有趣的是，如果请求主机是IP，则不使用CN来匹配它;相反，

Interestingly, if the request host is an IP, "CN" is not used to match it; instead,

http://tools.ietf.org /html/rfc2818#section-3.1

iPAddress subjectAltName必须出现在证书中，并且必须与IP中的IP完全匹配URI

the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"

如果您使用java的keytool，可以通过

If you use java's keytool, it can be done by

keytool -genkeypair  -ext SAN=IP:195.xx.xx.xx    ........

NullHostNameVerifier也适用于您的用例。您的客户端只信任一个证书;只要连接使用该证书，你是安全的;主机名在这里无关紧要。

NullHostNameVerifier is also ok for you use case. You client is trusting only one certificate; as long as the connection uses that certificate, you are secure; host name doesn't matter here.