Android HttpClient – Hostname Mismatch Error

Android HttpClient – Hostname in Certificate Didn’t Match Error

This article addresses a common issue encountered when using the Android HttpClient library: “hostname in certificate didn’t match <example.com> != <*.example.com>”. This error signifies a mismatch between the hostname in the server’s SSL certificate and the hostname you are attempting to connect to.

Understanding the Error

When connecting to a secure HTTPS endpoint, your client (Android application) verifies the server’s identity using an SSL certificate. This certificate contains information like the server’s hostname. If the hostname in the certificate does not match the hostname you are trying to connect to, the connection is deemed insecure, resulting in the error.

Scenario:

  • Certificate hostname: *.example.com
  • Connection hostname: example.com

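This discrepancy arises because a certificate for “*.example.com” covers subdomains one level below “example.com” (such as www.example.com), with “*” standing for a single label, but it does not cover the root domain itself, which is what your connection targets.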
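The wildcard rule behind this scenario, as an added example (not code from the original article or from the Android platform): a simplified matcher run over two constructed name lists. The class and method names are hypothetical, and the matcher ignores IP addresses, internationalized names and partial-label wildcards.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class WildcardMatchDemo {

    // True if a single certificate DNS name covers the host. "*" is honoured only
    // as the whole left-most label and stands for exactly one label.
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = certName.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);                    // plain name: exact match only
        }
        String suffix = p.substring(1);            // "*.example.com" -> ".example.com"
        if (!h.endsWith(suffix)) {
            return false;                          // unrelated host, or the root domain itself
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");  // one non-empty label
    }

    // True if any name listed in the certificate covers the host.
    static boolean covered(String host, List<String> certNames) {
        for (String name : certNames) {
            if (matches(host, name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed name lists, not taken from a real certificate.
        List<String> wildcardOnly = Arrays.asList("*.example.com");
        List<String> wildcardAndRoot = Arrays.asList("*.example.com", "example.com");
        String[] hosts = {"example.com", "www.example.com", "api.v2.example.com"};
        for (String host : hosts) {
            System.out.printf("%-20s wildcardOnly=%-5b wildcardAndRoot=%b%n",
                    host, covered(host, wildcardOnly), covered(host, wildcardAndRoot));
        }
    }
}
```

The second list corresponds to the server-side fix, a certificate that also names the root domain; the client-side alternative is to connect to a name the certificate already covers.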

Root Causes

1. Incorrect Configuration

  • The server certificate is incorrectly configured for the intended domain.
  • The client code is explicitly hardcoding a hostname that differs from the server’s certificate.

2. Mismatched Hostname

  • The server is accessed via a different hostname than the one specified in the certificate.
  • A proxy is being used, and the hostname in the certificate does not match the hostname being used in the proxy.

3. SSL Library Behavior

  • Some SSL libraries are stricter about hostname verification than others.

Troubleshooting Steps

1. Verify Certificate Details

Use an online SSL checker like SSL Labs (https://www.ssllabs.com/ssltest/) to analyze the server’s SSL certificate. Check if the hostname in the certificate matches the intended connection hostname.

2. Review Client Code

  • Ensure the connection hostname in your Android client code matches the hostname in the server certificate.
  • Examine any use of hardcoded hostnames and ensure consistency.

3. Check Network Configuration

  • If you are using a proxy, verify the hostname matches the certificate’s details.
  • Check if the hostname is properly configured for the server.

4. Consider SSL Library Settings

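  • Investigate whether your SSL library offers options to configure hostname verification behavior. Options that adjust which names are accepted keep the server identity check intact; an option that accepts any hostname removes it.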
  • Ensure the SSL library version is up-to-date, as updates may address compatibility issues.

Example Code

Incorrect Configuration (Using HttpURLConnection):

// Fails when the certificate lists only *.example.com: the root domain is not covered
URL url = new URL("https://example.com");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.connect();

Correct Configuration:

// www.example.com is one label below example.com, so *.example.com covers it
URL url = new URL("https://www.example.com");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.connect();

Conclusion

The “hostname in certificate didn’t match” error arises due to discrepancies between the hostname in the SSL certificate and the hostname being used for connection. By following the troubleshooting steps and verifying the relevant configurations, you can resolve this issue and establish a secure connection.

