views: 269
answers: 3

I have implemented a web service with server and client authentication using keytool. The problem is that this authentication doesn't work if I don't include the name of the host in it. For example:

keytool -genkey -alias myAlias -keyalg RSA -keypass myPassword -storepass myPassword -keystore my.keystore -dname "CN=myhost"

But I don't need and I don't like validation by host or by IP. Is there any way of avoiding it?

Thanks.

+7  A: 

SSL has, as part of its requirements, validation that the certificate CN matches the hostname that you're connecting to. If the CN doesn't match, then the browser will assume that you're connecting to the wrong host and object.

There is no way around this.

gorilla
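To make the check concrete, here is an added example (not code from the question or from any of the answers) that mirrors what a Java TLS client does with the server certificate: it collects the dNSName and iPAddress entries from the subjectAltName extension, falls back to the subject CN only when there is no SAN at all, and then matches the host the client dialled against that list with the usual single-label wildcard rule. The `main` method runs the matcher over constructed name lists: the asker's "CN=myhost" certificate, and the same certificate as it would look if the names were added with keytool's `-ext SAN=dns:myhost,ip:10.0.0.5` option (the IP address and the `.internal.example` name are assumptions for the demo). Adding the names the service is actually reached by is the fix; removing the check is not.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Mirrors the identity check a TLS client performs on the server certificate.
 * Added example for illustration; not part of the original thread.
 */
public class HostnameCheck {

    /** DNS and IP names the certificate claims: SAN entries first, CN only as a legacy fallback. */
    public static List<String> certificateNames(X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);            // GeneralName tag: 2 = dNSName, 7 = iPAddress
                if (type == 2 || type == 7) {
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        if (names.isEmpty()) {
            // No SAN: use the CN of the subject DN, e.g. "CN=myhost" from the keytool command.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    names.add(rdn.getValue().toString().toLowerCase(Locale.ROOT));
                }
            }
        }
        return names;
    }

    /** Exact match, or a wildcard that covers exactly one left-most label ("*.example.com"). */
    public static boolean matches(String host, String pattern) {
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1);                 // ".example.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String label = host.substring(0, host.length() - suffix.length());
        // "*.example.com" covers "a.example.com" but neither "example.com" nor "a.b.example.com"
        return !label.isEmpty() && !label.contains(".");
    }

    public static boolean hostMatchesAny(String host, List<String> names) {
        for (String n : names) {
            if (matches(host, n)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed name lists standing in for what certificateNames() returns for two certificates.
        List<String> cnOnly = Arrays.asList("myhost");                                  // the asker's "CN=myhost"
        List<String> withSan = Arrays.asList("myhost", "myhost.internal.example", "10.0.0.5"); // assumed SAN set

        System.out.println(hostMatchesAny("myhost", cnOnly));            // true
        System.out.println(hostMatchesAny("10.0.0.5", cnOnly));          // false: connecting by IP fails the check
        System.out.println(hostMatchesAny("10.0.0.5", withSan));         // true: an IP SAN fixes it
        System.out.println(hostMatchesAny("other.example", withSan));    // false: the name is not in the cert
        System.out.println(matches("a.example.com", "*.example.com"));   // true
        System.out.println(matches("a.b.example.com", "*.example.com")); // false
    }
}
```

The point of the fallback branch is worth noting: a certificate that carries a subjectAltName extension is matched on the SAN entries only, so a CN that happens to match the host does not help once a SAN is present. When generating the server certificate, list every name and address the service will be reached under in the SAN.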
+2  A: 

The point of using SSL/TLS is so that the client can be sure that it is connecting to the right service, and not some bogus service that is trying to impersonate the real one. If (hypothetically) the server certificate were not to contain any host identifying information, the client would have no way of telling whether the server it was negotiating with was the right one.

In fact, you do need validation by DNS address, because if you don't your SSL validation is worthless. (Or at least, nowhere like as secure as it could be.)

I guess in theory you could try to do your client/server communication over channels secured by some other means than SSL/TLS. But you'd need serious expertise in Java's security and encryption technology.

Stephen C
A: 

The standard logic is: If you don't need to protect your data, don't use SSL. If you do need to protect it, then you need to know what host you are connecting to. There should be no in between.

However in some internal environments, you might have enough control of the network and config to not be worried.

If you are in the latter case, then the solution depends on the client libraries you are using. If you are using HTTP Client, then read the SSL config guide. It may be that you don't need to implement your own SecureProtocolSocketFactory and can just use EasySSLProtocolSocketFactory.

David Roussel
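If the service really is only reached inside a controlled network and the hostname or IP cannot be put into the certificate, a tighter alternative to an accept-everything socket factory is to keep authenticating the server by its certificate rather than by its name. The added example below (not code from the thread, and not Apache HttpClient's `EasySSLProtocolSocketFactory`) is a `HostnameVerifier` for `javax.net.ssl.HttpsURLConnection` that ignores the hostname and instead checks the SHA-256 fingerprint of the server's leaf certificate against a pin. The `main` method takes the pin from the asker's own `my.keystore` (alias `myAlias`, password `myPassword`, as in the keytool command above) and also uses that keystore as the trust store, since a self-signed certificate is not in the default trust store; the URL `https://10.0.0.5:8443/` is an assumption for the demo.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Pins the server's leaf certificate instead of checking its name.
 * Added example; not code from the question, the answers or Apache HttpClient.
 */
public class PinnedHostnameVerifier implements HostnameVerifier {

    private final byte[] expectedFingerprint;

    public PinnedHostnameVerifier(byte[] expectedFingerprint) {
        this.expectedFingerprint = expectedFingerprint.clone();
    }

    /** SHA-256 over the DER encoding of the certificate, the same value "openssl x509 -fingerprint -sha256" prints. */
    public static byte[] sha256(Certificate cert) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    }

    /**
     * HttpsURLConnection calls this only after the built-in name match has failed, so it acts as the
     * fallback for exactly the case the asker hit. The hostname argument is deliberately not used.
     */
    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();   // leaf first
            // Constant-time comparison of the leaf fingerprint against the pin.
            return MessageDigest.isEqual(sha256(chain[0]), expectedFingerprint);
        } catch (Exception e) {   // SSLPeerUnverifiedException, CertificateEncodingException, ...
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the server's certificate is the entry "myAlias" in my.keystore, as created by the
        // keytool command in the question, and the client has a copy of that file.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("my.keystore")) {
            ks.load(in, "myPassword".toCharArray());
        }
        Certificate pinned = ks.getCertificate("myAlias");
        HostnameVerifier verifier = new PinnedHostnameVerifier(sha256(pinned));

        // The self-signed certificate is also the trust anchor; without this the default trust
        // store rejects it before any hostname logic runs.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Assumed address for the demo: the client connects by IP, which "CN=myhost" does not cover.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://10.0.0.5:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(verifier);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two caveats. First, this still depends on the trust store: a certificate from a trusted CA whose name does match the URL passes the built-in check and never reaches the verifier, so keep the client's trust store limited to the certificates you actually expect, or move the pin into an `X509TrustManager` if it must apply unconditionally. Second, the pin is the certificate itself, so every rotation of the server certificate means redistributing the fingerprint to the clients; that operational cost is the price of not putting the host's name in the certificate.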