I've been trying for days to get this working. I'm trying to connect to my server over https with a self-signed certificate. I don't think there is any p
During cert generation the subjectAltName
must be set if the URI is an IP, so that it does not fall through validation.
"In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI." (from the RFC, mentioned by Bas in a comment)
Instead of fiddling client-side with HostnameVerifier
or the like, reissue the self-signed cert (which we have control over) via:
openssl req \
    -newkey rsa:2048 \
    -nodes \
    -x509 \
    -days 36500 \
    -addext "subjectAltName = IP.1:1.2.3.4" \
    -keyout /etc/ssl/private/nginx-selfsigned2.key \
    -out /etc/ssl/certs/nginx-selfsigned2.crt
Addendum: if on Android, one also needs to trust the cert.
The crt is in PEM format and can be imported into Android via
Thus we verify the cert is from a trusted source, and previously, by hostname verification (via SAN), ensured that the server we talk to presents the right cert for its IP.
More here: https://developer.android.com/training/articles/security-config https://developer.android.com/training/articles/security-ssl.html#SelfSigned
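As an added example (not code from the question or the answer above), the following POSIX shell script mints two self-signed certificates for a placeholder IP, one with an iPAddress subjectAltName and one with only CN set to the IP, and then uses openssl itself to check that the SAN is present and that verification with -verify_ip succeeds only for the SAN cert. The extension is supplied through a throwaway config file instead of -addext, which also works on OpenSSL versions older than 1.1.1 that lack -addext. The IP 1.2.3.4, the file names and the temporary directory are placeholders; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer. Shows that an IP in the
# CN alone is not enough: OpenSSL's IP check only consults the iPAddress
# subjectAltName. IP 1.2.3.4 and all file names are placeholders.
set -eu

# gen_cert DIR NAME IP SAN -> writes DIR/NAME.key and DIR/NAME.crt
# SAN=yes adds "subjectAltName = IP:<ip>"; SAN=no only sets CN=<ip>.
gen_cert() {
    dir=$1; name=$2; ip=$3; san=$4
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$san" = yes ]; then
            printf 'x509_extensions = v3_san\n'
        fi
        printf '[dn]\nCN = %s\n' "$ip"
        printf '[v3_san]\nsubjectAltName = IP:%s\n' "$ip"
    } > "$dir/$name.cnf"
    # -config replaces -addext so this also runs on OpenSSL < 1.1.1
    openssl req -x509 -newkey rsa:2048 -nodes -days 36500 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# has_ip_san CRT IP -> true if CRT lists IP under Subject Alternative Name
has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# verifies_for_ip CRT IP -> true if openssl accepts the self-signed CRT as
# its own trust anchor AND the iPAddress SAN matches IP (CN is ignored).
# The result is read from the "<file>: OK" line rather than the exit code,
# because old openssl versions returned 0 even on verification failure.
verifies_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Demo run on placeholder data: SAN cert vs. CN-only cert for 1.2.3.4
demo() {
    work=$(mktemp -d)
    gen_cert "$work" san 1.2.3.4 yes
    gen_cert "$work" cnonly 1.2.3.4 no
    has_ip_san "$work/san.crt" 1.2.3.4 && echo "san.crt: iPAddress SAN present"
    verifies_for_ip "$work/san.crt" 1.2.3.4 && echo "san.crt: verifies for 1.2.3.4"
    verifies_for_ip "$work/san.crt" 5.6.7.8 || echo "san.crt: rejected for 5.6.7.8"
    verifies_for_ip "$work/cnonly.crt" 1.2.3.4 || echo "cnonly.crt: rejected, CN is not consulted"
    rm -rf "$work"
}

demo
```

The same checks apply to the nginx certificate from the answer: `openssl x509 -in /etc/ssl/certs/nginx-selfsigned2.crt -noout -text` should show `IP Address:1.2.3.4` under Subject Alternative Name, and `openssl verify -CAfile <crt> -verify_ip 1.2.3.4 <crt>` should print `OK` before you bother with the client side.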