IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address

Pierre-Luc Boily pierreluc.boily at gmail.com
Fri Feb 10 21:13:59 UTC 2023


Hello,

I have an *IXWebSocket* c++ wss client connecting to a *Node.js* wss
server (websocket npm package). Everything is fine as long as the client
connects to `wss://localhost:8080`. As soon as I use the IP address of the
*Node.js* wss server, I have the error "*OpenSSL failed -
error:0A000086:SSL routines::certificate verify failed*"

## Certificate chain creation ##
I created my own private root ca.  I used those commands to generate *root
ca* key/certificate and *server* key/certificate:

    $ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    $ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt
    $ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    $ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr
    $ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt

The configuration has a `subjectAltName` for both root and server and it
looks like this :

 See config file : https://pastebin.com/kAcwkp9w

The certificate chain looks valid between my *root ca* and my *server*:

    $ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt
    server\certs\server.crt: OK


Both `ca.crt` and `server.crt` have a reference to my ip address, so I used
the subjectAltName parameter to define it. I thought that my *root ca*
would need it (I am not even sure that it makes sense to have a domain on
the *root ca*), but it doesn't make any difference.

*Code that is not working*

*My IXWebSocket c++ client :*

https://pastebin.com/tLGi3amA

*Code that is working*

*wss javascript client:*

I also coded a javascript client (using the same npm package as my server,
not ) and this little client can connect using the ip address!!

https://pastebin.com/Huzv59gX


*My Node.js server :*

https://pastebin.com/QCYg5z1B


*Questions : *
1. Any idea why my c++ client cannot connect using an ip address to the
server, while the javascript client can? (using the same certificate chain)
2. If not, any idea how I could debug this?
3. Would it be possible that the problem is some high-level SSL stuff, where
you actually need a real hostname and can't use an IP?
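
For question 2, one offline check is whether a certificate matches an IP address at all: OpenSSL's `-checkip` test compares only `IP`-type subjectAltName entries, so an address written as a `DNS` entry does not count. This is an added example, not part of the original post; the address 192.0.2.10, the file names and the throwaway self-signed certificates are constructed, and it assumes OpenSSL 1.1.1 or later (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Constructed demo: 192.0.2.10, the file names and the throwaway self-signed
# certificates are made up here; nothing comes from the poster's config files.

# make_cert <subjectAltName value> <output prefix>
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=demo-server" -addext "subjectAltName=$1" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# san_entries <cert>: print the subjectAltName entries with their types
san_entries() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2
}

# ip_matches <cert> <ip>: true only if OpenSSL's IP check accepts the address
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match certificate"
}

tmp=$(mktemp -d)
make_cert "DNS:192.0.2.10" "$tmp/dns-san"   # address stored as a DNS name
make_cert "IP:192.0.2.10"  "$tmp/ip-san"    # address stored as an iPAddress
for c in dns-san ip-san; do
    echo "== $c:$(san_entries "$tmp/$c.crt")"
    if ip_matches "$tmp/$c.crt" 192.0.2.10; then
        echo "   192.0.2.10 matches"
    else
        echo "   192.0.2.10 does NOT match"
    fi
done
rm -rf "$tmp"
```

To check a real certificate, run the same `-ext subjectAltName` and `-checkip` commands on the server certificate file with the address the client connects to.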