Description
When using iroh 0.90.0 and a custom relay server on a Windows system, HTTPS detection consistently fails with a certificate verification error. The error is caused by RelayUrl automatically adding a dot to the end of the domain name (generating an FQDN such as relay-node1.example.com., with a trailing dot), but standard TLS certificates only include domains without a trailing dot (e.g., relay-node1.example.com).
Using iroh alone works fine, but my application requires iroh + rust_socketio. Rust_socketio uses native TLS, and I'm unsure if this is a problem with rust_socketio or iroh. I tried forking rust_socketio and adjusting dependencies, but it failed, and I encountered many stack overflow issues that I haven't resolved yet.
Using the iroh example listen example alone, or removing rust_socketio, works perfectly. The problem is that I need both libraries to work together. I don't know how to solve this right now. I'm only testing on Windows 11; the situation on Linux is unknown.
Or is there a better solution?
Error Message
reqwest::Error {
kind: Request,
url: "https://relay-node1.example.com./ping",
source: hyper_util::client::legacy::Error(
Connect,
Os {
code: -2146762481,
kind: Uncategorized,
message: "Certificate CN The name does not match the transmitted value.
}
)
}
Windows error code -2146762481 corresponds to the CERT_E_CN_NO_MATCH error for Schannel.
Root Cause
FQDN Design: RelayUrl::from() automatically adds a dot to the end of the domain name to create a fully qualified domain name (FQDN) (relay_url.rs:24-38).
Certificate Mismatch: Standard TLS certificates (such as Let's Encrypt and commercial CAs) do not include a trailing dot in the CN or SAN fields because this is not standard practice.
Strict Validation: When reqwest uses a native-tls backend on Windows, it relies on Schannel, and Schannel does not canonicalize trailing dots when performing strict hostname matching.
Impact
I primarily develop using Windows. Currently, the impact is that whenever this certificate error occurs, the connection to the relay becomes unstable, with a success rate of around 30%. If Rust SocketIO is removed, the certificate error disappears, and the success rate becomes almost 95% or even higher.
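As an added illustration, not code from iroh, reqwest or rust_socketio: a std-only Rust sketch of the mismatch described above, comparing strict name matching (the Schannel behaviour in the report) with matching after the FQDN trailing dot is stripped. The URL parser `url_host` and the SAN list are assumptions constructed for the example, not the project's own.

```rust
/// Strip the trailing dot that marks a fully qualified domain name so the
/// name can be compared with certificate CN/SAN entries, which never carry it.
pub fn canonical_host(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

/// Host part of an http(s) URL of the shape scheme://host[:port]/path.
/// Assumption: no userinfo and no IPv6 literal, enough for relay URLs like the one in the report.
pub fn url_host(url: &str) -> Option<&str> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(['/', '?', '#']).next()?;
    Some(authority.rsplit_once(':').map_or(authority, |(h, _)| h))
}

/// RFC 6125-style check of one presented identifier (exact DNS name or a
/// single left-most wildcard label) against a reference host name.
pub fn san_matches(pattern: &str, host: &str) -> bool {
    let (pattern, host) = (pattern.to_ascii_lowercase(), host.to_ascii_lowercase());
    match pattern.strip_prefix("*.") {
        None => pattern == host,
        Some(suffix) => match host.split_once('.') {
            // The wildcard covers exactly one non-empty label; a trailing-dot
            // name still fails because its remaining labels keep the dot.
            Some((label, rest)) => !label.is_empty() && rest == suffix,
            None => false,
        },
    }
}

/// Strict matching, as Schannel does here: the name is used exactly as given,
/// so an FQDN with a trailing dot never matches a SAN without one.
pub fn cert_accepts_strict(sans: &[&str], host: &str) -> bool {
    sans.iter().any(|san| san_matches(san, host))
}

/// The mitigation: canonicalise the host name before matching.
pub fn cert_accepts_canonical(sans: &[&str], host: &str) -> bool {
    cert_accepts_strict(sans, &canonical_host(host))
}

fn main() {
    // Constructed SAN list standing in for a certificate like the one in the report.
    let sans = ["relay-node1.example.com", "*.relay.example.com"];
    let host = url_host("https://relay-node1.example.com./ping").unwrap();
    println!("host from URL:   {host}");
    println!("strict match:    {}", cert_accepts_strict(&sans, host)); // false
    println!("canonical match: {}", cert_accepts_canonical(&sans, host)); // true
}
```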