By default, all WSO2 products based on Carbon 4.4.6 or later versions will have hostname verification disabled. This means that hostnames (that are accessed by a particular client) will not be verified against the hostname specified in the product's SSL certificate.
Be sure to enable hostname verification for your production environment. This is necessary to avoid security issues in production. See the full list of security recommendations for production environments.
To enable hostname verification for your product:
Open the product startup script (
wso2server.shfor Linux, or
wso2server.batfor Windows) from the
<PRODUCT_HOME>/bin/directory, and set the following property to 'false':
You can further configure the hostname verification setting by adding the following property (
.hostnameVerifier)to the product startup script.
If you are not using the latest version of your WSO2 product, you may need to get your product updated to use this additional setting.
The values you can use with this property are explained below.
Strict: When this mode is enabled, hostnames will be strictly verified against the hostname specified in the product's SSL certificate. For example, if "*.foo.com" is specified as the hostname in the certificate, only the hostnames at the same level will be authorized by the server. That is, subdomains such as "a.b.foo.com" will not be authorized.
AllowAll: This option turns off hostname verification for the server. Note that this is not recommended in a production setup and should only be used for demonstrations and testing.
DefaultAndLocalhost: This option works the same as the default mode, except that the following hostnames will not be verified against the hostname in the certificate: "localhost", "localhost.localdomain", "127.0.0.1", "::1". That is, these hostnames will be allowed regardless of the server's certificate.
Note that these values will behave the same as synapse hostname verification options.