# TLS certificate hostname mismatch: the certificate's CN or SAN does not match the requested hostname

- **ID:** `security/tls-certificate-hostname-mismatch`
- **Domain:** security
- **Category:** tls_error
- **Error code:** `TLS-1002`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The common name (CN) or subject alternative name (SAN) in the TLS certificate presented by the server does not match the hostname the client used in its request, so the client rejects the certificate and the TLS handshake fails.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OpenSSL 3.0 | active | — | — |
| Java 17 | active | — | — |
| Node.js 20 | active | — | — |
| Nginx 1.24 | active | — | — |

## Solutions

1. Reissue the certificate with every hostname that clients will use listed in the SAN field. For Let's Encrypt: `certbot certonly --standalone -d example.com -d www.example.com`, making sure all alternative names are included.
2. If a reverse proxy terminates TLS, configure it to select the certificate by SNI (Server Name Indication) so that the certificate served matches the requested hostname. For Nginx, the `server` block for that hostname needs `server_name example.com;` together with `ssl_certificate /path/to/cert.pem;` pointing at the certificate issued for that name.
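As an added illustration (not part of this entry and not the code of any of the tools named above), the following Python implements the name-matching rule a modern client applies when it checks a server certificate: SAN dNSName entries are authoritative, the CN is consulted only when the certificate has no SAN at all, and a wildcard may only stand for the whole leftmost label. The certificate contents are constructed inline as plain name lists rather than parsed from DER.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class CertNames:
    """Names taken from a certificate (constructed sample data, not parsed from DER)."""
    cn: Optional[str]
    san_dns: list[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # A wildcard is only valid as the entire leftmost label, e.g. "*.example.com".
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    # The wildcard must match exactly one non-empty label; it never spans a dot,
    # so "*.example.com" matches "www.example.com" but not "example.com"
    # or "a.b.example.com".
    return bool(host_head) and host_tail == tail


def hostname_matches(cert: CertNames, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a requested hostname against the certificate's names."""
    if cert.san_dns:
        for name in cert.san_dns:
            if _name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        # When a SAN extension is present the CN is ignored entirely, which is why a
        # certificate with CN=www.example.com but SAN=[example.com] still fails.
        return False, f"no SAN dNSName matches {hostname!r} (CN ignored because SAN is present)"
    if cert.cn and _name_matches(cert.cn, hostname):
        # Legacy fallback only; some clients (e.g. Chrome) reject CN-only certificates outright.
        return True, f"matched CN {cert.cn!r} (no SAN present, legacy fallback)"
    return False, f"neither SAN nor CN matches {hostname!r}"


if __name__ == "__main__":
    broken = CertNames(cn="example.com", san_dns=["example.com"])
    fixed = CertNames(cn="example.com", san_dns=["example.com", "www.example.com"])
    for cert in (broken, fixed):
        print(hostname_matches(cert, "www.example.com"))
```

Running the block shows the mismatch from this entry (a certificate covering only `example.com` rejected for `www.example.com`) and the reissued certificate accepting it.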

## Ineffective attempts

- Disabling hostname verification entirely (e.g., setting `NODE_TLS_REJECT_UNAUTHORIZED=0`) bypasses the error but exposes the connection to man-in-the-middle attacks. (70% failure rate)
- Adding the hostname to the `/etc/hosts` file to point it at a different IP does not fix the certificate mismatch; the server still presents the wrong certificate for that hostname. (40% failure rate)
- Some try a self-signed certificate with the correct hostname but forget to add the CA to the trust store, which produces a different error (unable to verify certificate). (30% failure rate)
