Using ip address for common name in server certificate does not work in Android?

Front-end | Unresolved | 1 | 1870
Happy的楠姐 2020-12-31 22:39

I've been investigating this issue and found something interesting. If I use a server keystore which stores server certificate with common name as real domain

1 answer
  • 2020-12-31 23:11

    If I use a server keystore which stores server certificate with common name is real domain for establishing a connection with server it works fine, however if I use ip address instead for the common name it does not work,

    That's how it should work. IP addresses have to be given as a subject alternative name of type IP. Unfortunately different browsers handle this in a different way and often contrary to the standard. Some accept IP in common name, others don't. Some expect the address as DNS entry in the subject alternative section instead of an IP entry. To be on the safe side you should therefore use subject alternative names of both types IP and DNS.

    we can build our own host name verifier which can add an exception for the host name

    Don't do this. If you ignore the host name then the validation is reduced to just the check of the trust chain, which means any certificate signed by a trusted CA can be used for a transparent man-in-the-middle attack against any other host. Even if you disable the name check only for IP addresses it is still possible to use any valid certificate once the user accesses a site by IP.

    0 | Discussion (0)
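Added example, not from the question or the answer above: a small, self-contained Python reimplementation of the matching rule the answer describes (an IP literal is compared only against subject alternative names of type IP, a DNS name only against DNS entries, and the common name is consulted only as a legacy fallback when the certificate carries no DNS SAN). The certificate dicts are constructed here in the shape that `ssl.SSLSocket.getpeercert()` returns; the function names and sample names/addresses (`example.com`, `192.0.2.10`) are assumptions for illustration, and this is not Android's or Python's own verifier.

```python
import ipaddress

# Constructed sample certificates, shaped like the dict returned by
# ssl.SSLSocket.getpeercert(): the CN lives in 'subject', SAN entries in 'subjectAltName'.
CERT_IP_IN_CN_ONLY = {
    # The setup from the question: IP address placed in the common name, no SAN.
    "subject": ((("commonName", "192.0.2.10"),),),
}
CERT_IP_AND_DNS_SAN = {
    # The recommended setup: SAN entries of both type IP and type DNS.
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("IP Address", "192.0.2.10")),
}
CERT_IP_AS_DNS_SAN = {
    # The non-standard variant some clients accept: the address stored as a DNS entry.
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "192.0.2.10"),),
}
CERT_WILDCARD_SAN = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_OTHER_HOST = {
    # A perfectly valid certificate, but issued for a different host.
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"), ("IP Address", "198.51.100.7")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive, one wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # '*.example.com' matches 'api.example.com' but not 'example.com' or 'a.b.example.com'.
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:] and labels[0] != ""
    return pattern == hostname


def _parse_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def verify_hostname(cert, hostname):
    """Return True if `hostname` (a DNS name or an IP literal) is a valid name for `cert`.

    Rules: an IP literal matches only SAN entries of type 'IP Address'; a DNS name matches
    only SAN 'DNS' entries; the CN is consulted only when no DNS SAN entry exists at all.
    """
    san = cert.get("subjectAltName", ())
    ip = _parse_ip(hostname)
    if ip is not None:
        # The CN is never consulted for IP literals, which is why a CN=192.0.2.10 certificate
        # fails on strict clients even though the string matches what the user typed.
        return any(kind == "IP Address" and _parse_ip(value) == ip for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    # Legacy fallback: CN only when the certificate has no DNS SAN entries.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True
    return False


if __name__ == "__main__":
    for label, cert in [("IP in CN only", CERT_IP_IN_CN_ONLY),
                        ("IP + DNS SAN", CERT_IP_AND_DNS_SAN),
                        ("IP as DNS SAN", CERT_IP_AS_DNS_SAN),
                        ("other host", CERT_OTHER_HOST)]:
        print(f"{label:14s} -> 192.0.2.10: {verify_hostname(cert, '192.0.2.10')}")
```

The last case is the one the answer warns about: `CERT_OTHER_HOST` is a valid, trusted certificate, and only the name check keeps it from being accepted for `192.0.2.10`. A custom verifier that returns `True` unconditionally would accept it, and every other trusted certificate, for that address.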