From 27de5610e860e2882229de50e7f9ae18b1a3a13c Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Fri, 6 Sep 2024 12:40:55 +0530 Subject: [PATCH] 7472-Hostname verification-Dvd-cmts-1 7472-Hostname verification-Dvd-cmts-1 #7472 --- modules/ROOT/pages/troubleshooting.adoc | 1 + .../feature/transportSecurity/examples.adoc | 20 ++++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/troubleshooting.adoc b/modules/ROOT/pages/troubleshooting.adoc index acfa9e0f6..e124645d4 100644 --- a/modules/ROOT/pages/troubleshooting.adoc +++ b/modules/ROOT/pages/troubleshooting.adoc @@ -273,6 +273,7 @@ Exception thrown while trying to read configuration and update ManagedServiceFac This error occurs when a keystore element exists in the configuration without an ID field. If you use a minimal TLS configuration, set the `ID` field to `defaultKeyStore`. +[#hostverify] === You receive the CWPKI0824E message that SSL handshake failure due to hostname verification error If you try to access a URL, you might see the following message. diff --git a/modules/reference/pages/feature/transportSecurity/examples.adoc b/modules/reference/pages/feature/transportSecurity/examples.adoc index 6f68f5adc..a2e968289 100644 --- a/modules/reference/pages/feature/transportSecurity/examples.adoc +++ b/modules/reference/pages/feature/transportSecurity/examples.adoc 
@@ -172,11 +172,25 @@ cert_defaultKeyStore="-----BEGIN CERTIFICATE----- [#hostverify] === Hostname and IP address verification -In Open Liberty, hostname and IP address verification are enabled by default. This verification is enforced for target servers in all SSL connections through Open Liberty socket factories. However, you can specify a list of hostnames, IP addresses, or both to skip verification. +Hostname and IP address verification are enabled by default. This verification is enforced for target servers in all SSL connections through Open Liberty socket factories. However, you can specify a list of hostnames, IP addresses, or both to skip verification. + +To disable hostname verification entirely, set the `verifyHostname` attribute within the `ssl` tag to `false`. + +[source,xml] +---- + +---- + +When hostname verification is enabled, you can skip verification for hostnames or IP addresses that are specified in the `skipHostnameVerificationForHosts` attribute within the `ssl` tag. + +[source,xml] +---- + +---- The verification makes sure that the hostname or IP address in the URL matches the Subject Alternative Name (SAN) in the SSL certificate of the server. If the SAN is not found, the property makes sure that the hostname in the URL matches the Common Name (CN). If a mismatch exists, the SSL connection is rejected. -Typically, during hostname verification, when the hostname is used in the request, it checks against the DNSName entry in the SAN. If the SAN does not contain a DNSName entry, hostname verification uses the certificate owner's common name (CN). When an IP address is used in the request, hostname verification relies on the IP address information in the SAN only. +Typically, during hostname verification, when the hostname is used in the request, it checks against the `DNSName` entry in the SAN. If the SAN does not contain a `DNSName` entry, hostname verification uses the certificate owner's Common Name (CN). 
When an IP address is used in the request, hostname verification relies on the IP address information in the SAN only. -For more information, see xref:pages/troubleshooting.adoc#Troubleshooting_SSL[Troubleshooting SSL and TLS] +For more information, see xref:ROOT/troubleshooting.adoc#Troubleshooting_SSL[Troubleshooting SSL and TLS]
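Review bot: the `[#hostverify]` anchor added in troubleshooting.adoc is not referenced anywhere in this patch; the xref that the examples.adoc hunk rewrites still points at `#Troubleshooting_SSL`, so readers of the hostname-verification section are sent to the top of the SSL troubleshooting page rather than to the CWPKI0824E entry this anchor marks. Either point that xref at `ROOT:troubleshooting.adoc#hostverify[...]` or drop the anchor. Note also that the same id `[#hostverify]` already exists in examples.adoc (visible in the second hunk's context); Antora scopes ids per page, so it is not a build error, but a more specific id such as `cwpki0824e-hostname-verification` would avoid confusion when the two pages cross-link.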
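Review bot: the rewritten xref on the last changed line, `xref:ROOT/troubleshooting.adoc#Troubleshooting_SSL[...]`, separates module and page with a slash; Antora resource IDs use a colon (`module:page.adoc`), so as written this resolves to a page `ROOT/troubleshooting.adoc` inside the current `reference` module and will produce a broken link. Use `xref:ROOT:troubleshooting.adoc#Troubleshooting_SSL[Troubleshooting SSL and TLS]` and end the sentence with a period. Two further points in this hunk: the two `[source,xml]` blocks appear empty between their `----` delimiters here, so confirm each actually carries the `ssl` element with the attribute the preceding sentence names (`verifyHostname="false"` in the first, `skipHostnameVerificationForHosts` with a sample host list in the second), otherwise they render as blank boxes; and the paragraph that introduces `verifyHostname="false"` should say what the setting gives up, namely that the client will then accept a certificate that chains to a trusted CA regardless of which name it was issued for, so a misdirected or impersonated server is not detected. A one-line caution recommending `skipHostnameVerificationForHosts` for the specific hosts that need it instead of disabling the check globally would make the two examples read as the intended order of preference.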