Java keytool command with IP addresses

I am trying to get an image through an HTTPS URL and I am having some problems. I am creating a keystore using the Java keytool command. If I specify a common name (CN) equal to my host name, for example CN=JONMORRA, and then query through my host name, for example https://JONMORRA:8443/, then it works fine. However, if I specify the common name as my IP address, for example CN=192.168.56.1, and make a request through my IP address, for example https://192.168.56.1:8443/, then I get an error message:

Invalid HTTPS hostname: must be <192.168.56.1>

This indicates that my host name is incorrect, although it is what I specified in the keystore.

I would like to use IP addresses instead of host names, so I can query between Linux and Windows boxes without worrying about host names.

Why is the CN not accepting IP addresses, and how do I fix it?

Thanks

+2
java ssl keystore keytool
2 answers

This snippet may work for you:

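    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            // Log the host name from the URL next to the peer host of the TLS session.
            System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
            // Returning true accepts every host name, so host name
            // verification is switched off for HttpsURLConnection.
            return true;
        }
    };
    // Install the verifier as the JVM-wide default for HttpsURLConnection.
    HttpsURLConnection.setDefaultHostnameVerifier(hv);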

If you try to use this code and it does not work, write what is printed for urlHostName and session.getPeerHost().

Also, why do you need to use IP addresses rather than host names to interact with Windows and Linux boxes?

+4

The HTTPS specification (RFC 2818) is quite clear about authenticating a server by IP address: the certificate must contain a subject alternative name (IP) entry (whereas the CN in the subject DN would be sufficient as a fallback for a host name).

Although not all clients (in particular, not all browsers) implement this check strictly, the default Java host name verifier does.

Creating a certificate with an IP SAN entry can be done using OpenSSL, for example, or (not available at the time of this question/answer) using the Java 7 keytool.

See this question for details: How are SSL certificate server names resolved / Can I add alternative names using keytool?

+1
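
A way to check whether a keystore certificate satisfies the IP SAN rule described in the answer above (an added example, not part of the original thread). The class name SanCheck and the keystore file name, alias and password are assumptions for illustration; the keytool `-ext san=ip:` option needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Added example; file name, alias and password below are placeholders.
// Create a keystore whose certificate carries an IP SAN (keytool from Java 7 or later):
//   keytool -genkeypair -alias server -keyalg RSA -keystore server.jks \
//       -storepass changeit -dname "CN=192.168.56.1" -ext san=ip:192.168.56.1
// Then run: java SanCheck server.jks changeit server 192.168.56.1
public class SanCheck {
    static final int IP_ADDRESS = 7; // GeneralName tag for iPAddress (RFC 5280)

    /** RFC 2818 rule for an IP literal: only an iPAddress SAN counts; the CN is ignored. */
    static boolean matchesIp(X509Certificate cert, String ipLiteral) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN extension: a CN-only certificate never matches
        InetAddress wanted = InetAddress.getByName(ipLiteral); // literal input: no DNS lookup
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            if (type == IP_ADDRESS && InetAddress.getByName((String) san.get(1)).equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java SanCheck <keystore> <storepass> <alias> <ip>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + args[2]);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("SANs:    " + cert.getSubjectAlternativeNames());
        System.out.println(matchesIp(cert, args[3])
                ? "OK: iPAddress SAN covers " + args[3]
                : "FAIL: no iPAddress SAN for " + args[3] + "; Java's default check rejects it");
    }
}
```

Run against a keystore generated with only CN=192.168.56.1 and no `-ext` option, the check reports FAIL, which corresponds to the host name error in the question.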
