IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address

Pierre-Luc Boily pierreluc.boily at gmail.com
Mon Feb 13 20:07:51 UTC 2023


You can see the server cert here : https://pastebin.com/Eb8b9tUf

Indeed, server cert shows "localhost", but it also shows the ip address :

            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:192.168.230.138, IP Address:127.0.0.1

By the way, the author of the IXWebSocket c++ library told me :

> *This might be a high level SSL stuff, where you actually need a real
> hostname and can't use an IP.*


But on the other hand, I have a javascript websocket client that can
connect to my wss server using the same certificate as the c++ client.

All of this is for test purposes; eventually, I will use a domain name.
But as a workaround, I thought of using a fake domain name that points to the
server IP address. Maybe this will work?

Thank you.

On Mon, Feb 13, 2023, at 10:03, Mark Hack <markhack at markhack.com>
wrote:

> I have a few ideas what the issue is. Can you start by either attaching
> the server cert or showing it in text form using the command "openssl x509
> ..."
>
> Looking at the IX code (and it was a very quick look), I suspect that only
> the CN is validated. If the server cert shows "localhost" then that is
> probably the issue.
>
>
> Regards
>
> Mark Hack
>
> On Fri, 2023-02-10 at 16:13 -0500, Pierre-Luc Boily wrote:
>
> Hello,
>
> I have an *IXWebSocket* c++ wss client connecting to a *Node.js* wss
> server (websocket npm package). Everything is fine as long as the client
> connects to `wss://localhost:8080`. As soon as I use the ip address of the
> *Node.js* wss server, I have the error "*OpenSSL failed -
> error:0A000086:SSL routines::certificate verify failed*".
>
> ## Certificate chain creation ##
> I created my own private root ca.  I used those commands to generate *root
> ca* key/certificate and *server* key/certificate:
>
>     $ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
>     $ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt
>     $ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
>     $ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr
>     $ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt
>
> The configuration has a `subjectAltName` for both root and server and it
> looks like this :
>
>  See config file : https://pastebin.com/kAcwkp9w
>
> The certificate chain looks valid between my *root ca* and my *server*:
>
>     $ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt
>     server\certs\server.crt: OK
>
>
> Both `ca.crt` and `server.crt` have a reference to my ip address, so I
> used the subjectAltName parameter to define it. I thought that my *root
> ca* would need it (I am not even sure that it makes sense to have a domain
> on the *root ca*), but it doesn't make any difference.
>
> *Code that is not working*
>
> *My IXWebSocket c++ client :*
>
> https://pastebin.com/tLGi3amA
>
> *Code that is working*
>
> *wss javascript client:*
>
> I also coded a javascript client (using the same npm package as my server,
> not ) and this little client can connect using the ip address!!
>
> https://pastebin.com/Huzv59gX
>
>
> *My Node.js server :*
>
> https://pastebin.com/QCYg5z1B
>
>
> *Questions : *
> 1. Any idea why my c++ client cannot connect using an ip address to the
> server, while the javascript client can? (using the same certificate chain)
> 2. If not, any idea how I could debug this?
> 3. Would it be possible that the problem is a high level SSL stuff, where
> you actually need a real hostname and can't use an IP?
>
>
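One way to approach the debugging question in this thread, added here as an example that is not part of the original messages: OpenSSL matches a name against `DNS:` SAN entries and an address against `IP Address:` SAN entries through two separate checks, and the `openssl x509` options `-checkhost` and `-checkip` expose both. The certificate below is a throwaway self-signed one constructed with the SAN values quoted above; the file names and the functions `make_test_cert` and `san_matches` are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare DNS-name matching with IP-address matching on one certificate.
# Requires OpenSSL 1.1.1 or later (for -addext).
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/server.crt"

# Constructed test certificate carrying the same SAN as the one in the thread.
# $1 = output directory
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/server.key" -out "$1/server.crt" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:192.168.230.138,IP:127.0.0.1" \
    >/dev/null 2>&1
}

# Returns 0 only when OpenSSL reports a match.
# $1 = certificate file, $2 = "host" (DNS SAN check) or "ip" (IP SAN check), $3 = value
san_matches() {
  openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match certificate'
}

make_test_cert "$WORKDIR"

# Probe the same address both ways, plus an address that is not in the SAN.
for probe in "host localhost" "host 192.168.230.138" \
             "ip 192.168.230.138" "ip 127.0.0.1" "ip 192.168.230.139"; do
  set -- $probe
  if san_matches "$CERT" "$1" "$2"; then verdict="match"; else verdict="NO match"; fi
  printf '%-4s %-16s %s\n' "$1" "$2" "$verdict"
done
```

The `host` and `ip` rows correspond to the library calls `X509_check_host` and `X509_check_ip_asc`; pointing `san_matches` at the real `server.crt` shows which of the two checks the certificate can satisfy for the address the client dials.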