如何在 Java8 上自定义 TCP/IP（非 HTTP）TLS 的主机名检查？

Question

I'm using Java SE 8.

When I connect TLS (TCP/IP) server, I'd like to control (customize) hostname checking logic. For example, accepts only if hostname is matched, or always matched without any checking. For HTTP, I can use HttpsURLConnection 's setHostnameVerifier() method.

https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/HttpsURLConnection.html#setHostnameVerifier-javax.net.ssl.HostnameVerifier-

I'd like to do the similar thing on TCP/IP not HTTP. For example MQTT(S) on TCP/IP TLS.

I've read the following sites, but I couldn't get useful information.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SettingHostnameVerifier

Is there any convenient way to do that?

edit 2017/10/24

Some comments indicate that TCP/IP doesn't treat hostname. True. I should rephrase my question.

Updated question is "how to write checking hostname function between the hostname of connect target and the hostname from server certificate?"

Connection target IP address is gotten using getByName() . https://docs.oracle.com/javase/8/docs/api/java/net/InetAddress.html#getByName-java.lang.String-

Answer 1

Get the SSLSession , either via a HandshakeCompletedListener or inline from the SSLSocket after you connect it, get the peer certificate from the session, get the subjectDN from the certificate, and check it against the hostname you thought you were connecting to. If any of that fails, close the connection.