I recently noticed that my Android app could no longer talk SSL directly to my Vert.x server (using a self-signed cert since it’s just for me). The client exception was:
```
javax.net.ssl.SSLPeerUnverifiedException: Hostname example.com not verified
```
It turns out, Android 9 includes a documented change that requires certs to include a subjectAltName field.
Here’s how I now create my cert:
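```bash
# Self-signed cert; a [SAN] section is appended to the system openssl.cnf on the fly.
# The <(...) process substitution needs bash.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=example.com' \
  -reqexts SAN -extensions SAN \
  -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:example.com"))

# Convert the private key to unencrypted PKCS#8 PEM.
openssl pkcs8 -topk8 -inform PEM -outform PEM -in key.pem -out keypk8.pem -nocrypt
```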
And how it’s used by Vert.x:
```java
vertx.createHttpServer(
    new HttpServerOptions()
        .setPort(...)
        .setPemKeyCertOptions(new PemKeyCertOptions().setKeyPath("keypk8.pem").setCertPath("cert.pem"))
        .setSsl(true)
    )
    .requestHandler(router::accept).listen(...);
```
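An alternative is to use a custom HostnameVerifier on the client side. Because that verifier replaces the check that failed here, it should accept only the expected hostname rather than returning true for every host.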
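To confirm that a certificate such as the `cert.pem` created above really carries a subjectAltName DNS entry for the host, the following added example (not part of the original post) parses the `openssl x509 -text` output in POSIX sh and never falls back to the CN. The function names, the `make_cert` sample generator and the script name in the usage comment are assumptions made for this example; matching covers exact names and single-label wildcards only.

```sh
#!/bin/sh
# Added example, not from the original post. Needs POSIX sh and the openssl CLI.
# Function and file names here are assumptions made for the example.

# Print the DNS names in CERT's subjectAltName, one per line (nothing if absent).
san_dns_names() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' |
    tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if a SAN DNS entry covers HOST: exact match, or "*." standing
# for exactly one left-most label. The CN is deliberately never consulted.
cert_covers_host() (
  set -f   # stop "*.example.com" from being glob-expanded by the for loop
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  for name in $(san_dns_names "$1" | tr 'A-Z' 'a-z'); do
    [ "$name" = "$host" ] && exit 0
    case $name in
      \*.*) [ "${host#*.}" = "${name#\*.}" ] && exit 0 ;;
    esac
  done
  exit 1
)

# Constructed sample input: throwaway self-signed cert, SAN only if given.
# make_cert OUT_PREFIX CN [SAN_VALUE]  ->  OUT_PREFIX.key, OUT_PREFIX.crt
make_cert() {
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=%s\n[SAN]\nsubjectAltName=%s\n' \
    "$2" "${3:-DNS:unused.invalid}" > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" -config "$1.cnf" ${3:+-extensions SAN} 2>/dev/null
}

# Usage: sh check_san.sh cert.pem example.com
if [ $# -eq 2 ]; then
  if cert_covers_host "$1" "$2"; then echo "SAN covers $2"
  else echo "no subjectAltName DNS entry for $2"; exit 1; fi
fi
```

A certificate made with only `-subj '/CN=example.com'` fails this check even though its CN matches, which is the same condition behind the `SSLPeerUnverifiedException` shown earlier.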