TLS handshake failed - issue in the TLS client example
Hello,
first of all thanks a lot for the great library.
I wanted to share a problem that we discovered in the TLS client example that I adopted for my project.
We struggled with the following:
- Connecting to a localhost server is OK (self-signed certs)
- Connecting to a real server resulted in TLS handshake errors even though the certs were ok.
When digging deeper we noticed that actually the handshake is fine, but the verify_subject_alternative_name() and verify_common_name() are failing to correctly compare the declared host name with the value in the cert file IF that value contains wildcards.
After fixing this function (fairly trivial) we completed the connection perfectly fine.
PS. I'm not providing the patch directly since it's fairly easy to fix and it's not a real bug per se since the example is meant to be used with localhost.
Can you tell me how to modify it?
Why are you unwilling to share what you did to fix it?
Wasn't it explained already in my PS?
I don't have the repo access atm, I can post the exact "patch" this Friday if that's going to help someone.
Honestly though, look at the two listed functions meanwhile and see how the wildcards are handled.
I have the same problem, can you tell me how to solve it?
Just replace this function with this (to remove the verifications) and it will work:
```cpp
// Workaround as posted: returns a bare SSL context with no verify mode and no
// verification callback set, so the example no longer checks the peer certificate.
context_ptr on_tls_init(const char * hostname, websocketpp::connection_hdl) {
    context_ptr ctx = websocketpp::lib::make_shared<boost::asio::ssl::context>(boost::asio::ssl::context::sslv23);
    return ctx;
}
```
Patch that solved it for me. Long story short - library examples couldn't handle wildcard host name resolution. I added a fix for that. Note, it's a slightly modified code base, but should give you an idea. ocpp-ssl.patch.txt
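The wildcard comparison the original report and the patch post describe, as an added example that is not code from the websocketpp example or from the attached patch: a host-name matcher following the RFC 6125 rules (wildcard only as the whole left-most label, matching exactly one label), plus the SAN-first, CN-fallback lookup the example's two verify functions perform. It keeps verification in place instead of dropping it as the workaround above does; the function names are this example's own.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Split a DNS name into lower-cased labels ("*.Example.com" -> {"*", "example", "com"}).
static std::vector<std::string> split_labels(const std::string& name) {
    std::vector<std::string> labels;
    std::string cur;
    for (char c : name) {
        if (c == '.') { labels.push_back(cur); cur.clear(); }
        else cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    }
    labels.push_back(cur);
    return labels;
}

// True if a name presented by the certificate (dNSName SAN or CN) matches the
// host we intended to reach, per RFC 6125 section 6.4.3:
//  - case-insensitive, label-by-label comparison, same number of labels;
//  - "*" is honoured only as the entire left-most label and matches exactly
//    one non-empty label, so "*.example.com" matches "api.example.com" but
//    not "example.com" or "a.b.example.com";
//  - a wildcard needs at least two labels after it, so "*.com" and "*" never match;
//  - a '*' anywhere else (e.g. "f*o.example.com") is compared literally.
bool hostname_matches(const std::string& cert_name, const std::string& host) {
    if (cert_name.empty() || host.empty()) return false;
    std::vector<std::string> pat = split_labels(cert_name);
    std::vector<std::string> hst = split_labels(host);
    if (pat.size() != hst.size()) return false;
    for (size_t i = 0; i < pat.size(); ++i) {
        if (pat[i] == "*") {
            if (i != 0 || pat.size() < 3 || hst[i].empty()) return false;
            continue;
        }
        if (pat[i] != hst[i]) return false;
    }
    return true;
}

// Check the names a certificate carries: dNSName SANs first; the CN is only
// consulted when the certificate has no dNSName SAN at all (RFC 6125 section 6.4.4).
bool cert_matches_host(const std::vector<std::string>& san_dns_names,
                       const std::string& common_name, const std::string& host) {
    if (!san_dns_names.empty()) {
        return std::any_of(san_dns_names.begin(), san_dns_names.end(),
                           [&](const std::string& n) { return hostname_matches(n, host); });
    }
    return hostname_matches(common_name, host);
}
```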