You can see the server cert here : https://pastebin.com/Eb8b9tUf
Indeed, server cert shows "localhost", but it also shows the ip address :
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:192.168.230.138, IP Address:127.0.0.1
DNS:localhost, IP Address:192.168.230.138, IP Address:127.0.0.1
By the way, the author of the IXWebSocket c++ library told me :
This might be a high level SSL stuff, where you actually need a real hostname and can't use an IP.
But on the other hand, I have a _javascript_ websocket client that can connect to my wss server using the same certificate as the c++ client.
All of this is for test purposes, eventually, I will use a domain name. But as a workaround, I thought to use a fake domain name that points to the server IP address. Maybe this will work?
Thank you.
Le lun. 13 févr. 2023, à 10 h 03, Mark Hack <markhack@xxxxxxxxxxxx> a écrit :
I have a few ideas what the issue is. Can you start by either attaching the server cert or showing it in text form using the command "openssl x509 ..."Looking at the IX code (and it was a very quick look), I suspect that only the CN is validated. If the server cert shows "localhost" then that is probably the issue.RegardsMark HackOn Fri, 2023-02-10 at 16:13 -0500, Pierre-Luc Boily wrote:Hello,
I have a IXWebSocket c++ wss client connecting to a Node.js wss server(websocket npm package). Everything is fine as long as the client connects to `wss://localhost:8080`. Soon as I use the ip address of the Node.js wss server, I have the error "OpenSSL failed - error:0A000086:SSL routines::certificate verify failed"
## Certificate chain creation ##
I created my own private root ca. I used those commands to generate root ca key/certificate and server key/certificate:
$ openssl genpkey -aes256 -out root-ca/private/ca.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ openssl req -config root-ca/root-ca.conf -key root-ca\private\ca.private.key -x509 -days 7500 -sha256 -extensions v3_ca -out root-ca\certs\ca.crt
$ openssl genpkey -out server/private/server.private.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ openssl req -key server\private\server.private.key -new -sha256 -out server\csr\server.csr
$ openssl ca -config root-ca\root-ca.conf -extensions server_cert -days 365 -notext -in server\csr\server.csr -out server\certs\server.crt
The configuration has a `subjectAltName` for both root and server and it looks like this :
See config file : https://pastebin.com/kAcwkp9w
The certificate chain looks valid between my *root ca* and my *server*:
$ openssl verify -CAfile root-ca\certs\ca.crt server\certs\server.crt
server\certs\server.crt: OK
Both `ca.crt` and `server.crt` have a reference to my ip address, so I used the subjectAltName parameter to define it. I thought that my *root ca* would need it (I am not even sure that it makes sense to have a domain on the *root ca*), but it doesn't make any difference.
Code that is not working
My IXWebSocket c++ client :
https://pastebin.com/tLGi3amA
Code that is working
wss _javascript_ client:
I also coded a _javascript_ client (using the same npm package as my server, not ) and this little client can connect using the ip address!!
https://pastebin.com/Huzv59gX
My Node.js server :
https://pastebin.com/QCYg5z1B
Questions :
1. Any idea why my c++ client cannot connect using an ip address to the server, while the _javascript_ client can? (using the same certificate chain)
2. If not, any idea how I could debug this?
3. Would it be possible that the problem is a high level SSL stuff, where you actually need a real hostname and can't use an IP?