From 41db0343d946ced6ac10b2ba0f247686f4a44ff2 Mon Sep 17 00:00:00 2001
From: Ramkumar K
Date: Thu, 29 Aug 2024 14:48:56 +0530
Subject: [PATCH] 7472-Hostname verification-3 7472-Hostname verification-3 #7472
---
.../feature/transportSecurity/examples.adoc | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/modules/reference/pages/feature/transportSecurity/examples.adoc b/modules/reference/pages/feature/transportSecurity/examples.adoc
index 4267ec8d5..2d049bb31 100644
--- a/modules/reference/pages/feature/transportSecurity/examples.adoc
+++ b/modules/reference/pages/feature/transportSecurity/examples.adoc
@@ -172,10 +172,22 @@ cert_defaultKeyStore="-----BEGIN CERTIFICATE----- [#hostverify] === Hostname verification -Open Liberty performs hostname verification on SSL certificates. If you want to disable the hostname verification functionality, the `verifyHostname` attribute within the `ssl` tag must be initialized to `false`. +In Open Liberty, hostname and IP address verification are enabled by default. This verification is enforced for target servers in all SSL connections by using the Open Liberty socket factories. However, you can specify a list of hostnames, IP addresses, or both to skip verification. + +To disable hostname verification entirely, set the `verifyHostname` attribute within the `ssl` tag to `false`. + +[source,xml] +---- + +---- + +When hostname verification is enabled (`verifyHostname="true"`), you can specify hostnames or IP addresses to be skipped for verification by using the `skipHostnameVerificationForHosts` attribute within the `ssl` tag. [source,xml] ---- - + ---- +Additionally, hostname verification for only HTTP connections can be controlled separately by using the `httpHostNameVerification` attribute within the `sslDefault` tag. If `httpHostNameVerification` attribute is set to `true` and `verifyHostname` attribute is set to `false`, hostname verification can still be enforced on HTTP connections, but not on other connections. + +