TLS: Host certificate verification failed: Hostname mismatch

Question
When I try to connect to the host, I get the error TLS: Host certificate validation failed: Hostname mismatch. What does this mean?

Answer
This error appears on OpenSSL-based systems during host certificate validation. The TLS protocol includes a step where the client (the emulator) inspects the certificate presented by the server (the host). Part of that inspection is verifying that the name in the host's certificate matches the name used to connect to the host. The error means that the two names do not match.

Easy, but insecure workaround
The easiest way to fix this is to disable host certificate validation. The downside to doing this is that you lose the protection of this part of the TLS protocol.

Simply add the Y prefix to the hostname.

More complex, but more secure workaround
The better way to fix this is to specify a particular name to match in the host certificate. This is much more secure, but takes a couple of steps to complete.

Step 1: Find the name in the host certificate
First, you must discover the name that the host is including in its certificate. To do this, connect to the host with host certificate validation disabled (using the Y prefix).

In x3270, select File -> x3270> prompt. In c3270, hit the Esc key to break to the c3270> prompt.

At the prompt, enter the command show tlsCertInfo. The output should include a line that begins with Subject: and includes a field that starts with CN =. What follows after the CN = is the name. For example:

    3270> show tlscertinfo
    Public key: 2048 bit RSA
    Subject: C = US, ST = "South Dakota", L = Pierre, O = "Hosts R Us", OU = xyz, CN = myhost.hostsrus.com
    ...

Step 2: Specify that name when connecting to the host
Add the CN = name displayed above to the hostname, for example:

    x3270 somexternalname.legtimatebusiness.com=myhost.hostsrus.com

Be sure not to include the Y prefix in the hostname.

This syntax also works with s3270 and pr3287.
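
Steps 1 and 2 can be scripted. The following is an added example, not code from the x3270 project: it parses saved show tlsCertInfo output, extracts the CN from the Subject: line (handling quoted fields that contain commas), and builds the connectname=certname host string. The function names are hypothetical, the sample text is constructed from the output shown above, and the check for the Y prefix assumes it is written as "Y:" in front of the hostname.

```python
import re

# Constructed sample, modelled on the show tlsCertInfo output quoted above.
SAMPLE_CERT_INFO = '''Public key: 2048 bit RSA
Subject: C = US, ST = "South Dakota", L = Pierre, O = "Hosts R Us", OU = xyz, CN = myhost.hostsrus.com
'''

def subject_fields(cert_info):
    """Return the Subject: line's fields as (key, value) pairs, in order."""
    for line in cert_info.splitlines():
        if not line.startswith("Subject:"):
            continue
        parts, cur, quoted = [], "", False
        for ch in line[len("Subject:"):]:
            if ch == '"':
                quoted = not quoted          # commas inside quotes are data
            if ch == "," and not quoted:
                parts.append(cur)
                cur = ""
            else:
                cur += ch
        parts.append(cur)
        fields = []
        for part in parts:
            key, sep, value = part.partition("=")
            if sep:
                fields.append((key.strip(), value.strip().strip('"')))
        return fields
    raise ValueError("no Subject: line in certificate info")

def cert_name(cert_info):
    """Return the single CN from the Subject line, checked to be a plain host name."""
    names = [v for k, v in subject_fields(cert_info) if k == "CN"]
    if len(names) != 1:
        raise ValueError(f"expected exactly one CN, found {len(names)}")
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?", names[0]):
        raise ValueError(f"CN is not a plain host name: {names[0]!r}")
    return names[0]

def host_argument(connect_name, cert_info):
    """Build the connectname=certname host string used in step 2."""
    # Assumption: the Y prefix is written "Y:" in front of the host name.
    if re.search(r"(?:^|:)Y:", connect_name, re.IGNORECASE):
        raise ValueError("remove the Y prefix; it disables validation")
    return f"{connect_name}={cert_name(cert_info)}"

if __name__ == "__main__":
    print(host_argument("somexternalname.legtimatebusiness.com", SAMPLE_CERT_INFO))
```

The name in step 1 is read over a connection made with validation disabled, so compare it with the name the host's administrator expects before using it in step 2.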