I made a secure WebSocket server based on RustTls. My problem is that when I try to connect a valid client (made with Python), I keep getting "TLS accept failed: invalid certificate: BadDER" from the server. The client can connect to other WebSocket servers with no problem.
Note that I generated the signed certificates (for both server and client) using openssl commands, and both certificates work properly with other TLS sockets (made with C and Python).
My question is: what does BadDER mean, and how can I resolve this? Can I force the server to accept an invalid certificate?
Probably you're missing a SAN; see this issue and this comment in particular. (Or this one, but only as a last resort.)
Thanks for the reply. My certificates both have a subject common name; isn't that the same as a SAN? If not, what is the difference?
No, the CN can only be a single entry, while you can have a lot of SAN entries (and entries that aren't DNS names/wildcards). For HTTPS, the CN is not used if there's a SAN, so include the CN as a SAN. Moreover, using CN is deprecated for HTTPS, so always generate a SAN when generating for HTTPS.
(Most browsers will fall back to the CN if there is no SAN for backwards compatibility, but as you've found, that's not the case for RustTls. (Without a custom verifier. Protocols that aren't HTTPS have different verification behavior around CN and SAN.))
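To make the CN-versus-SAN point in the replies above concrete, here is an added example (not from the thread) that signs the same CSR twice with a throwaway CA, once CN-only and once with a `subjectAltName` extension, and checks each result. All file names, the CA name and the `localhost`/`127.0.0.1` entries are constructed for illustration; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: constructed names and paths, throwaway keys in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config. The [ca] and [san] sections are applied only when named.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[ca]
basicConstraints = critical, CA:TRUE
[san]
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# has_san CERT: succeeds only if the certificate carries a SAN extension.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 Subject Alternative Name"
}

# Throwaway CA, then a key and CSR for the server (subject CN=localhost).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/pki.cnf" \
    -subj "/CN=Example Test CA" -extensions ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# sign_leaf OUT [extra x509 args...]: sign the CSR with the throwaway CA.
sign_leaf() {
    out=$1; shift
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$out" "$@" 2>/dev/null
}

sign_leaf "$WORK/cn-only.pem"                                   # name only in CN
sign_leaf "$WORK/with-san.pem" -extfile "$WORK/pki.cnf" -extensions san

for c in cn-only with-san; do
    if has_san "$WORK/$c.pem"; then echo "$c: SAN present"
    else echo "$c: no SAN, name appears only in the CN"; fi
done
```

`openssl x509 -req` does not copy extensions from the CSR unless told to, so a certificate signed without `-extfile`/`-extensions` ends up CN-only even when the CSR requested a SAN.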