`tls: failed to verify certificate: x509: cannot validate certificate for <redacted> because it doesn't contain any IP SANs`

[shamefulCake1]

When running a client, I am receiving an error:

error:     dial server <redacted>:19190: CRYPTO_ERROR 0x12a (local): tls: failed to verify certificate: x509: cannot validate certificate for <redacted> because it doesn't contain any IP SANs

But in fact, since both clients and the server have a pre-shared cert, (server-cas-file=ca.pem), there is no reason to do IP validation. Moreover, doing IP validation only creates an inconvenience, because my server is running on a dynamic (but real, public) IP which changes every 24 hours, so I would have to re-generate it often.

Please, consider adding an option to trust any valid certificate chain, regardless of the IP/domain.

[ingon]

So you are running connect server with a self-signed certificate? Does this include a domain name?

Once way to "fix" this is to provide an option to basically set InsecureSkipVerify to the tls.Config. However, in this case your client will accept any server certificate, which is not great.

By default connet will set the hostname from --server-addr. If we don't do that, quic-go will set the IP of the target server as a server name. However, if your server is unresolvable (e.g. this is not added to a DNS entry) the connection will fail again. But, I believe that if we had an option to set --server-addr <IP> and say --server-name example.com and your certificate includes example.com things will work.

[shamefulCake1]

Yes, self-signed cert and no domain name.

SAN is just empty.

But openssl at least has an option of "trust the server if the ca is the same".

[shamefulCake1]

In openssl you can do something like

SSL_CTX_set_verify(
    ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

[ingon]

As I mentioned, it looks like quic-go will always set the SNI extension (either to the cert domain name or IP address it connects to) and then the tls library will verify that SNI. So, I think to achieve this, the client will need to do custom certificate validation and set InsecureSkipVerify 🤔

[ingon]

How about creating a certificate that uses .invalid tld? This is what connet uses internally.