IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address

Mark Hack markhack at markhack.com
Mon Feb 13 15:03:13 UTC 2023


I have a few ideas about what the issue is. Can you start by either
attaching the server cert or showing it in text form using the command
"openssl x509 ..."?

Looking at the IX code (and it was a very quick look), I suspect that
only the CN is validated. If the server cert shows "localhost" then
that is probably the issue.

Regards
Mark Hack
On Fri, 2023-02-10 at 16:13 -0500, Pierre-Luc Boily wrote:
> Hello,
> 
> I have an IXWebSocket c++ wss client connecting to a Node.js wss
> server (websocket npm package). Everything is fine as long as the
> client connects to `wss://localhost:8080`. As soon as I use the ip
> address of the Node.js wss server, I have the error "OpenSSL failed -
> error:0A000086:SSL routines::certificate verify failed".
> 
> ## Certificate chain creation ##
> I created my own private root ca.  I used those commands to generate
> root ca key/certificate and server key/certificate:
> 
>     $ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
>     $ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt
>     $ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
>     $ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr
>     $ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt
> 
> The configuration has a `subjectAltName` for both root and server and
> it looks like this :
> 
>  See config file : https://pastebin.com/kAcwkp9w
> 
> The certificate chain looks valid between my *root ca* and my
> *server*:
> 
>     $ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt
>     server\certs\server.crt: OK
> 
> 
> Both `ca.crt` and `server.crt` have a reference to my ip address, so
> I used the subjectAltName parameter to define it. I thought that my
> *root ca* would need it (I am not even sure that it makes sense to
> have a domain on the *root ca*), but it doesn't make any difference.
> 
> Code that is not working
> 
> My IXWebSocket c++ client :
> 
> https://pastebin.com/tLGi3amA
> 
> Code that is working
> 
> wss javascript client:
> 
> I also coded a javascript client (using the same npm package as my
> server, not ) and this little client can connect using the ip
> address!!
> 
> https://pastebin.com/Huzv59gX
> 
> 
> My Node.js server :
> 
> https://pastebin.com/QCYg5z1B
> 
> 
> Questions : 
> 1. Any idea why my c++ client cannot connect using an ip address to
> the server, while the javascript client can? (using the same
> certificate chain)
> 2. If not, any idea how I could debug this?
> 3. Would it be possible that the problem is some high-level SSL stuff,
> where you actually need a real hostname and can't use an IP?
> 
> 
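For the debugging question in the quoted message, a certificate can be tested against a name or an address without involving either client. The script below is an added example, not part of the original thread or of IXWebSocket; its helper names, file names and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, helper names and 192.0.2.10 are constructed.

# make_cert OUT SAN: throwaway self-signed cert, CN=localhost, given SAN list.
make_cert() {
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = localhost
[ext]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$cnf.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cnf" "$cnf.key"
    return "$rc"
}

# is_ip TARGET: shape check only; assumes a well-formed IPv4/IPv6 literal.
is_ip() {
    case $1 in
        *:*) return 0 ;;                       # IPv6 literal
        ''|*[!0-9.]*|*.*.*.*.*) return 1 ;;    # empty, a name, or too many parts
        *.*.*.*) return 0 ;;                   # dotted quad
        *) return 1 ;;
    esac
}

# cert_matches CERT TARGET: succeeds when CERT is valid for TARGET.
# -checkip compares an address only with iPAddress SAN entries; -checkhost
# compares a name with dNSName entries (CN only when there are none).
cert_matches() {
    if is_ip "$2"; then flag=-checkip; else flag=-checkhost; fi
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# Stand-alone use: sh sancheck.sh server.crt 192.0.2.10
if [ "$#" -eq 2 ]; then
    openssl x509 -in "$1" -noout -ext subjectAltName   # list the SAN entries
    if cert_matches "$1" "$2"; then echo "$2: match"; else echo "$2: NO match"; fi
fi
```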