
javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:

Updated: 2023-12-03 14:02:46

Interestingly, if the request host is an IP, "CN" is not used to match it; instead,

https://www.rfc-editor.org/rfc/rfc2818#section-3.1

"the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"

If you use Java's keytool, it can be done by

keytool -genkeypair  -ext SAN=IP:195.xx.xx.xx    ........


NullHostNameVerifier is also OK for your use case. Your client is trusting only one certificate; as long as the connection uses that certificate, you are secure; host name doesn't matter here.
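The RFC 2818 rule quoted above, written out as a `HostnameVerifier` for IP-literal hosts. This is an added example, not code from the original answer; the class name `IpSanVerifier` and the helper `matchesIpSan` are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Accepts an IP-literal host only if the leaf certificate carries a matching iPAddress SAN. */
public final class IpSanVerifier implements HostnameVerifier {
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag for iPAddress (RFC 5280)

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate
                    && matchesIpSan(host, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException e) {
            return false; // no authenticated peer certificate: fail closed
        }
    }

    static boolean matchesIpSan(String host, X509Certificate cert) {
        // Handle IP literals only; this guard also keeps getByName() from doing a DNS lookup.
        if (!(host.matches("[0-9.]+") || host.indexOf(':') >= 0)) return false;
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return false; // no SAN extension; the subject CN is not consulted
            InetAddress wanted = InetAddress.getByName(host);
            for (List<?> san : sans) {
                // Each entry is [Integer type, value]; iPAddress values are returned as Strings.
                if (((Integer) san.get(0)) == SAN_IP_ADDRESS
                        && InetAddress.getByName((String) san.get(1)).equals(wanted)) {
                    return true; // compared as addresses, so IPv6 text forms are normalized
                }
            }
            return false;
        } catch (CertificateParsingException | UnknownHostException e) {
            return false; // unparsable SAN or host: fail closed
        }
    }
}
```

A certificate generated with the `-ext SAN=IP:...` option shown above passes this check when the client connects to that same address.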