<div dir="ltr">Hello,<div><br></div><div><h2 style="margin:0px 0px 0.7em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.3;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;vertical-align:baseline;box-sizing:inherit;color:rgb(35,38,41)"><u style=""><font size="4" style="">Details</font></u></h2></div><div>OS : Windows 10</div><div>Arch : x64</div><div>Compiler : Visual Studio 2017</div><div><br></div><div><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif">I have a </span><strong style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;vertical-align:baseline;box-sizing:inherit;color:rgb(35,38,41)">c++ wss <a href="https://github.com/machinezone/IXWebSocket" rel="nofollow noreferrer" target="_blank" style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit">IXWebSocket</a> client</strong><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif"> that tries to connect to a </span><strong style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;vertical-align:baseline;box-sizing:inherit;color:rgb(35,38,41)">nodejs https/websocket server</strong><span style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe 
UI","Liberation Sans",sans-serif"> but the client refuses to connect and returns the error : </span><em style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;vertical-align:baseline;box-sizing:inherit;color:rgb(35,38,41)">OpenSSL failed - error:0A000086:SSL routines::certificate verify failed</em></div><div><span style="margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;vertical-align:baseline;box-sizing:inherit"><h2 style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;margin:1.667em 0px 0.7em;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:1.3;vertical-align:baseline;box-sizing:inherit"><font size="4" style=""><u style="">What I tried</u></font></h2><ol style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;margin:0px 0px 1.1em 30px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;vertical-align:baseline;list-style-position:initial;box-sizing:inherit"><li style="margin-left:0px;margin-top:0px;margin-right:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit"><span style="font-weight:inherit">I have a React front end using wss to communicate to my https nodejs server. 
</span><strong style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit">It works -></strong><span style="font-weight:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit"> </span><span style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit"><b>This confirms that my key and certificate are valid.</b></span></li><li style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit">I also tried the same c++ client above, not secured (no wss) connecting to my same nodejs server, but http/websocket (non secure). <strong style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline;box-sizing:inherit">It works</strong>.</li></ol><div style="color:rgb(35,38,41)"><font face="-apple-system, BlinkMacSystemFont, Segoe UI Adjusted, Segoe UI, Liberation Sans, sans-serif">So, I had to dig into the OpenSSL code and I found where the error is triggered, see code below.  
In my case </font><font face="arial, sans-serif"><em style="box-sizing:border-box;color:rgb(36,41,47)">s->verify_mode</em><span style="color:rgb(36,41,47)"> is equal to </span><em style="box-sizing:border-box;color:rgb(36,41,47)">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47)"> and </span><em style="box-sizing:border-box;color:rgb(36,41,47)">i</em><span style="color:rgb(36,41,47)"> equal to </span><em style="box-sizing:border-box;color:rgb(36,41,47)">0</em></font><span style="box-sizing:border-box;color:rgb(36,41,47)"><font face="arial, sans-serif"> and I don't know if those values are OK or not.</font></span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif"><span style="box-sizing:border-box;color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji""><br></span></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif" style=""><span style="box-sizing:border-box;color:rgb(36,41,47)">While I wa</span></font><font face="arial, sans-serif" style=""><span style="box-sizing:border-box;color:rgb(36,41,47)">s</span><span style="box-sizing:border-box;color:rgb(36,41,47)"> digging i</span><span style="box-sizing:border-box;color:rgb(36,41,47)">nto the code, I also realized that <i>SSL_OP_NO_TLSv1_3</i> is automagically defined for my code.  
I feel that it is incorrect</span></font><span style="font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";box-sizing:border-box;color:rgb(36,41,47)">.</span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><span style="box-sizing:border-box;color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><br></span></div><div style="font-size:15px"><span style="box-sizing:border-box;font-size:14px"><b style=""><u style=""><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47)">From </font><font face="monospace" style="" color="#0000ff">statem_clnt.c</font><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47)"> line 1888</font></u></b><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47)">:</font></span></div><div style=""><font face="monospace" style="" color="#0000ff">    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {<br>        SSLfatal(s, ssl_x509err2alert(s->verify_result),<br>                 SSL_R_CERTIFICATE_VERIFY_FAILED);<br>        return WORK_ERROR;<br>    }</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><u><b>Stacktrace</b></u>:</div><div style=""><font face="monospace" 
style="" size="1"><font color="#232629">>    </font><font color="#0000ff">libssl-3-x64.dll!tls_post_process_server_certificate(ssl_st<br>       libssl-3-x64.dll!ossl_statem_client_post_process_message(ss<br>  libssl-3-x64.dll!read_state_machine(ssl_st * s) Line 675        <br>     libssl-3-x64.dll!state_machine(ssl_st * s, int server) Line<br>  libssl-3-x64.dll!ossl_statem_connect(ssl_st * s) Line 266       <br>     libssl-3-x64.dll!SSL_do_handshake(ssl_st * s) Line 3937 C  <br>         libssl-3-x64.dll!SSL_connect(ssl_st * s) Line 1760      C      <br>   testWSClient.exe!ix::SocketOpenSSL::openSSLClientHandshake(<br>  testWSClient.exe!ix::SocketOpenSSL::connect(const std::basi<br>  testWSClient.exe!ix::WebSocketHandshake::clientHandshake(co<br>  testWSClient.exe!ix::WebSocketTransport::connectToUrl(const<br>  testWSClient.exe!ix::WebSocket::connect(int timeoutSecs) Li<br>  testWSClient.exe!ix::WebSocket::checkConnection(bool firstC<br>  testWSClient.exe!ix::WebSocket::run() Line 367  C++   </font></font><span style="font-size:15px;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif"><font color="#0000ff">   </font><font color="#232629">  </font><br></span></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><u><b>IXWebClient, how key/cert are set </b>:</u></div><div style=""><font face="monospace" style="" color="#0000ff"><span style="font-size:15px">  </span>  ix::SocketTLSOptions tlsOptions;<br>    tlsOptions.certFile = "WebRTC.test.crt";<br>    tlsOptions.keyFile = "WebRTC.test.key";<br>    tlsOptions.caFile = "WebRTC-CA.pem";<br>    webSocket.setTLSOptions(tlsOptions);<br>    std::string url("wss://localhost:8080");<br>    
webSocket.setUrl(url);</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><br></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif" style="">No matter if the path of the key/certificate exists or not, I have the same error message from OpenSSL, which is weird...</font></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI Adjusted","Segoe UI","Liberation Sans",sans-serif;font-size:15px"><b><u>So :</u></b> </div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif">1. Any idea why I have <i>certificate verify failed</i>?</font></div><div style="color:rgb(35,38,41)"><font face="arial, sans-serif">2. Is it normal that <em style="box-sizing:border-box;color:rgb(36,41,47)">s->verify_mode</em><span style="color:rgb(36,41,47)"> is equal to </span><em style="box-sizing:border-box;color:rgb(36,41,47)">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47)"> and </span><em style="box-sizing:border-box;color:rgb(36,41,47)">i</em><span style="color:rgb(36,41,47)"> equal to </span><em style="box-sizing:border-box;color:rgb(36,41,47)">0</em></font></div><div><font face="arial, sans-serif"><font color="#24292f">3. Is it normal that </font><span style="color:rgb(36,41,47)"><i>SSL_OP_NO_TLSv1_3</i> is enabled in the code?</span></font></div><div><span style="color:rgb(36,41,47);font-family:arial,sans-serif"><br></span></div><div><span style="color:rgb(36,41,47);font-family:arial,sans-serif">Thanks a lot for any help.</span></div></span></div></div>
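
Added example (not part of the original message, and not OpenSSL or IXWebSocket code): a shell check, using the openssl command-line tool, of what the handshake in the post verifies, namely that the server certificate chains to the CA file the client trusts; a failed check prints the X509 error number of the kind libssl stores in s->verify_result. The CA names, subjects and file names are constructed for the demo and stand in for files such as WebRTC-CA.pem.

```shell
#!/bin/sh
# Added example; every subject, CA and file name below is constructed for the demo.

# Create two unrelated self-signed CAs and a leaf for "localhost" issued by the first.
make_demo_pki() {
    d=$1
    for ca in demo other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca test CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CA "$d/demo-ca.pem" \
        -CAkey "$d/demo-ca.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# Print the X509 verify error number for certificate $2 checked against CA file $1.
# "0" means the chain validates; any other number is an X509_V_ERR_* value.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# Succeed when private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"

echo "leaf against issuing CA:   $(verify_code "$demo_dir/demo-ca.pem" "$demo_dir/leaf.crt")"
echo "leaf against unrelated CA: $(verify_code "$demo_dir/other-ca.pem" "$demo_dir/leaf.crt")"
key_matches_cert "$demo_dir/leaf.crt" "$demo_dir/leaf.key" && echo "leaf key matches leaf cert"
```

Error number 20 is "unable to get local issuer certificate": the CA file given to the verifier does not contain the issuer of the certificate being checked.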