Problem description:

I have a tomcat-hibernate-hsqldb setup and I want to use SSL to secure data transfer between my application and hsqldb. However, I need to pre-install a certificate which can be used at any deployment. I do not want to use a new certificate for each new deployment site. For this, if I just use a self-signed certificate issued to any random Common Name and then install the same certificate in the trust store of tomcat, then I get this exception

 java.net.UnknownHostException: Certificate Common Name[random name] does not match host name[192.168.100.10]

I need to disable hostname verification in this setup, but all the info I found on web points to the mechanism of disabling it for HttpsURLConnection.

I believe hsqldb has custom code to do it, in the file

org.hsqldb.server.HsqlSocketFactorySecure

Here is the method, which does this:

    protected void verify(String host, SSLSession session) throws Exception {

        X509Certificate[] chain;
        X509Certificate   certificate;
        Principal         principal;
        PublicKey         publicKey;
        String            DN;
        String            CN;
        int               start;
        int               end;
        String            emsg;

        // the first certificate in the peer chain is the server's own certificate
        chain       = session.getPeerCertificateChain();
        certificate = chain[0];
        principal   = certificate.getSubjectDN();
        DN          = String.valueOf(principal);

        // locate the CN attribute inside the subject DN string by plain text search
        start = DN.indexOf("CN=");

        if (start < 0) {
            throw new UnknownHostException(
                Error.getMessage(ErrorCode.M_SERVER_SECURE_VERIFY_1));
        }

        start += 3;
        end   = DN.indexOf(',', start);
        CN    = DN.substring(start, (end > -1) ? end
                                               : DN.length());

        if (CN.length() < 1) {
            throw new UnknownHostException(
                Error.getMessage(ErrorCode.M_SERVER_SECURE_VERIFY_2));
        }

        // the CN must equal the host string used to connect; no other name in the
        // certificate is consulted
        if (!CN.equalsIgnoreCase(host)) {

            // TLS_HOSTNAME_MISMATCH
            throw new UnknownHostException(
                Error.getMessage(
                    ErrorCode.M_SERVER_SECURE_VERIFY_3, 0,
                    new Object[] {
                CN, host
            }));
        }
    }

Is there a way to somehow bypass this mechanism and disable hostname validation?
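As an added example (not HSQLDB code and not from the original post), the following class reproduces the CN extraction of the verify method above so that a deployer can check, before rolling out a certificate, whether its subject will pass HSQLDB's check for the host string the client will connect with. The class name HsqlCnCheck and the sample subject DNs are constructed for the illustration.

```java
import java.net.UnknownHostException;

/**
 * Pre-deployment check (example, not HSQLDB code): would the CN rule in
 * HsqlSocketFactorySecure.verify() accept this certificate subject for a
 * connection to the given host string?
 */
public class HsqlCnCheck {

    /** Same extraction as verify(): the text between "CN=" and the next ','. */
    static String extractCn(String dn) throws UnknownHostException {
        int start = dn.indexOf("CN=");
        if (start < 0) {
            throw new UnknownHostException("subject has no CN: " + dn);   // VERIFY_1 case
        }
        start += 3;
        int end = dn.indexOf(',', start);
        String cn = dn.substring(start, end > -1 ? end : dn.length());
        if (cn.isEmpty()) {
            throw new UnknownHostException("subject has empty CN: " + dn); // VERIFY_2 case
        }
        return cn;
    }

    /** True when the CN equals the host string ignoring case; no other name is consulted. */
    static boolean accepts(String dn, String host) {
        try {
            return extractCn(dn).equalsIgnoreCase(host);                  // VERIFY_3 otherwise
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The host string is whatever the client puts in its connection URL; here the
        // IP address from the question, so the certificate must carry that exact value.
        String host = "192.168.100.10";
        String[] subjects = {                      // constructed sample subject DNs
            "CN=random name, O=Example",           // the question's setup: rejected
            "CN=192.168.100.10, O=Example",        // CN equals the connect string: accepted
            "O=Example, CN=192.168.100.10",        // CN need not be the first RDN: accepted
            "CN=192.168.100.10",                   // no trailing RDN, end == -1 path: accepted
            "CN=db.example.com, O=Example",        // only accepted if clients connect by that name
            "O=Example",                           // no CN at all: rejected
            "CN=, O=Example"                       // empty CN: rejected
        };
        for (String dn : subjects) {
            System.out.printf("%-34s -> %s%n", dn, accepts(dn, host) ? "accepted" : "rejected");
        }
    }
}
```

Because the comparison is against the literal host string, one certificate can serve every site only if every client uses the same name to reach the server (for example a fixed DNS alias), which is the option left open by the verify method as written.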

Answer:

Asked the same question on hsqldb forums and got to know that there is no workaround to this. The only thing you could do is to comment out the code which is calling the verify method and then rebuild the jar. I am still puzzled why hsqldb didn't use the HostnameVerifier (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/HostnameVerifier.html), which would have made it easier to write a custom Hostname Verifier.
