Skip to Content

Resolving HostnameMismatchError in Python

By: Author David Cao

Posted on Last updated:

0 Comments

Categories DevOps, Linux

The HostnameMismatchError is an exception that occurs in Python when there is a mismatch between the hostname specified in the URL you are trying to access and the hostname provided by the SSL certificate of the server you are connecting to.

This error is typically raised by the requests library or when using ssl.wrap_socket with the ssl module.

Example HostnameMismatchError Scenario

Here’s an example of when this error might occur:

  1. You are trying to connect to a server using HTTPS (which requires an SSL certificate).
  2. The URL you use in your request specifies a hostname, for example, https://www.example.com.
  3. The server provides an SSL certificate, but the hostname in the certificate is different from the one you specified in the URL, say https://www.different.com.

In this scenario, the SSL certificate does not match the hostname you intended to connect to, and Python’s SSL implementation will raise a HostnameMismatchError to prevent potentially insecure connections.

This error is important because it helps protect against man-in-the-middle (MITM) attacks. If the hostnames did not have to match, an attacker could potentially intercept your connection with a malicious server that presents a valid certificate for a different hostname.

Resolving HostnameMismatchError

To resolve a HostnameMismatchError, you should:

  • Double-check the URL you are using to ensure it is correct.
  • Verify that the server’s SSL certificate is valid and has been issued for the correct hostname by a trusted Certificate Authority (CA).
  • Ensure that your application or system is using the correct domain name and that any necessary DNS settings are properly configured.

In some cases, for development or testing purposes, you might want to bypass SSL certificate validation. However, this is not recommended for production environments as it can expose your application to security risks. If you must bypass certificate validation for testing, you can do so by setting verify=False in the requests.get call or by providing a custom SSLContext with check_hostname=False and verify_mode=ssl.CERT_NONE when wrapping the socket. Remember that this should be a temporary measure and not a permanent solution.

How to find the hostname in SSL certificate?

The following command combines two OpenSSL utilities to test SSL/TLS connections and inspect the server’s SSL certificate:

openssl s_client -servername servername -connect servername:port 2>/dev/null | openssl x509 -noout -subject

  • openssl s_client – The OpenSSL command-line utility for creating a secure socket connection to a server.
  • -servername – Option to specify the hostname used during the SSL/TLS handshake, useful for Server Name Indication (SNI).
  • -connect servername:port – Option to connect to the specified server name on the given port, usually HTTPS port (443).
  • 2>/dev/null – Redirects error messages to /dev/null, discarding them during the SSL/TLS handshake.
  • | – The pipe operator, used to pass the output of one command to another.
  • openssl x509 – The OpenSSL command-line utility for working with X.509 certificates.
  • -noout – Option to suppress the output of the certificate’s encoded data.
  • -subject – Option to display the subject of the certificate, including the issuer and subject distinguished name (DN).

Putting it all together, this command initiates an SSL/TLS connection to the specified server, ignoring any error messages, and then pipes the received certificate to the x509 utility to extract and display the certificate’s subject information.

Example:

openssl s_client -servername google.com -connect google.com:443  2>/dev/null | openssl x509 -noout  -subject

subject=CN=*.google.com

This can be useful for verifying that the server is presenting a valid certificate for the intended hostname and to check other details about the certificate, such as the issuing CA and the validity period.