If the directory/file paths specified in this guide do not exist in your WSO2 product, see Directory Structure of WSO2 Products to locate the paths applicable to your product.

This content is currently being updated!

Hostname verification is enabled in WSO2 products by default: when a client accesses a hostname, that hostname is verified against the hostname specified in the product's SSL certificate.

Carbon 4.4.10 introduced a new property (httpclient.hostnameVerifier) for configuring the default hostname verification setting in a Carbon server. The property is therefore available in all WSO2 products that are based on Carbon Kernel 4.4.10 or later versions. Add this property to the product's startup script (wso2server.sh for Linux and wso2server.bat for Windows), which is stored in the <PRODUCT_HOME>/bin directory, with a property value as shown below. The value you set for this property determines how hostname verification works for your server. The property takes effect during server startup.

-Dhttpclient.hostnameVerifier=<property_value>

The values you can use with this property are explained below. If none of these values are specified, the default mode will be effective:

  • Strict: When this mode is enabled, hostnames are strictly verified against the hostname specified in the product's SSL certificate. For example, if "*.foo.com" is specified as the hostname in the certificate, only hostnames at the same level are authorized. That is, subdomains such as "a.b.foo.com" are not authorized.
  • AllowAll: This option turns off hostname verification for the server. Note that this is not recommended in a production setup and should only be used for demonstrations and testing.
  • DefaultAndLocalhost: This option works the same as the default mode, except that the following hostnames are not verified against the hostname in the certificate: "localhost", "localhost.localdomain", "127.0.0.1", "::1". That is, these hostnames are allowed regardless of the server's certificate.

These values behave the same as the Synapse hostname verification options.
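
To confirm which mode a server will start with, the script below reads a startup script and reports the configured value, so that an AllowAll setting left over from testing is caught before production. It is an added example, not part of the WSO2 documentation or product: the function name hostname_verifier_mode and the sample script content are constructed, it covers wso2server.sh only, and it assumes the last occurrence applies when the property is repeated.

```shell
#!/bin/sh
# Added example, not WSO2 code: report which hostname verification mode a
# startup script such as <PRODUCT_HOME>/bin/wso2server.sh passes to the JVM.

# Prints AllowAll, Strict, DefaultAndLocalhost or default for the script in $1.
hostname_verifier_mode() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # Drop full-line comments, then extract the value of each occurrence.
    values=$(sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*-Dhttpclient\.hostnameVerifier="\{0,1\}\([A-Za-z]*\).*/\1/p' "$1")
    mode=default
    for v in $values; do
        case "$v" in
            # AllowAll anywhere is reported, even if another value follows it.
            AllowAll) echo "AllowAll"; return 0 ;;
            # Assumption: when the property is repeated, the last one applies.
            Strict|DefaultAndLocalhost) mode=$v ;;
            # Any other value leaves the default mode in effect.
            *) mode=default ;;
        esac
    done
    echo "$mode"
}

# Constructed sample: a fragment shaped like the java invocation in a startup
# script, with one commented-out setting and one active setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# -Dhttpclient.hostnameVerifier=Strict \
java \
    -Dfile.encoding=UTF8 \
    -Dhttpclient.hostnameVerifier=AllowAll \
    com.example.Main
EOF

case $(hostname_verifier_mode "$sample") in
    AllowAll) echo "FINDING: hostname verification is turned off in $sample" ;;
    *)        echo "OK: hostname verification is on in $sample" ;;
esac
rm -f "$sample"
```

Point the function at the real <PRODUCT_HOME>/bin/wso2server.sh in a deployment check and fail the check when it prints AllowAll.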
