TLS handshake failed

Chris

Jan 12, 2021, 11:58:16 PM
to WebSocket++

Sorry if this shouldn't be in two spots, I'm just getting a little desperate to get this to work for my internship.

I've built all the print_client_tls and echo_server_tls examples both on my local machine (Big Sur OS X) and on an Ubuntu remote server, but both get the TLS handshake failed error when the client tries to connect to the server. I've tried (I think) every possible solution offered in the issues here, from changing the SSL protocol to tls12 to changing the context flags for both the client and server. Should we not be using the pem files for the server/client, i.e., should we be generating new ones? I have these in the binary dir containing all the executables.

I would really appreciate a response, I've spent the past three full days working on this to no avail :(. As you can probably tell, I'm a little less experienced with networking in general and SSL in particular.

Peter Thorson

Jan 14, 2021, 4:30:24 PM
to WebSocket++
Hi Chris,

Safely using WebSocket servers in TLS mode requires valid, signed security certificates trusted by the cert stores of your target users. The example certificates that ship with the project are self-signed certificates intended to demonstrate formats and allow very limited testing. They are definitely not trusted by browsers. You may be able to convince your operating system to trust the example cert and allow you to use it with a browser; the exact mechanisms for this are operating system and browser specific and out of scope here.

One potential hint that has been helpful to others in the past is that some browsers will allow you to manually whitelist a certificate via an HTTPS website but have no GUI to do this for WebSocket connections. By accepting/trusting a certificate on one HTTPS site, that same cert is trusted in other contexts, like WSS connections. So if you load the WS++ example cert in an HTTPS web server (which could be a WebSocket++ program with an http handler) you might be able to get to the GUI to trust the cert enough for limited testing purposes.

A properly signed cert from Let's Encrypt or a CA of your choice is certainly a better (and required medium/long term) solution.
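
The trust decision described in the reply above can be checked outside any browser or client with the `openssl` CLI. The script below is an added example, not part of the thread or of WebSocket++; the file names, `CN=localhost` and the verdict strings are constructed, and the expiry check goes slightly beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: classify why a TLS client might reject a server certificate.

# Create a throwaway self-signed certificate (constructed stand-in for a test cert).
make_selfsigned() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Subject == issuer: the usual marker of a self-signed certificate.
is_self_signed() {    # $1 = certificate PEM
  ss_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  ss_iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ -n "$ss_subj" ] && [ "$ss_subj" = "$ss_iss" ]
}

# Does the certificate chain to the machine's default trust store?
trusted_by_default_store() { openssl verify "$1" >/dev/null 2>&1; }

# Does it verify once the given PEM is supplied as an explicit trust anchor?
trusted_with_anchor() {   # $1 = certificate PEM, $2 = anchor PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print one verdict for the certificate in $1.
diagnose() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired-or-unreadable"
  elif trusted_by_default_store "$1"; then
    echo "trusted-by-default-store"
  elif is_self_signed "$1" && trusted_with_anchor "$1" "$1"; then
    # The verifying side must load this cert as a trust anchor for verification to pass.
    echo "self-signed-needs-explicit-trust"
  else
    echo "untrusted-chain"
  fi
}

# Stand-alone use: sh diagnose.sh path/to/cert.pem
if [ $# -ge 1 ]; then diagnose "$1"; fi
```

A verdict of `self-signed-needs-explicit-trust` means the certificate is only accepted by a verifying peer that has been given that certificate as a trust anchor.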

Christopher Barkachi

Jan 14, 2021, 4:36:21 PM
to Peter Thorson, WebSocket++
Hi Peter,

I appreciate the response. I understand that the cert may not be trusted by a browser, but I would assume that it should be trusted by the print_client_tls example? I can’t even get a successful handshake there.
