SSL Certificate Name Hostname Mismatch - Vulnerability Database

SSL Certificate Name Hostname Mismatch

Description

The SSL/TLS certificate presented by the server does not contain a Subject Alternative Name (SAN) entry that matches the hostname being accessed. Modern clients match the requested name against the SAN extension only: Chrome has ignored the Common Name (CN) entirely since version 58, and public CAs are required to list every name in the SAN, so a hostname that appears only in the CN is still reported as a mismatch. The finding typically arises when the name in the browser's address bar (a bare domain, a new subdomain, or an IP address) is not one of the names the certificate was issued for, which points to a configuration error such as a certificate deployed on the wrong virtual host, a missing SNI configuration, or a certificate that never covered that name. From the client's point of view a name mismatch is indistinguishable from an active man-in-the-middle presenting a certificate issued for a different site, so browsers display full-page security warnings and block access unless the user clicks through. The practical security cost is twofold: users are trained to ignore such warnings, and operators of non-browser clients (scripts, mobile apps, API integrations), which fail closed on the mismatch, are tempted to disable certificate verification altogether.

Remediation

<p>To resolve SSL certificate hostname mismatch issues, follow these steps:</p><ol><li><b>Identify the Mismatch:</b> Compare the hostname in your URL (e.g., www.example.com) with the Subject Alternative Names listed in the certificate (the Common Name is shown for reference but modern browsers do not consult it). Use browser developer tools or OpenSSL to examine certificate details, and always pass <code>-servername</code> so the server selects the certificate for that name via SNI; without it the default virtual host's certificate is returned and may show a mismatch that a real browser never sees:<pre>openssl s_client -connect example.com:443 -servername www.example.com &lt;/dev/null 2&gt;/dev/null | openssl x509 -noout -subject -ext subjectAltName</pre>OpenSSL 1.1.0 and later can also perform the check itself: add <code>-verify_hostname www.example.com</code> to the <code>s_client</code> command and look for <code>hostname mismatch</code> in the <code>Verify return code</code> line.</li><li><b>Determine the Correct Solution:</b><ul><li>If accessing the site via an incorrect hostname (e.g., using the IP address or a non-covered subdomain), update your URL to match a name listed in the certificate. Note that an IP address only matches an <code>iPAddress</code> SAN entry; a <code>dNSName</code> entry containing the IP string does not count</li><li>If the certificate doesn't cover the legitimate hostname, obtain a new certificate that includes all required domain names</li></ul></li><li><b>Obtain a Proper Certificate:</b> Request a new SSL/TLS certificate from your Certificate Authority that includes:<ul><li>Every hostname users access, including the canonical one, in the Subject Alternative Names extension; a name that appears only in the Common Name field is not accepted by current browsers</li><li>All alternate hostnames (www, non-www, subdomains, and any IP address that is accessed directly) in the Subject Alternative Names extension</li><li>Consider using a wildcard certificate (*.example.com) if you have multiple subdomains. A wildcard matches exactly one label, so *.example.com covers api.example.com but neither example.com nor a.b.example.com; add those names explicitly. Bear in mind that a wildcard private key installed on many hosts widens the impact of a single host compromise</li></ul></li><li><b>Install and Configure the Certificate:</b> Replace the existing certificate on your web server with the corrected certificate, ensuring the complete certificate chain is properly installed and that the SNI virtual host for each covered name is mapped to it</li><li><b>Update Redirects:</b> Configure your web server to redirect all traffic to the canonical hostname that matches your certificate. A redirect only helps HTTPS clients if the name they connect to is itself covered by a valid certificate: the TLS handshake, and therefore the hostname check, happens before any HTTP redirect is sent</li><li><b>Verify the Fix:</b> Test the site using multiple browsers and SSL testing tools (such as SSL Labs' SSL Server Test) to confirm the hostname mismatch is resolved. Also test with a non-browser client such as <code>curl</code> with verification enabled, since such clients fail closed and have no click-through</li></ol><p>Consult your web server documentation or Certificate Authority's support resources for platform-specific installation instructions.</p>
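The following script is an added example, not Invicti's code, that explains a hostname-mismatch finding the way a modern TLS client decides it and that covers the cases from the steps above (bare domain vs. wildcard, IP literal vs. dNSName, name only in the CN, and the SNI caveat). The matching rules follow RFC 6125 section 6.4 as applied by current browsers: SAN dNSName entries are authoritative, a wildcard must be the whole leftmost label and matches exactly one label, an IP literal only matches a SAN iPAddress entry, and the Common Name is ignored unless the caller opts into the legacy fallback. The function names, the hostnames, and the certificate data in the demo are constructed for illustration; only `fetch_cert_names` touches the network and it is not exercised by the demo.

```python
"""Explain a certificate hostname mismatch as a modern TLS client sees it.
Added example (not Invicti's or OpenSSL's code); names below are constructed."""
import ipaddress
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname.

    Case-insensitive. A wildcard is accepted only as the entire leftmost
    label, only with at least two labels after it (no *.com), and it covers
    exactly one label: *.example.com does not cover example.com or
    a.b.example.com. Partial wildcards (w*.example.com) are rejected, which
    is the conservative choice browsers make.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, san_dns=(), san_ip=(), common_name=None,
                     allow_cn_fallback=False):
    """Return (matched, reason) for a hostname against a certificate's names.

    Mirrors current browsers: the CN is consulted only when allow_cn_fallback
    is True AND the certificate carries no SAN entries at all (the legacy
    behaviour some older or non-browser clients still apply).
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a dNSName entry, even one that
        # textually contains the address; only iPAddress entries count.
        for entry in san_ip:
            if ipaddress.ip_address(entry) == ip:
                return True, f"matched SAN iPAddress {entry}"
        return False, f"{hostname} is an IP literal; SAN iPAddress entries: {list(san_ip)}"
    for entry in san_dns:
        if dns_name_matches(entry, hostname):
            return True, f"matched SAN dNSName {entry}"
    if san_dns or san_ip:
        return False, f"{hostname} is not covered by SAN {list(san_dns) + list(san_ip)}"
    if not allow_cn_fallback:
        return False, f"no SAN extension; CN {common_name!r} is ignored by modern clients"
    if common_name and dns_name_matches(common_name, hostname):
        return True, f"matched CN {common_name} via legacy fallback (browsers still reject)"
    return False, f"no SAN extension and CN {common_name!r} does not match {hostname}"


def fetch_cert_names(host, port=443, server_name=None):
    """Fetch (common_name, san_dns, san_ip) from a live server's leaf cert.

    check_hostname is disabled so a mismatch does not abort the handshake
    (the chain is still verified against the system trust store, so an
    untrusted chain raises separately). SNI is always sent: without it the
    server may present its default virtual host's certificate and you would
    report a mismatch that a real browser never sees.
    """
    server_name = server_name or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    san = cert.get("subjectAltName", ())
    return cn, [v for k, v in san if k == "DNS"], [v for k, v in san if k == "IP Address"]


if __name__ == "__main__":
    # Constructed certificate: wildcard SAN only, CN set to the bare domain.
    cert_dns, cert_ip, cert_cn = ["*.example.com"], [], "example.com"
    for name in ("www.example.com", "example.com", "a.b.example.com", "203.0.113.10"):
        ok, why = hostname_matches(name, cert_dns, cert_ip, cert_cn)
        print(f"{name:18} {'OK ' if ok else 'MISMATCH'} {why}")
    # Name only in the CN: accepted by legacy fallback, rejected by browsers.
    print(hostname_matches("www.example.com", common_name="www.example.com"))
    print(hostname_matches("www.example.com", common_name="www.example.com",
                           allow_cn_fallback=True))
```

To triage a real finding, call `fetch_cert_names(host, server_name=host)` and feed the result to `hostname_matches`; the returned reason tells you which remediation branch applies (wrong URL, missing SAN entry, name only in CN, or an IP literal that needs an iPAddress entry). Compare the names you get with and without the `server_name` argument equal to the scanned host to rule out an SNI-related false positive.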