Sample code for 30+ languages & platforms
Tcl

HTTPS Server Certificate Require Hostname Match

See more HTTP Examples

Demonstrates and explains the RequireHostnameMatch property.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

# The RequireHostnameMatch property was added in Chilkat v11.0.0
# to ensure the URL's hostname matches at least one of the server certificate SAN's (Subject Alternative Names)
# 
# In actuality, it is the SNI hostname that must match.  If the SNI hostname is not explicitly set,
# then Chilkat uses the hostname from the URL as the SNI hostname.

# Here's an example using chilkatsoft.com
# The SSL server certificate for chilkatsoft.com has 2 Subject Alternative Names:
# 
# 1) DNS Name: *.chilkatsoft.com
# 2) DNS Name: chilkatsoft.com
# 
# See Explaining the SNI Hostname in TLS

set http [new_CkHttp]

CkHttp_put_RequireHostnameMatch $http 1

# This should succeed because "www.chilkatsoft.com" matches the SAN entry "*.chilkatsoft.com"
set html [CkHttp_quickGetStr $http "https://www.chilkatsoft.com/helloWorld.html"]
puts "1) Succeeded: [CkHttp_get_LastMethodSuccess $http]"

# At the time of writing this example, the IP address for chilkatsoft.com is 3.101.18.47
# If we send the request using the IP address, it will fail because the IP address is does 
# not match any of the SAN entries in the server certificate.
set html [CkHttp_quickGetStr $http "https://3.101.18.47/helloWorld.html"]
puts "2) Succeeded: [CkHttp_get_LastMethodSuccess $http]"

# However, it will succeed if we explicitly set the SNI hostname.
CkHttp_put_SniHostname $http "www.chilkatsoft.com"
set html [CkHttp_quickGetStr $http "https://3.101.18.47/helloWorld.html"]
puts "3) Succeeded: [CkHttp_get_LastMethodSuccess $http]"

# Remove our explicit SNI hostname.
CkHttp_put_SniHostname $http ""

# Now let's try wrong.host.badssl.com
# The SSL server certificate for badssl.com has 2 Subject Alternative Names:
# 
# 1) DNS Name: *.badssl.com
# 2) DNS Name: badssl.com

# The domain wrong.host.badssl.com will fail the RequireHostnameMatch because
# the wildcarded domain SAN entry only extends 1 level deep.  
set html [CkHttp_quickGetStr $http "https://wrong.host.badssl.com/"]
puts "4) Succeeded: [CkHttp_get_LastMethodSuccess $http]"

# The expected output is:
# 1) Succeeded: True
# 2) Succeeded: False
# 3) Succeeded: True
# 4) Succeeded: False

delete_CkHttp $http