Carbon 4.4.6 introduced the org.wso2.ignoreHostnameVerification system property, which allows you to enable or disable hostname verification for a Carbon server. By default, all WSO2 products based on Carbon 4.4.6 have hostname verification disabled. This setting is disabled using the org.wso2.ignoreHostnameVerification property in the <PRODUCT_HOME>/bin/wso2server.sh file, as shown below.
Be sure to set this property to false when you are going into production. Doing so enables hostname verification of HTTP requests and responses in the Carbon server and thereby avoids security issues in production environments.
Enabling/disabling hostname verification (Carbon 4.4.10 onwards)
Carbon 4.4.10 introduced a new property (.hostnameVerifier) for enabling or disabling hostname verification in a Carbon server. This option is therefore available in all WSO2 products based on Carbon Kernel 4.4.10 or later. Hostname verification is configured using the .hostnameVerifier property in the product startup script (wso2server.sh for Linux and wso2server.bat for Windows), which is stored in the <PRODUCT_HOME>/bin directory. The value you set for this property determines how hostname verification works for your server; because it is set in the startup script, the property takes effect at server startup.
You can set the following values for this property:
- Strict: A wildcard such as "*.foo.com" matches only the subdomains in the same level, for example, "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com".
- AllowAll: Turns off host name verification. Note that this is not recommended in a production setup. This should only be used for demonstrations and testing.
- DefaultAndLocalhost: Works the same as default, except for one additional relaxation: a host of "localhost", "localhost.localdomain", "127.0.0.1" or "::1" always passes, no matter what is in the server's certificate.
If none of the above values is provided, the system works according to the default configuration. The only difference between default and Strict is that with default a wildcard (such as "*.foo.com") matches all subdomains, including "a.b.foo.com".
These values behave the same as the Synapse hostname verification options.
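The following is an added model of the four verifier modes described above (Default, Strict, AllowAll, DefaultAndLocalhost), written to make the wildcard and localhost rules concrete; it is not WSO2 Carbon's or Synapse's own code, and the certificate names and hostnames it checks are constructed samples.

```python
# Model of the documented hostname-verification modes. Added example, not
# WSO2 Carbon code. Certificate names and hosts below are constructed samples.
LOCAL_HOSTS = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}


def name_matches(cert_name: str, host: str, strict: bool) -> bool:
    """Match one certificate name (CN or SAN) against a hostname.

    Default mode: "*.foo.com" matches subdomains at any depth (a.b.foo.com).
    Strict mode:  "*.foo.com" matches exactly one label (a.foo.com only).
    In both modes a wildcard never matches the bare parent domain (foo.com).
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host  # plain names must match exactly
    suffix = cert_name[1:]  # ".foo.com"
    if len(host) <= len(suffix) or not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]  # the part the wildcard stands for
    # Strict: one label only; Default: any number of labels.
    return "." not in covered if strict else True


def verify_hostname(mode: str, host: str, cert_names: list[str]) -> bool:
    """Decide whether `host` is accepted for a certificate carrying `cert_names`.

    `mode` is one of Default, Strict, AllowAll, DefaultAndLocalhost; any other
    value falls back to default behaviour, as the documentation describes.
    """
    if mode == "AllowAll":
        return True  # verification switched off: never use in production
    if mode == "DefaultAndLocalhost" and host.lower() in LOCAL_HOSTS:
        return True  # loopback relaxation regardless of the certificate
    strict = mode == "Strict"
    return any(name_matches(n, host, strict) for n in cert_names)


if __name__ == "__main__":
    cert = ["*.foo.com"]  # constructed certificate name list
    for mode in ("Default", "Strict", "AllowAll", "DefaultAndLocalhost"):
        for host in ("a.foo.com", "a.b.foo.com", "foo.com", "localhost"):
            print(f"{mode:20s} {host:12s} -> {verify_hostname(mode, host, cert)}")
```

Running the script prints the accept/reject decision for each mode and host, which is a quick way to confirm that only AllowAll accepts an unrelated host and that Strict rejects "a.b.foo.com" where Default accepts it.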