hash of all the previous handshake messages, so that any tampering with the handshake (for example a downgraded cipher suite) is detected.
The server responds with a Change Cipher Spec message.
The server sends a Finished message.
Both the client and the server can now exchange Application Data securely.
SSL/TLS certificates are digital documents binding a public key to the identity of the certificate holder, including the hostname(s) and/or IP address(es) it is valid for. They are issued by trusted Certificate Authorities (CAs) and allow the client to validate the server's identity during the SSL/TLS handshake.
Chain validation alone is not enough: a certificate can be validly issued by a trusted CA and still belong to a different server. So, after receiving the Certificate message, the client checks that the name it intended to connect to appears in the certificate's Subject Alternative Name (SAN) extension: a dNSName entry for a hostname (a wildcard is honoured only as the entire leftmost label) or an iPAddress entry for an IP literal. The subject Common Name (CN) is a legacy fallback that modern clients ignore, and it is never consulted for IP addresses. This check is performed by the client, not by the protocol itself, which is why it can be misconfigured or disabled in application code. If no entry matches, the client aborts and reports the "Hostname not verified" error.
3. Code Example
Now, let's look at a code example that demonstrates an SSLPeerUnverifiedException and how to resolve it.
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.io.IOException;
import java.net.URL;

public class SSLConnectionExample {
    public static void main(String[] args) {
        try {
            // Target named in the article's description: example.com over HTTPS
            URL url = new URL("https://example.com");
            HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
            // connect() runs the TLS handshake, including chain validation and the hostname check
            connection.connect();
            // Perform operations on the connection
            connection.disconnect();
        } catch (SSLPeerUnverifiedException e) {
            // The certificate's names do not match the hostname in the URL
            e.printStackTrace();
        } catch (IOException e) {
            // Any other network or TLS failure (SSLPeerUnverifiedException is a subclass, so it is caught above)
            e.printStackTrace();
        }
    }
}
In this example we open an HTTPS connection to "example.com". If the certificate the server presents contains no SAN entry matching "example.com", the hostname check fails and the connection is rejected before any application data is sent. With the JDK's HttpsURLConnection the check runs inside the handshake, so the failure surfaces as an SSLHandshakeException caused by "No name matching example.com found"; a client built on OkHttp reports it as the SSLPeerUnverifiedException "Hostname example.com not verified" instead.
4. Resolving the SSLPeerUnverifiedException
To resolve the SSLPeerUnverifiedException, we need to make the name we connect to and the names in the certificate agree: either obtain a certificate issued for the name (or, for IP literals, an iPAddress SAN for the address) or connect using the DNS name the certificate was issued for. Replacing the verifier with one that always returns true is not a fix: it lets anyone holding a valid certificate for any name impersonate the server, which defeats the purpose of TLS. There are a few legitimate solutions depending on the scenario.
4.1 Solution 1: Verify Hostname Manually
One solution is to verify the hostname yourself by comparing it with the Subject Alternative Name (SAN) entries of the certificate, falling back to the Common Name (CN) only when the certificate has no SAN at all. Be careful: hand-written verifiers are a common source of bugs (wildcards matched across labels, IP literals compared against dNSName entries, CN trusted when SANs are present), and a verifier that returns true unconditionally silently disables authentication. Where possible, prefer the JDK's built-in checker by enabling endpoint identification (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")) rather than re-implementing the rules.
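The following is an added example, not code from the original article, showing the matching rules a manual verifier has to get right; it is written in Python so that it runs offline against a certificate represented in the dict shape that Python's ssl.SSLSocket.getpeercert() returns (SAMPLE_CERT below is constructed for this example, and the helper names verify_hostname, explain and _dns_label_matches are this example's own). The same rules apply to a Java HostnameVerifier working over X509Certificate.getSubjectAlternativeNames(): IP literals match only iPAddress entries, DNS names match dNSName entries with a leftmost-label wildcard, and the CN is a fallback that is off by default.

```python
import ipaddress

# Constructed sample certificate in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns; the values are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "93.184.216.34"),
    ),
}


def _dns_label_matches(pattern, host):
    """RFC 6125 style comparison of one presented dNSName against a hostname.

    '*' is honoured only when it is the entire leftmost label of a pattern
    with at least two more labels ('*.example.com', not '*.com' or 'w*.com'),
    and it matches exactly one non-empty label, never across a dot.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(host, cert, allow_cn_fallback=False):
    """Return True if `host` is an acceptable name for `cert`.

    Rules:
      * an IP literal (optionally in [] brackets) matches only an
        'IP Address' SAN entry; CN and DNS entries are never consulted;
      * a DNS name matches 'DNS' SAN entries, with wildcard rules above;
      * the subject CN is used only when allow_cn_fallback is set AND the
        certificate carries no DNS SAN at all (modern clients skip it entirely).
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue  # malformed entry: ignore rather than accept
        return False

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_label_matches(p, host) for p in dns_names)
    if allow_cn_fallback:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName" and _dns_label_matches(value, host):
                    return True
    return False


def explain(host, cert):
    """Build a diagnostic like the one OkHttp prints: the names the cert really carries."""
    names = ", ".join(f"{kind}:{value}" for kind, value in cert.get("subjectAltName", ()))
    ok = verify_hostname(host, cert)
    return f"Hostname {host} {'verified' if ok else 'not verified'}: subjectAltNames [{names}]"


if __name__ == "__main__":
    for h in ("example.com", "WWW.Example.COM", "a.b.example.com",
              "93.184.216.34", "43.138.40.181"):
        print(explain(h, SAMPLE_CERT))
```

Run as-is it prints one line per name; 43.138.40.181 is reported as not verified because the sample certificate has no iPAddress entry for it, which is exactly the situation behind the message in this page's title. The CN fallback is off by default on purpose: a verifier that honours the CN when SANs are present can be talked into accepting a certificate issued for a different name.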
import javax.net.ssl.HttpsURLConnection;import