I studied this problem and found something interesting. If I use a server-side keystore whose server certificate has a real domain as its common name to establish a connection to the server, it works fine. However, if I use the IP address as the common name instead, it does not work, but only in the native Android application on devices (not in the browser or in the browser application on the Android device). I used openssl to create these two certificates / keystores.
It turns out the exception is about the hostname not being checked.

But the weird thing is that in a desktop browser or on the Android device it works great.

After researching, I found that we can create our own custom hostname verifier that can add an exception for the hostname, but how does the default verifier for Android work? There should be some code that skips the IP address as a common name and returns false.
I checked the okhttp source code and found this line of code that throws an exception

but I cannot find the code configured by the host name verifier.
Can anyone offer me some hints of this?
Thanks ~
Update: after debugging in Android Studio, I found that it actually executes OkHostnameVerifier.
It checks whether the hostname is an IP address; if it is, it checks all the subject alternative names in the certificate, and if one matches it returns true, otherwise false.

    private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
        for (String altName : getSubjectAltNames(certificate, ALT_IPA_NAME)) {
            if (ipAddress.equalsIgnoreCase(altName)) {
                return true;
            }
        }
        return false;
    }

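Added example, not part of the original post: the verifyIpAddress code quoted above matches an IP literal only against iPAddress subjectAltName entries, so a certificate that carries the IP only in its common name fails. The script below builds both kinds of certificate with openssl and checks them with `openssl x509 -checkip`, which likewise looks only at iPAddress SAN entries. It assumes OpenSSL 1.1.1 or later (for `-addext`); the address 192.0.2.10 and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: IP address in the CN only vs. IP address as an iPAddress SAN.
# Assumptions: OpenSSL 1.1.1+ is installed; 192.0.2.10 is a constructed
# documentation address; certificate names are hypothetical.

IP=192.0.2.10
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> [extra "openssl req" args...]
# Creates a short-lived self-signed certificate with CN=$IP.
make_cert() {
    name=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$IP" "$@" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# ip_matches <cert>
# Succeeds only when an iPAddress SAN entry in the certificate equals $IP.
# The CN is not consulted for IP checks.
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$IP" | grep -q 'does match'
}

# Weak form: the IP appears only in the common name.
make_cert cn_only
# Corrected form: the same CN plus an iPAddress subjectAltName.
make_cert with_san -addext "subjectAltName=IP:$IP"

for c in cn_only with_san; do
    if ip_matches "$WORK/$c.crt"; then
        echo "$c: IP verifies"
    else
        echo "$c: IP rejected (no matching iPAddress SAN)"
    fi
done
```

Reissuing the server certificate with the iPAddress SAN lets the default verifier accept the connection without a custom HostnameVerifier that weakens the check.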