IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address

Pierre-Luc Boily pierreluc.boily at gmail.com
Wed Feb 15 14:45:01 UTC 2023 

Hello,

Viktor, your help is much appreciated,

Regarding what you said about the library :

The right answer is: don't use this library.


There are a couple of alternatives for secured websocket clients.  The most
popular is boost::beast, based on boost::asio.  But honestly, the interface
is so convoluted and hard to use, that this is one of the reasons I picked
IXWebSocket instead.

I guess that you also tell me to use another library because if this simple
thing (checking the ip address) is not well implemented, we cannot trust
the rest of the implementation!

But from there, I`ll try to stick to IXWebSocket a little bit more by:
1. Fixing the ip address problem with the information you gave me.
(Moreover, it helps to understand OpenSSL, it can`t do any harm... I only
have 2 months of experience, but I am getting (*a little bit*) better :)  )
2. (More a question here).  By monitoring the traffic between client and
server using wireshark.  Is it a good idea (and possible), to check the
traffic and make sure the data is encrypted?

About the fix, I realized that IXWebSocket already has :

            X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
            X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());

So, I guess that I should do something like this instead :

if (isIpAddress(host))
{
       //We are connecting to an ip address.  let OpenSSL validate the ip
address in SAN
        SSL_set1_host(_ssl, NULL);
        X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_connection);
        X509_VERIFY_PARAM_set1_ip_asc(param, "<ipaddress>");
}
else
{
            X509_VERIFY_PARAM* param = SSL_get0_param(_ssl_connection);
            X509_VERIFY_PARAM_set1_host(param, host.c_str(), host.size());
}

Does that make sense?

Thank you very much

Pierre-Luc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230215/e129a049/attachment.htm>

More information about the openssl-users mailing list