Sample code for 30+ languages & platforms
Objective-C

HTTPS Server Certificate Require Hostname Match

See more HTTP Examples

Demonstrates and explains the RequireHostnameMatch property.

Chilkat Objective-C Downloads

Objective-C
#import <CkoHttp.h>
#import <NSString.h>

// The RequireHostnameMatch property was added in Chilkat v11.0.0
// to ensure the URL's hostname matches at least one of the server certificate SAN's (Subject Alternative Names)
// 
// In actuality, it is the SNI hostname that must match.  If the SNI hostname is not explicitly set,
// then Chilkat uses the hostname from the URL as the SNI hostname.

// Here's an example using chilkatsoft.com
// The SSL server certificate for chilkatsoft.com has 2 Subject Alternative Names:
// 
// 1) DNS Name: *.chilkatsoft.com
// 2) DNS Name: chilkatsoft.com
// 
// See Explaining the SNI Hostname in TLS

CkoHttp *http = [[CkoHttp alloc] init];

http.RequireHostnameMatch = YES;

// This should succeed because "www.chilkatsoft.com" matches the SAN entry "*.chilkatsoft.com"
NSString *html = [http QuickGetStr: @"https://www.chilkatsoft.com/helloWorld.html"];
NSLog(@"%@%d",@"1) Succeeded: ",http.LastMethodSuccess);

// At the time of writing this example, the IP address for chilkatsoft.com is 3.101.18.47
// If we send the request using the IP address, it will fail because the IP address is does 
// not match any of the SAN entries in the server certificate.
html = [http QuickGetStr: @"https://3.101.18.47/helloWorld.html"];
NSLog(@"%@%d",@"2) Succeeded: ",http.LastMethodSuccess);

// However, it will succeed if we explicitly set the SNI hostname.
http.SniHostname = @"www.chilkatsoft.com";
html = [http QuickGetStr: @"https://3.101.18.47/helloWorld.html"];
NSLog(@"%@%d",@"3) Succeeded: ",http.LastMethodSuccess);

// Remove our explicit SNI hostname.
http.SniHostname = @"";

// Now let's try wrong.host.badssl.com
// The SSL server certificate for badssl.com has 2 Subject Alternative Names:
// 
// 1) DNS Name: *.badssl.com
// 2) DNS Name: badssl.com

// The domain wrong.host.badssl.com will fail the RequireHostnameMatch because
// the wildcarded domain SAN entry only extends 1 level deep.  
html = [http QuickGetStr: @"https://wrong.host.badssl.com/"];
NSLog(@"%@%d",@"4) Succeeded: ",http.LastMethodSuccess);

// The expected output is:
// 1) Succeeded: True
// 2) Succeeded: False
// 3) Succeeded: True
// 4) Succeeded: False