Hello,
I have an IXWebSocket C++ wss client connecting to a Node.js wss server (websocket npm package). Everything is fine as long as the client connects to `wss://localhost:8080`. As soon as I use the IP address of the Node.js wss server, I get the error "OpenSSL failed - error:0A000086:SSL routines::certificate verify failed".
## Certificate chain creation ##
I created my own private root ca. I used those commands to generate root ca key/certificate and server key/certificate:
```
$ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt
$ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr
$ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt
```
The configuration has a `subjectAltName` for both root and server and it looks like this:
See config file: https://pastebin.com/kAcwkp9w
The certificate chain looks valid between my *root ca* and my *server*:
```
$ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt
server\certs\server.crt: OK
```
Both `ca.crt` and `server.crt` have a reference to my IP address, so I used the subjectAltName parameter to define it. I thought that my *root ca* would need it (I am not even sure that it makes sense to have a domain on the *root ca*), but it doesn't make any difference.
## Code that is not working ##
My IXWebSocket C++ client:
https://pastebin.com/tLGi3amA
## Code that is working ##
wss JavaScript client:
I also coded a JavaScript client (using the same npm package as my server, not ) and this little client can connect using the IP address!!
https://pastebin.com/Huzv59gX
My Node.js server:
https://pastebin.com/QCYg5z1B
Questions:
1. Any idea why my C++ client cannot connect using an IP address to the server, while the JavaScript client can? (using the same certificate chain)
2. If not, any idea how I could debug this?
3. Would it be possible that the problem is some high-level SSL stuff, where you actually need a real hostname and can't use an IP?
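
Added example, not part of the original post: `openssl verify -CAfile`, as run above, validates only the chain and does not compare any name against the certificate. The script below builds a throwaway CA and server certificate and shows how `-verify_ip` and `-verify_hostname` treat an `IP:` versus a `DNS:` subjectAltName entry; the helper `san_check`, the subject names and the address 192.0.2.10 are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added demo. Everything here is constructed: throwaway keys in a temp dir,
# made-up subject names, and 192.0.2.10 (a documentation-only address).
set -eu

# san_check <subjectAltName value> <-verify_ip|-verify_hostname> <name>
# Hypothetical helper: prints "match" or "mismatch".
san_check() (
  d="$(mktemp -d)"
  trap 'rm -rf "$d"' EXIT
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root (unencrypted key: acceptable only for a throwaway demo).
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  # Server key and CSR; the CN is deliberately not the IP address.
  openssl req -new -config "$d/ca.cnf" -subj "/CN=demo-server" -newkey rsa:2048 \
    -nodes -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
  # Sign the CSR with only the SAN under test as an extension.
  printf 'subjectAltName = %s\n' "$1" > "$d/ext.cnf"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/srv.crt" >/dev/null 2>&1
  # Chain check plus a name check against the certificate.
  if openssl verify -CAfile "$d/ca.crt" "$2" "$3" "$d/srv.crt" 2>/dev/null |
     grep -q ': OK'; then echo match; else echo mismatch; fi
)

echo "IP SAN,  -verify_ip:       $(san_check IP:192.0.2.10 -verify_ip 192.0.2.10)"
echo "IP SAN,  -verify_hostname: $(san_check IP:192.0.2.10 -verify_hostname 192.0.2.10)"
echo "DNS SAN, -verify_ip:       $(san_check DNS:192.0.2.10 -verify_ip 192.0.2.10)"
```

Running the same `-verify_ip <address>` check against the real `server.crt`, and inspecting its SAN with `openssl x509 -noout -ext subjectAltName -in server.crt` (OpenSSL 1.1.1 or later), shows whether the address is present as an `IP Address` entry.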