HttpsURLConnection and SSL Hostname Verification

2009 Feb 12 at 15:28 » Tagged as: security, certification

Ever visited a site where the SSL certificate doesn't quite match the Fully Qualified Domain Name (FQDN) of that site? Nowadays Firefox will simply refuse to take you there unless you add an exception for that site. Even high-profile sites like Google AdSense are affected by this.

What happens when you try to retrieve a page on such a site using an HttpsURLConnection? You end up with an SSLHandshakeException. But what if you don't mind the host name mismatch? You know that the certificate does belong to the organization that owns the particular website, and you are only using SSL because you don't want anyone to sniff your username or password. What you can do then is replace the default HostnameVerifier with one of your own:
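An added example, not the original post's code: a verifier that returned true for every host would accept any trusted certificate for any site, so this one tolerates the mismatch for a single host only, and only when the certificate carries the one name you expect. The host `www.example.com`, the certificate name `example.com` and the class name are hypothetical placeholders, and only subjectAltName dNSName entries are checked.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class SingleHostException {
    // Hypothetical names: the host we connect to and the name its certificate carries.
    static final String HOST = "www.example.com";
    static final String CERT_NAME = "example.com";

    /** Accepts the mismatch only for HOST, and only if the certificate names CERT_NAME. */
    static final HostnameVerifier VERIFIER = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            if (!HOST.equalsIgnoreCase(hostname)) return false; // no exception for other hosts
            try {
                Certificate leaf = session.getPeerCertificates()[0];
                return leaf instanceof X509Certificate
                        && hasDnsName((X509Certificate) leaf, CERT_NAME);
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false; // fail closed when the peer certificate cannot be read
            }
        }
    };

    static boolean hasDnsName(X509Certificate cert, String wanted)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // certificate has no subjectAltName extension
        for (List<?> san : sans) {
            // Entry layout is [Integer type, value]; type 2 is dNSName.
            if (Integer.valueOf(2).equals(san.get(0))
                    && wanted.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://" + HOST + "/").openConnection();
        conn.setHostnameVerifier(VERIFIER); // this connection only, not the JVM-wide default
        System.out.println(conn.getResponseCode());
    }
}
```

Certificate chain validation by the trust manager still runs before the verifier is consulted, so the exception covers the name mismatch and nothing else.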