I am trying to use an HTTPS connection with a self-signed certificate.
I have followed the steps for creating a self-signed certificate as mentioned here - Creating Self-signed certificate.
Everything works fine, even in the browser; it only shows me a message that my certificate is signed by an unknown CA.
But I have a problem with my FQDN name (server name doesn't match) in the certificate because I set an incorrect name while generating the certificate.
I have regenerated it and now there is no such error.
I need to use my server certificate from a mobile Android client. I have found a great article about this problem - Use Retrofit with a self-signed or unknown SSL certificate in Android. I have followed all the steps, but unfortunately I get an error (exception).
javax.net.ssl.SSLPeerUnverifiedException: Hostname 195.xx.xx.xx not verified:
certificate: sha1/qvH7lFeijE/ZXxNHI0B/M+AU/aA=
DN: 1.2.840.113549.1.9.1=#160e63726f73704078616b65702e7275,CN=195.xx.xx.xx,OU=Departament of Development,O=CROSP Solutions,L=Chernihiv,ST=Chernihiv,C=UA
subjectAltNames: []
at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:124)
As you can see, the hostnames are the same, but the error is still present.
Please help me deal with this problem; I will be grateful for any help.
Thank you.
PSEUDO-SOLUTION
Of course I searched before and found the HostName Verifier Solution.
I have tried it, and it works. But is it OK to use this workaround? I added the certificate into my app in order to read it dynamically as in the prior example; is it still being used in this case?
The solution with OkHttp is one line (if you followed all the steps in the tutorial).
okHttpClient.setHostnameVerifier(new NullHostNameVerifier());
But I still feel that it is not the best solution. Any thoughts, please?
Interestingly, if the request host is an IP, "CN" is not used to match it; instead,
https://www.rfc-editor.org/rfc/rfc2818#section-3.1
If you use java's keytool, it can be done by
NullHostNameVerifier is also OK for your use case. Your client is trusting only one certificate; as long as the connection uses that certificate, you are secure; the host name doesn't matter here.
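The check behind the exception in the question, as an added example that is not part of the original question or answer: under RFC 2818 section 3.1 a client connecting to an IP address accepts only an iPAddress subjectAltName entry that matches it, so a certificate carrying the IP in CN with an empty subjectAltNames list is rejected. `IpSanVerifier` and its helper names are hypothetical, and the address is a constructed sample.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// IpSanVerifier is a hypothetical name for this added example.
public class IpSanVerifier implements HostnameVerifier {
    private static final Integer SAN_IP_ADDRESS = 7; // GeneralName tag of iPAddress

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return matchesIp(host, leaf.getSubjectAlternativeNames());
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed when the peer certificate cannot be read
        }
    }

    // For an IP host only iPAddress SAN entries count; the subject CN is never consulted.
    static boolean matchesIp(String host, Collection<List<?>> sans) {
        if (sans == null || !isIpLiteral(host)) return false; // null means no SAN extension
        for (List<?> san : sans) {
            if (san.size() == 2 && SAN_IP_ADDRESS.equals(san.get(0))
                    && sameAddress(host, String.valueOf(san.get(1)))) return true;
        }
        return false;
    }

    static boolean isIpLiteral(String s) {
        return s.matches("\\d{1,3}(\\.\\d{1,3}){3}") || s.contains(":");
    }

    static boolean sameAddress(String a, String b) {
        try { // valid IP literals are parsed by InetAddress rather than resolved
            return isIpLiteral(b) && InetAddress.getByName(a).equals(InetAddress.getByName(b));
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String host = "192.0.2.10"; // constructed address from the documentation range
        Collection<List<?>> none = Collections.emptyList(); // like "subjectAltNames: []" above
        Collection<List<?>> ip = Arrays.<List<?>>asList(Arrays.<Object>asList(7, host));
        System.out.println(matchesIp(host, none) + " " + matchesIp(host, ip));
    }
}
```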