SSL Certificate without host name in it

I have implemented a web service with server and client authentication using keytool. The problem is that this authentication doesn't work if I don't include the name of the host in it. For example:

keytool -genkey -alias myAlias -keyalg RSA -keypass myPassword -storepass myPassword -keystore my.keystore -dname "CN=myhost"

But I don't开发者_JS百科 need and I don't like validation by host or by IP. Is there any way of avoiding it?

Thanks.

---

SSL has, as part of it's requirements, validation that the certificate CN matches the hostname that you're connecting to. If the CN doesn't match, then the browser will assume that you're connecting to the wrong host and object.

There is no way around this.

---

I agree with the other posters: if you are using SSL, you almost certainly want hostname verification as part of the SSL security feature set.

That said, depending on the client you are using, there may very well be a way around this issue. Engineers will circumvent hostname verification in test environments, for debugging, prototyping, etc. If you are using a Java client which connects via HttpsURLConnection, it would be as simple as adding the following to your client class:

static {
    HttpsURLConnection.setDefaultHostnameVerifier( 
        new HostnameVerifier(){
            public boolean verify(String string,SSLSession ssls) {
            return true;
        }
    });
}

---

The standard logic is: If you don't need to protect your data, don't use SSL. If you do need to protect it, then you need to know what host you are connecting to. There should be no inbetween.

However in some internal environments, you might have enough control of the network and config to not be worried.

If you are in the latter case, then the solution depends on the client libraries you are using. If you are using HTTP Client, then read the SSL config guide. It may be that you don't need to implement your own SecureProtocolSocketFactory and can just use EasySSLProtocolSocketFactory.