When using Undertow as a WebSockets client, Undertow will accept a server-side certificate that DOES NOT match the requested host name. This can be verified by connecting to wrong.host.badssl.com – the issued certificate does not match the indicated host name but Undertow (or rather the underlying SSLEngine) happily moves on.

It should be possible to indicate that Undertow shall only accept a certificate that matches the indicated host name.