Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting SSLException : Unacceptable certificate from abc.example.com: application verification failure #4736

Open
gokulkrishna-k opened this issue Oct 15, 2024 · 1 comment
Open

Getting SSLException : Unacceptable certificate from abc.example.com: application verification failure #4736

gokulkrishna-k opened this issue Oct 15, 2024 · 1 comment

Comments

@gokulkrishna-k
Copy link

when establishing a WebSocket connection to our server this exception occurs.
Unacceptable certificate from abc.example.com: application verification failure
The exception is captured by const Poco::Net::SSLException &e , kindly refer the code below

initialize() will be called before connect()

void WSSyncSocket::initialize() {
    std::string hostName = getServerHostName();
    int hostPort = getServerPort();

    lpHttpRequest = std::shared_ptr<HTTPRequest>(new HTTPRequest(
        Poco::Net::HTTPRequest::HTTP_GET, "/" + serverEndpointUrl, HTTPMessage::HTTP_1_1));

    Poco::Net::initializeSSL();
    _isSSLInitialized = true;

    ptrMyInvalidCertificateHandler = new Poco::Net::MyInvalidCertificateHandler(
        false, _isSystemMode, (WsLogger) ? WsLogger : nullptr);

    ptrHandler = ptrMyInvalidCertificateHandler;

    lpWssContext = (new Poco::Net::Context(Poco::Net::Context::TLS_CLIENT_USE, "", "", "",
                                           Poco::Net::Context::VERIFY_RELAXED, 9, true));
    lpWssContext->requireMinimumProtocol(Poco::Net::Context::PROTO_TLSV1_2);
    lpWssContext->setInvalidCertificateHandler(ptrMyInvalidCertificateHandler);

    if (!ptrHandler)
        Poco::Net::SSLManager::instance().initializeClient(0, ptrHandler, lpWssContext);

    lpClientSession = std::shared_ptr<HTTPClientSession>(
        (HTTPClientSession *)new HTTPSClientSession(hostName, hostPort, lpWssContext));
}

bool WSSyncSocket::connect() {
    bool connectResult = false;

    try {
        if ((lpHttpRequest != NULL) && (lpClientSession != NULL)) {
            if (WsLogger)
                WsLogger->log(CSLoggerUtils::CSLogger::LOG_INFO,
                              "Creating a websocket connection object");

            lpWebSocket = std::shared_ptr<WebSocket>(
                new WebSocket(*(lpClientSession.get()), *(lpHttpRequest.get()), (httpResponse)));

            if (lpWebSocket != NULL) {
                initSocketConfigurations();

                if (WsLogger)
                    WsLogger->log(CSLoggerUtils::CSLogger::LOG_INFO,
                                  "WebSocket Connection Successful");

                connectResult = true;
            } else {
                if (WsLogger)
                    WsLogger->log(CSLoggerUtils::CSLogger::LOG_INFO, "WebSocket Connection failed");
            }
        } else {
            if (WsLogger)
                WsLogger->log(CSLoggerUtils::CSLogger::LOG_ERROR,
                              "HTTPRequest and ClientSession parameters not initialized");
            setLastError(SOCKUTIL_ERROR_SOCKET_NOT_INITIALIZED);
        }
    } catch (WebSocketException &wsExcep) {
        if (WsLogger)
            WsLogger->log(CSLoggerUtils::CSLogger::LOG_ERROR, "Code : %d, WebSocketException - %s",
                          wsExcep.code(), wsExcep.message());
        setLastError(wsExcep.code(), (char *)wsExcep.what());
    } catch (const Poco::Net::SSLException &e) {
        std::string errorMessage = std::string((char *)e.what());

        if (WsLogger) {
            WsLogger->log(CSLoggerUtils::CSLogger::LOG_ERROR,
                          "SSLException Code : %d, Message : %s", e.code(), e.message());
        }

        setLastError(e.code(), (char *)errorMessage.c_str());
    } catch (std::exception &excep) {
        if (WsLogger)
            WsLogger->log(CSLoggerUtils::CSLogger::LOG_ERROR, "Exception - %s",
                          std::string(excep.what()));
        connectResult = false;
        setLastError(SOCKUTIL_STD_EXCEPTION, (char *)excep.what());
    } catch (...) {
        if (WsLogger) WsLogger->log(CSLoggerUtils::CSLogger::LOG_ERROR, "Exception - UNKNOWN");
        connectResult = false;
        setLastError(SOCKUTIL_STD_EXCEPTION, ("UNKNOWN_EXCEPTION"));
    }

    return connectResult;
}

I observed that this exception only occurs when the SSL cert received from the server contains different CN instead of the server endpoint I'm connecting to (in case Self Signed firewall certificates).

I printed the certificate , here is the sample as i cannot share the original certificate

Certificate Validation Success, Certificate Details: Subject: CN=*.xyz.com, Issued Name: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA, Common Name: *.xyz.com, Serial Number: 90F3****DEE, Expires on: 2025-05-02 05:29:59, Signature Algorithm: sha256WithRSAEncryption

xyz.com is not the server I'm trying to connect to.

#1414 - this is similar to my issue but in my case I'm using WebSocket with HTTPClientSession

Thanks in advance for any suggestions.
@micheleselea
Copy link
Contributor

try using Poco::Net::Context::VERIFY_NONE
because if you use VERIFY_RELAXED you need to create the Poco::Net::Context giving the correct caLocation file. For example you can use a .pem file from mozilla firefox you can find it online

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@micheleselea @gokulkrishna-k and others