<html><head></head><body><div class="ydp9d3147a5yahoo-style-wrap" style="font-family:courier new, courier, monaco, monospace, sans-serif;font-size:16px;"><div><div dir="ltr" data-setdir="false">you are sending flooded emails wrongly. stop it.</div><div><br></div><div class="ydp9d3147a5signature"><div><font color="#2d2d2d" face="arial"><b><var id="ydp9d3147a5yui-ie-cursor"></var></b></font> </div><div><font color="#2d2d2d" face="arial"><b>Thanks and Regards<br></b></font><font color="#2d2d2d" face="arial"><font color="#2d2d2d" face="arial"><b>Sridhar PSV</b></font></font></div><font color="#2d2d2d" face="arial"></font><div><font color="#2d2d2d" face="arial"><div><b>Phone 571 244-5862</b></div></font></div></div></div>
<div><br></div><div><br></div>
</div><div id="ydp7972b741yahoo_quoted_1513837487" class="ydp7972b741yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Friday, December 16, 2022 at 04:08:38 PM CST, Pierre-Luc Boily <pierreluc.boily@gmail.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="ydp7972b741yiv9153410716"><div dir="ltr">Hello,<div><br></div><div><h2 style="margin:0px 0px 0.7em;padding:0px;border:0px;font-stretch:inherit;line-height:1.3;font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;vertical-align:baseline;color:rgb(35,38,41);"><u><font size="4">Details</font></u></h2></div><div>OS : WIndows 10</div><div>Arch : x64</div><div>Compiler : VisualStudio 2017</div><div><br></div><div><span style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;">I have a </span><strong style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;vertical-align:baseline;color:rgb(35,38,41);">c++ wss <a href="https://github.com/machinezone/IXWebSocket" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;" rel="nofollow" target="_blank">IXWebSocket</a> client</strong><span style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;"> that tries to connect to a </span><strong style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;vertical-align:baseline;color:rgb(35,38,41);">nodejs https/websocket server</strong><span style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;"> but the client refuses to connect and returns the error : </span><em style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;vertical-align:baseline;color:rgb(35,38,41);">OpenSSL failed - error:0A000086:SSL routines::certificate verify failed</em></div><div><span style="margin:0px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;vertical-align:baseline;"><h2 style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;margin:1.667em 0px 0.7em;padding:0px;border:0px;font-stretch:inherit;line-height:1.3;vertical-align:baseline;"><font size="4"><u>What I tried</u></font></h2><ol style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;margin:0px 0px 1.1em 30px;padding:0px;border:0px;font-stretch:inherit;line-height:inherit;vertical-align:baseline;list-style-position:initial;"><li style="margin-left: 0px; margin-top: 0px; margin-right: 0px; padding: 0px; border: 0px; font-style: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"><span style="font-weight:inherit;">I have a React front end using wss to communicate to my https nodejs server. </span><strong style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">It works -></strong><span style="font-weight: inherit; margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"> </span><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"><b>This confirms that my key and certificate are valid.</b></span></li><li style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">I also tried the same c++ client above, not secured (no wss) connecting to my same nodejs server, but http/websocket (non secure). <strong style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">It works</strong>.</li></ol><div style="color:rgb(35,38,41);"><font face="-apple-system, BlinkMacSystemFont, Segoe UI Adjusted, Segoe UI, Liberation Sans, sans-serif">So, I had to dig into the OpenSSL code and I found where the error is triggered, see code below. In my case </font><font face="arial, sans-serif"><em style="color:rgb(36,41,47);">s->verify_mode</em><span style="color:rgb(36,41,47);"> is equal to </span><em style="color:rgb(36,41,47);">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47);"> and </span><em style="color:rgb(36,41,47);">i</em><span style="color:rgb(36,41,47);"> equal to </span><em style="color:rgb(36,41,47);">0</em></font><span style="color:rgb(36,41,47);"><font face="arial, sans-serif" style="background-color: inherit;"> and I don't know if those values are OK or not.