Topic
  • 7 replies
  • Latest Post - ‏2014-08-25T19:05:16Z by dgowda01
dgowda01 (32 Posts)

Pinned topic Ignore hostname verification in TDI

2014-08-18T17:49:36Z

When making an HTTPS connection to a web service (the InvokeSOAPWS function), TDI throws an error about the certificate not matching the hostname. Now, the certificate presented by the web service is added to the TDI truststore, and CA trust is not an issue. It is a self-signed certificate issued to a hostname different from the app server hostname, and TDI doesn't like it at all. Does anyone know how I can instruct TDI to ignore hostname verification?

  • dgowda01 (32 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-18T21:18:56Z

    I am working around the problem by adding an entry to the /etc/hosts file with the CN in the certificate, but this is not ideal. Has anybody had this issue before? What did you do to tell TDI not to perform hostname verification?

  • FrankBrandt (17 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-19T14:31:28Z
    • dgowda01
    • 2014-08-18T21:18:56Z

    I am working around the problem by adding an entry to the /etc/hosts file with the CN in the certificate, but this is not ideal. Has anybody had this issue before? What did you do to tell TDI not to perform hostname verification?

    Hi,

    We had the same problem and extended /etc/hosts. We did not investigate further, as this was working for us and we only need to connect to 1 host.

    Best Regards,

    Frank

  • dgowda01 (32 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-19T19:06:00Z

    Hi,

    We had the same problem and extended /etc/hosts. We did not investigate further, as this was working for us and we only need to connect to 1 host.

    Best Regards,

    Frank

    Thanks for the response, Frank. It works. But it's not the perfect solution. I am looking for a proper solution, because if there were a wild-card certificate, then we could not work around it by adding to /etc/hosts.

  • yn2000 (1086 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-25T14:17:15Z
    • dgowda01
    • 2014-08-19T19:06:00Z

    Thanks for the response, Frank. It works. But it's not the perfect solution. I am looking for a proper solution, because if there were a wild-card certificate, then we could not work around it by adding to /etc/hosts.

    Wait a sec. You are talking about a self-signed certificate generated by one host name that is being used by another host name, right? That is a 'temporary' situation and it is solved by a 'temporary' solution, right? If you want a 'perfect' solution, don't you want to choose a 'perfect' SSL configuration with a 'perfect' CA? Because, with a 'perfect' CA that accommodates the 'wild-card', you do not need this 'temporary' solution, isn't it?

    Please try it out.
    Rgds. YN.

  • dgowda01 (32 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-25T14:31:57Z
    • yn2000
    • 2014-08-25T14:17:15Z

    Wait a sec. You are talking about a self-signed certificate generated by one host name that is being used by another host name, right? That is a 'temporary' situation and it is solved by a 'temporary' solution, right? If you want a 'perfect' solution, don't you want to choose a 'perfect' SSL configuration with a 'perfect' CA? Because, with a 'perfect' CA that accommodates the 'wild-card', you do not need this 'temporary' solution, isn't it?

    Please try it out.
    Rgds. YN.

    Thanks @YN for bumping up the thread.

    In this case, the certificate was issued to a portal URL/hostname, which is different from the app server hosting the web service. The same could be said of certs issued to load-balancer hostnames. The problem is not the CA. The CA is trusted. It is the CN / 'Issued to' that does not match the hostname of the server on which the web service is running. Even if I had the perfect CA, with a wildcard cert, the question stands.
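    The check that fails in the situation described above, shown as an added Python example that is not code from this thread or from TDI: a TLS client compares the hostname it connected to against the DNS names in the certificate's subjectAltName (the subject CN, the 'Issued to' field, is only a legacy fallback when no DNS SAN exists), and a wildcard covers exactly one label. The certificates and hostnames (portal.example.test, appserver01.example.test) are constructed for illustration. It shows why a certificate issued to the portal name is rejected for the app server, why a wildcard certificate covers a sibling name but not a deeper subdomain or the bare domain, and that the fix which keeps verification enabled is to reissue the certificate with the app server's name as an additional SAN rather than to switch the check off.

```python
# Added example (not from the thread or from TDI): the hostname check a TLS
# client performs against the names in the server certificate, modelled on
# RFC 6125 DNS-ID matching. All names below are constructed for illustration.
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate DNS name `pattern` covers `hostname`.

    Rules applied: comparison is case-insensitive; a '*' wildcard is accepted
    only as the entire leftmost label and only when at least two labels follow
    it (so '*.test' never matches); the wildcard covers exactly one label, so
    '*.example.test' covers neither 'a.b.example.test' nor bare 'example.test'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # Reject wildcards outside the leftmost label and partial ones like 'app*'.
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if p[0] == "*" and len(p) < 3:
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def verify_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Emulate the check that produced the error in the thread.

    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert():
    {'subject': ((('commonName', 'x'),),), 'subjectAltName': (('DNS', 'x'), ...)}
    When the certificate carries any DNS SAN, only the SANs are consulted; the
    subject CN ('Issued to') is a fallback used only when no DNS SAN exists.
    """
    san_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_names:
        candidates, source = san_names, "subjectAltName"
    else:
        candidates = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
                      if k == "commonName"]
        source = "commonName"
    for name in candidates:
        if dns_name_matches(name, hostname):
            return True, f"{hostname} matched {source} {name!r}"
    return False, f"{hostname} matches none of {source} {candidates}"


# Constructed certificates (constructed names, not real hosts).
CERT_ISSUED_TO_PORTAL = {            # the situation in the thread
    "subject": ((("commonName", "portal.example.test"),),),
    "subjectAltName": (("DNS", "portal.example.test"),),
}
CERT_WITH_APP_SERVER_SAN = {         # the fix that keeps verification enabled
    "subject": ((("commonName", "portal.example.test"),),),
    "subjectAltName": (("DNS", "portal.example.test"),
                       ("DNS", "appserver01.example.test")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"),),
}
CERT_CN_ONLY = {                     # no SAN at all: CN fallback applies
    "subject": ((("commonName", "appserver01.example.test"),),),
}
CERT_CN_IGNORED = {                  # CN matches, but a SAN exists, so CN is ignored
    "subject": ((("commonName", "appserver01.example.test"),),),
    "subjectAltName": (("DNS", "portal.example.test"),),
}

APP_SERVER = "appserver01.example.test"


def demo() -> dict[str, bool]:
    """Run each scenario; True means the client would accept the connection."""
    return {
        "portal_cert_vs_appserver": verify_hostname(CERT_ISSUED_TO_PORTAL, APP_SERVER)[0],
        "san_fixed_cert_vs_appserver": verify_hostname(CERT_WITH_APP_SERVER_SAN, APP_SERVER)[0],
        "wildcard_vs_appserver": verify_hostname(CERT_WILDCARD, APP_SERVER)[0],
        "wildcard_vs_deeper_subdomain": verify_hostname(CERT_WILDCARD, "appserver01.dc1.example.test")[0],
        "wildcard_vs_apex": verify_hostname(CERT_WILDCARD, "example.test")[0],
        "cn_only_fallback": verify_hostname(CERT_CN_ONLY, APP_SERVER)[0],
        "cn_ignored_when_san_present": verify_hostname(CERT_CN_IGNORED, APP_SERVER)[0],
    }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label}: {'accepted' if accepted else 'hostname mismatch'}")
```

    Running the file prints one line per scenario. The certificate dicts follow the shape of Python's ssl.SSLSocket.getpeercert(), so verify_hostname can be pointed at a real peer certificate to see which name a client would have needed; the only outcome that changes the first scenario from "hostname mismatch" to "accepted" without weakening the client is the SAN-extended certificate.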

  • yn2000 (1086 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-25T17:53:38Z
    • dgowda01
    • 2014-08-25T14:31:57Z

    Thanks @YN for bumping up the thread.

    In this case, the certificate was issued to a portal URL/hostname, which is different from the app server hosting the web service. The same could be said of certs issued to load-balancer hostnames. The problem is not the CA. The CA is trusted. It is the CN / 'Issued to' that does not match the hostname of the server on which the web service is running. Even if I had the perfect CA, with a wildcard cert, the question stands.

    If I have a CA that is based on the domain where everybody honors it, then it has nothing to do with the hostname, right?

    My reply stands. :-)

    Rgds. YN.

  • dgowda01 (32 Posts)

    Re: Ignore hostname verification in TDI

    2014-08-25T19:05:16Z
    • yn2000
    • 2014-08-25T17:53:38Z

    If I have a CA that is based on the domain where everybody honors it, then it has nothing to do with the hostname, right?

    My reply stands. :-)

    Rgds. YN.

    That's what you'd expect. But TDI also enforces hostname verification (by default), at least in HTTPS and its implementations (SOAP, in my case). Hence this thread. I can't seem to figure out how to bypass it.