
Request failing with "hostname in certificate didn't match"


Article ID: 77122




CA Application Test, CA Continuous Application Insight (PathFinder), Service Virtualization


In one environment, executing a REST call fails with "hostname in certificate didn't match", whereas the certificate has the hostname "DNS".

Trapped Exception: hostname in certificate didn't match: <> != <> OR <>


Server Name Indication (SNI) - an Introduction

Server Name Indication is an optional enhancement to the TLS handshake wherein the client sends the name of the server to which it is connecting in the Client Hello.

The purpose of this enhancement is to allow a single server to host name-based virtual servers whilst allowing each to have its own certificate and key pair. Prior to SNI, individual named servers would each require a server of their own, or would have to rely on a wildcard certificate and reside under a common domain.

With SNI, a single server may host multiple SSL virtual hosts, with the server itself identifying the correct target using the data held in the Client Hello.

For example, consider the following hypothetical example: and are both hosted on the same server. Resolving their IP addresses shows them both to be located at

Performing a reverse lookup of shows that the canonical name of the host is Connection directly to confirms this to be valid

When connecting to the client sends in the Client Hello - this identifies the correct "site" for the server to use. Since the name is sent in the SSL negotiation, the name is unaffected by proxy usage.

The server is able, therefore, to return the correct certificate for the chosen site of as opposed to the canonical site of or the alternative


Diagnosis of SNI issues.

If SNI is suspected to be causing issues with connections from DevTest (or, more generally, from Java applications), then enabling SSL debugging will expose the characteristic signature: the connection is rejected immediately after the Client Hello is sent. The connection will be closed from the server end and no Server Hello will be sent.

SNI and Java 8

There is a known issue with Java 8 supporting SNI correctly in all versions before 8u152. Versions after this should function correctly, but versions prior to this may not send SNI information when expected. 



Supported versions of DevTest.


Upgraded the DevTest JRE to Java 8 u161, following the instructions in the DevTest documentation section:

Supplying Your Own JVM

Added a Header with the Host field and a value of on the REST step.

Additional Information

Refer to KB: SSL, Java and DevTest