Hi guys, I'm using clojure-http to make the following POST:

(clojure-http.resourcefully/post "https://android.apis.google.com/c2dm/send"
  {"Authorization" (str "GoogleLogin auth=" auth-token)}
  {"registration_id" registration-id
   "data.msg" "blah"
   "collapse_key" "blah"})

And getting this exception:

java.security.cert.CertificateException: No subject alternative DNS name matching android.apis.google.com found.
[Thrown class javax.net.ssl.SSLHandshakeException]

For some weird reason, about 10% of the time I don't get the exception and the request goes through.

I believe it's an issue with Java's host name checking on SSL connections*, so my question is, how do I disable that from Clojure? (or is that a bad idea security-wise?)

Thanks, Wei

*deduced from this post and others like it: http://www.jroller.com/hasant/entry/no_subject_alternative_names_matching

+2  A: 

It's not a problem with your code; it's a problem with Android's website.

Open this link in a modern browser: https://android.apis.google.com/. You will see that the SSL certificate belongs to *.google.com, but you are visiting a domain under *.apis.google.com. You should probably search on Android forums for a solution to this problem.

It's a bad idea to disable host name checking; you are opening yourself up to man-in-the-middle attacks. If you don't really care about security, you might as well use http; it's easier than disabling host name checks.

sri
Thanks! Didn't realize I could get by (for now) using just http. I'm planning to leave a message on the Android mailing list asking them to fix their SSL certificate.
yayitswei
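
Added example (not part of the question or the answer above): a small Clojure check of the wildcard rule behind the exception, where `*` stands for exactly one left-most DNS label. The function names are hypothetical and the SAN list is constructed from the certificate name the answer reports; it simplifies real verifiers by accepting `*` only as a complete label.

```clojure
(ns san-check
  (:require [clojure.string :as str]))

(defn- labels
  "Split a DNS name into lower-cased labels, ignoring one trailing dot."
  [dns-name]
  (-> dns-name
      str/lower-case
      (str/replace #"\.$" "")
      (str/split #"\.")))

(defn san-matches?
  "True when one certificate dNSName pattern covers host.
  A `*` is honoured only as the whole left-most label and stands for
  exactly one non-empty label, so it never spans a dot."
  [pattern host]
  (let [p (labels pattern)
        h (labels host)]
    (boolean
     (and (= (count p) (count h))          ; same number of labels
          (= (rest p) (rest h))            ; everything right of the first label is literal
          (or (= (first p) (first h))
              (and (= (first p) "*")
                   (seq (first h))))))))   ; wildcard needs a real label to match

(defn host-covered?
  "True when any dNSName in sans covers host."
  [sans host]
  (boolean (some #(san-matches? % host) sans)))

;; Constructed sample: the answer reports a certificate issued for *.google.com.
(def sample-sans ["*.google.com"])

(doseq [host ["www.google.com"            ; one label under google.com
              "android.apis.google.com"   ; two labels under google.com
              "google.com"]]              ; bare domain, no label for the wildcard
  (println host "->" (if (host-covered? sample-sans host) "match" "NO MATCH")))
```

Only `www.google.com` is covered; `android.apis.google.com` has one label too many for `*.google.com`, which is the mismatch the `CertificateException` reports.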