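I'm currently using the following code to generate a local https server.

To generate the crt:

```
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
```

server.py:

```python
import os
import BaseHTTPServer, SimpleHTTPServer  # Python 2 module names
import ssl
import sys

# Serve files from the current working directory.
cdir = os.getcwd()
os.chdir(cdir)

# Listen on all interfaces, port 443, and wrap the listening socket in TLS
# using the combined key + certificate file produced by the openssl command.
httpd = BaseHTTPServer.HTTPServer(('', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
```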

When I connect to it with my embedded device I receive the error:

```
mbedtls_ssl_handshake failed
==> The certificate Common Name (CN) does not match with the expected CN
```

How can I overcome this problem?

Well, your cert CN must match the domain in the URL you navigated to in your browser or you will receive name mismatch errors. – Frank Thomas – 2017-09-29T00:39:40.870
So in a local environment should I use http:// local_ip/ or just "local_ip" or "https:// local_ip"? – user217354 – 2017-09-29T06:01:16.613
You won't be able to avoid a CN mismatch if you are navigating to an IP address. It has to be a domain name. – Frank Thomas – 2017-09-29T12:01:45.103
Do you know how to set a local DNS usable with that python server script? – user217354 – 2017-09-29T12:06:17.470
DNS is an external phenomenon from the website's perspective. The site must be listening on a server IP, so just make sure that server IP is known by a DNS server (I use Bind on my LAN) under a given name. Provided that your phone is using the DNS server when you are on your LAN (use DHCP on your wireless to push it) you can point your browser to the site using the DNS name. That name is the one that needs to be registered in your cert. Of course this only works for inside your LAN, but the same principles apply for public hosting. – Frank Thomas – 2017-09-29T12:16:52.223
For the potential certificate problems, see How to create a self-signed certificate with openssl? Be sure all the names, like localhost and local_ip, are listed in the SAN. Use a friendly name for the CN, like "My Test Certificate" because modern user agents have deprecated host names in the CN. They don't use the CN any longer. – jww – 2017-10-03T20:55:22.633
Since you are trying to do this in Python, I think you could ask this on Stack Overflow. But the name that matters is the name in DNS; not the name you give the server in your Python code. – jww – 2017-10-03T20:56:55.760
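
The name check discussed in the comments, as an added example (not code from the question or from mbed TLS): a simplified model of how a TLS client compares the name it connected to against a certificate's SAN and CN entries, using the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The function names, the host names `devbox.lan` and `server.example`, and the address `192.168.1.10` are constructed for illustration.

```python
import ipaddress

def cert_names(cert):
    """Split a getpeercert()-style dict into (dns_names, ip_addrs, common_names)."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return dns, ips, cns

def _dns_match(pattern, host):
    """Exact match, or a single '*' standing for the whole left-most label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def name_matches(cert, target, cn_fallback=False):
    """True if `target` (host name or IP literal) is covered by the certificate.

    cn_fallback=True models older clients that still read the CN when the
    certificate carries no SAN at all (an assumption of this sketch).
    """
    dns, ips, cns = cert_names(cert)
    try:
        # An IP literal is only ever compared with iPAddress SAN entries.
        return ipaddress.ip_address(target) in ips
    except ValueError:
        pass
    host = target.lower().rstrip(".")
    if dns or ips or not cn_fallback:
        return any(_dns_match(d, host) for d in dns)   # SAN present: CN ignored
    return any(_dns_match(c, host) for c in cns)       # legacy CN-only check

# Constructed sample certificates in the dict shape returned by getpeercert().
CN_ONLY = {"subject": ((("commonName", "server.example"),),)}
WITH_SAN = {
    "subject": ((("commonName", "My Test Certificate"),),),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "devbox.lan"),
                       ("IP Address", "192.168.1.10")),
}

if __name__ == "__main__":
    for cert in (CN_ONLY, WITH_SAN):
        for target in ("192.168.1.10", "devbox.lan", "server.example"):
            print(target, name_matches(cert, target, cn_fallback=True))
```

Running the same check against the certificate a server actually presents shows whether the name or address the device connects to is listed before the handshake is attempted from the device.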