SSL Certificate Server Name Resolution
In SSL certificates, server names are resolved primarily based on the Subject Alternative Name (SAN) field. In most cases, browsers use SANs to verify the identity of the website they are connecting to. However, Java-based applications seem to have a different behavior, relying exclusively on SANs for server name validation.
Why the Distinction?
RFC 2818 defined that browsers could use either the Common Name (CN) or SAN fields for server name verification. RFC 6125 later deprecated the use of CN and recommended the exclusive use of SANs. Java applications generally adhere to RFC 6125, while some browsers may still accept CNs for compatibility reasons.
Adding Alternative Names using Keytool
Keytool allows the addition of SANs to SSL certificates using the "-ext" option. The following commands can be used to add alternative names:
-ext san=dns:www.example.com -ext san=ip:10.0.0.1
Can I use OpenSSL instead?
Yes, OpenSSL can also be used to create SSL certificates with SANs. To do this, modify the "openssl.cnf" configuration file as follows:
[req] req_extensions = v3_req [ v3_req ] subjectAltName=IP:10.0.0.1 # or subjectAltName=DNS:www.example.com
Alternatively, set the environment variable OPENSSL_CONF to the location of the modified "openssl.cnf" file.
The above is the detailed content of How Do Java Applications and Browsers Differ in SSL Server Name Resolution?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
