By default, all WSO2 products based on Carbon 4.4.6 or later versions have hostname verification disabled. This means that the hostnames accessed by a particular client are not verified against the hostname specified in the product's SSL certificate. Hostname verification is disabled using the org.wso2.ignoreHostnameVerification property in the <PRODUCT_HOME>/bin/wso2server.sh file, as shown below.

Be sure to set this property to false when you go into production. This setting enables hostname verification of HTTP requests and responses in the Carbon server, and thereby avoids security issues in production environments. See the security guidelines for production for the full list of security recommendations.
Carbon 4.4.17 introduced a new property (.hostnameVerifier) for configuring the default hostname verification setting in a Carbon server. This option is therefore available for all WSO2 products that are based on Carbon Kernel 4.4.10 or later versions. You can add this property to the product's startup script (wso2server.sh for Linux and wso2server.bat for Windows), which is stored in the <PRODUCT_HOME>/bin directory, and specify a value as shown below. The property takes effect during server startup.
The values you can use with this property are explained below. If none of these values is specified, the default mode is in effect. Note that these values behave the same as the Synapse hostname verification options:
- Strict: When this mode is enabled, hostnames will be strictly verified against the hostname specified in the product's SSL certificate. For example, if "*.foo.com" is specified as the hostname in the certificate, only the hostnames at the same level will be authorized by the server. That is, subdomains such as "a.b.foo.com" will not be authorized.
- AllowAll: This option turns off hostname verification for the server. Note that this is not recommended in a production setup and should only be used for demonstrations and testing.
- DefaultAndLocalhost: This option works the same as the default mode, except that the following hostnames will not be verified against the hostname in the certificate: "localhost", "localhost.localdomain", "127.0.0.1", "::1". That is, these hostnames will be allowed regardless of the server's certificate.
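To make the difference between the modes concrete, the following added example (constructed for this page, not WSO2 or Synapse code) models which hostnames each mode accepts for a given certificate name. It assumes a wildcard appears only as the leftmost label, and it models the otherwise undefined default mode as browser-compatible matching, where "*.foo.com" also covers deeper subdomains; that last point is an assumption, not something the page states.

```python
"""Constructed model of the Carbon/Synapse hostname verification modes.

Assumptions: a wildcard may only be the leftmost label of a certificate name,
and the "Default" mode is modelled as browser-compatible matching in which
"*.foo.com" also matches deeper subdomains such as "a.b.foo.com".
"""

# Names exempted from verification in DefaultAndLocalhost mode (from the page).
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}


def _match(hostname, cert_name, strict):
    """Match one hostname against one certificate name, case-insensitively."""
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name                 # plain name: exact match only
    suffix = name[1:]                       # "*.foo.com" -> ".foo.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]           # the part the wildcard must cover
    if not prefix:
        return False
    if strict:
        # Strict: the wildcard covers exactly one label, so "a.b.foo.com"
        # is rejected for "*.foo.com" while "a.foo.com" is accepted.
        return "." not in prefix
    return True                             # assumed browser-compatible default


def verify(hostname, cert_names, mode="Default"):
    """Return True if the hostname is accepted for the given mode."""
    if mode == "AllowAll":
        return True                         # verification switched off
    if mode == "DefaultAndLocalhost" and hostname.lower() in LOCALHOST_NAMES:
        return True                         # loopback names bypass the check
    strict = mode == "Strict"
    return any(_match(hostname, n, strict) for n in cert_names)


if __name__ == "__main__":
    # Constructed sample: one wildcard certificate, four candidate hostnames.
    cert = ["*.foo.com"]
    for host in ("a.foo.com", "a.b.foo.com", "localhost", "evil.example"):
        for mode in ("Strict", "Default", "DefaultAndLocalhost", "AllowAll"):
            print(f"{mode:20} {host:14} -> {verify(host, cert, mode)}")
```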
In addition to the above, make sure that the following property is either removed from the product startup script or set to false, as shown below.