<div dir="ltr">So, I updated my hosts file. I added a fake url pointing to the server. Then, I created a new certificate with a SAN pointing to the fake URL et voilà, my c++ wss client can connect to my wss server.<div><br></div><div>So, your assumption is correct, the IXWebSocket implementation of openssl cannot use an ip address.</div><div><br></div><div>Thank you.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 13 févr. 2023, à 15 h 07, Pierre-Luc Boily <<a href="mailto:pierreluc.boily@gmail.com">pierreluc.boily@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">You can see the server cert here : <a href="https://pastebin.com/Eb8b9tUf" target="_blank">https://pastebin.com/Eb8b9tUf</a><div><br></div><div>Indeed, server cert shows "localhost", but it also shows the ip address :</div><div><br></div><div> X509v3 Subject Alternative Name:<br> DNS:localhost, IP Address:192.168.230.138, IP Address:127.0.0.1<br></div><div><br></div><div>By the way, the author of the IXWebSocket c++ library told me :</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><i>This might be a high level SSL stuff, where you actually need a real hostname and can't use an IP.</i></span></blockquote><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><br></span></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px">But on the other hand, I have a javascript websocket client that can connect to my wss server using the same certificate as the c++ client.</span></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><br></span></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px">All of this is for test purposes, eventually, I will use a domain name. But as a workaround, I thought to use a fake domain name that points to the server IP address. Maybe this will work?</span></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px"><br></span></div><div><span style="color:rgb(36,41,47);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI","Noto Sans",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:14px">Thank you.</span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 13 févr. 2023, à 10 h 03, Mark Hack <<a href="mailto:markhack@markhack.com" target="_blank">markhack@markhack.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="text-align:left;direction:ltr"><div>I have a few ideas what the issue is. Can you start by either attaching the server cert or showing it in text form using the command "openssl x509 ..."</div><div><br></div><div>Looking at the IX code (and it was a very quick look), I suspect that only the CN is validated. If the server cert shows "localhost" then that is probably the issue.</div><div><br></div><div><br></div><div>Regards</div><div><br></div><div>Mark Hack</div><div><br></div><div>On Fri, 2023-02-10 at 16:13 -0500, Pierre-Luc Boily wrote:</div><blockquote type="cite" style="margin:0px 0px 0px 0.8ex;border-left:2px solid rgb(114,159,207);padding-left:1ex"><div dir="ltr">Hello,<br><br>I have a <i>IXWebSocket</i> c++ wss client connecting to a <i>Node.js</i> wss server(websocket npm package). Everything is fine as long as the client connects to `<font face="monospace">wss://localhost:8080</font>`. Soon as I use the ip address of the <i>Node.js</i> wss server, I have the error "<i>OpenSSL failed - error:0A000086:SSL routines::certificate verify failed</i>"<br><br>## Certificate chain creation ##<br>I created my own private root ca. I used those commands to generate <i>root ca</i> key/certificate and <i>server</i> key/certificate:<br><br> <font face="monospace"> $ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048<br> $ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt<br> $ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048<br> $ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr<br> $ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt</font><br><br>The configuration has a `<font face="monospace">subjectAltName</font>` for both root and server and it looks like this :<br><br> See config file : <a href="https://pastebin.com/kAcwkp9w" target="_blank">https://pastebin.com/kAcwkp9w</a><br><br>The certificate chain looks valid between my *root ca* and my *server*:<br><br><font face="monospace"> $ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt<br> server\certs\server.crt: OK</font><br><br><br>Both `<font face="monospace">ca.crt</font>` and `<font face="monospace">server.crt</font>` have a reference to my ip address, so I used the <font face="monospace">subjectAltName </font>parameter to define it. I thought that my *root ca* would need it (I am not even sure that it makes sense to have a domain on the *root ca*), but it doesn't make any difference.<br><br><font size="4"><b>Code that is not working</b></font><br><br><b>My IXWebSocket c++ client :</b><br><br><a href="https://pastebin.com/tLGi3amA" target="_blank">https://pastebin.com/tLGi3amA</a><br><br><font size="4"><b>Code that is working</b></font><br><br><b>wss javascript client:</b><br><br>I also coded a javascript client (using the same npm package as my server, not ) and this little client can connect using the ip address!!<br><br><a href="https://pastebin.com/Huzv59gX" target="_blank">https://pastebin.com/Huzv59gX</a><br><br><br><b>My Node.js server :</b><br><br><a href="https://pastebin.com/QCYg5z1B" target="_blank">https://pastebin.com/QCYg5z1B</a><br><br><br><b><font size="4">Questions : </font></b><br>1. Any idea why my c++ client cannot connect using an ip address to the server, while the javascript client can? (using the same certificate chain)<br>2. If not, any idea how I could debug this?<br>3. Would it be possible that the problem is a high level SSL stuff, where you actually need a real hostname and can't use an IP?<br><br></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>