</font></span></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;"><span style="color:rgb(36,41,47);font-family:-apple-system, BlinkMacSystemFont, Helvetica, Arial, sans-serif, Color UI;"><br></span></div><div style="color:rgb(35,38,41);"><font face="arial, sans-serif"><span style="color:rgb(36,41,47);">While I wa</span></font><font face="arial, sans-serif"><span style="color:rgb(36,41,47);">s</span><span style="color:rgb(36,41,47);"> digging i</span><span style="color:rgb(36,41,47);">nto the code, I also realized that <i>SSL_OP_NO_TLSv1_3</i> is automagically defined for my code. I feel that it is incorrect</span></font><span style="font-family:-apple-system, BlinkMacSystemFont, Helvetica, Arial, sans-serif, Color UI;color:rgb(36,41,47);">.</span></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><span style="color:rgb(36,41,47);font-family:-apple-system, BlinkMacSystemFont, Helvetica, Arial, sans-serif, Color UI;font-size:14px;"><br></span></div><div style="font-size:15px;"><span style="font-size:14px;"><b><u><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47);">From </font><font face="monospace" color="#0000ff">statem_clnt.c</font><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color:rgb(36,41,47);"> line 1888</font></u></b><font face="-apple-system, BlinkMacSystemFont, Segoe UI, Noto Sans, Helvetica, Arial, sans-serif, Apple Color Emoji, Segoe UI Emoji" style="color: rgb(36, 41, 47); background-color: inherit;">:</font></span></div><div><font face="monospace" color="#0000ff"> if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {<br> SSLfatal(s, ssl_x509err2alert(s->verify_result),<br> SSL_R_CERTIFICATE_VERIFY_FAILED);<br> return WORK_ERROR;<br> }</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><u><b>Stacktrace</b></u>:</div><div><font face="monospace" size="1"><font color="#232629">> </font><font color="#0000ff">libssl-3-x64.dll!tls_post_process_server_certificate(ssl_st<br> libssl-3-x64.dll!ossl_statem_client_post_process_message(ss<br> libssl-3-x64.dll!read_state_machine(ssl_st * s) Line 675 <br> libssl-3-x64.dll!state_machine(ssl_st * s, int server) Line<br> libssl-3-x64.dll!ossl_statem_connect(ssl_st * s) Line 266 <br> libssl-3-x64.dll!SSL_do_handshake(ssl_st * s) Line 3937 C <br> libssl-3-x64.dll!SSL_connect(ssl_st * s) Line 1760 C <br> testWSClient.exe!ix::SocketOpenSSL::openSSLClientHandshake(<br> testWSClient.exe!ix::SocketOpenSSL::connect(const std::basi<br> testWSClient.exe!ix::WebSocketHandshake::clientHandshake(co<br> testWSClient.exe!ix::WebSocketTransport::connectToUrl(const<br> testWSClient.exe!ix::WebSocket::connect(int timeoutSecs) Li<br> testWSClient.exe!ix::WebSocket::checkConnection(bool firstC<br> testWSClient.exe!ix::WebSocket::run() Line 367 C++ </font></font><span style="font-size:15px;font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;"><font color="#0000ff" style="background-color: inherit;"> </font><font color="#232629" style="background-color: inherit;"> </font><br></span></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><u><b>IXWebClient, how key/cert are set </b>:</u></div><div><font face="monospace" color="#0000ff"><span style="font-size:15px;"> </span> ix::SocketTLSOptions tlsOptions;<br> tlsOptions.certFile = "WebRTC.test.crt";<br> tlsOptions.keyFile = "WebRTC.test.key";<br> tlsOptions.caFile = "WebRTC-CA.pem";<br> webSocket.setTLSOptions(tlsOptions);<br> std::string url("wss://localhost:8080");<br> webSocket.setUrl(url);</font><br></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><br></div><div style="color:rgb(35,38,41);"><font face="arial, sans-serif">No matter if the path of the key/certificate exists or not, I have the same error message from OpenSSL, which is weird...</font></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><br></div><div style="color:rgb(35,38,41);font-family:-apple-system, BlinkMacSystemFont, UI sans-serif;font-size:15px;"><b><u>So :</u></b> </div><div style="color:rgb(35,38,41);"><font face="arial, sans-serif">1. Any idea why I have <i>certificate verify failed</i>?</font></div><div style="color:rgb(35,38,41);"><font face="arial, sans-serif">2. Is it normal that <em style="color:rgb(36,41,47);">s->verify_mode</em><span style="color:rgb(36,41,47);"> is equal to </span><em style="color:rgb(36,41,47);">SSL_VERIFY_PEER</em><span style="color:rgb(36,41,47);"> and </span><em style="color:rgb(36,41,47);">i</em><span style="color:rgb(36,41,47);"> equal to </span><em style="color:rgb(36,41,47);">0</em></font></div><div><font face="arial, sans-serif"><font color="#24292f">3. Is it normal that </font><span style="color:rgb(36,41,47);"><i>SSL_OP_NO_TLSv1_3</i> is enabled in the code?</span></font></div><div><span style="color:rgb(36,41,47);font-family:arial, sans-serif;"><br></span></div><div><span style="color:rgb(36,41,47);font-family:arial, sans-serif;">Thanks a lot for any help.</span></div></span></div></div>
</div></div>
</div>
</div></body></html>