
I'd like to use TLS for a WebSocket client from browser JavaScript.

The problem is the server is started dynamically by talking to a REST service, and when started an endpoint IP is returned, i.e. the server is an EC2 instance that has a new unique IP when started. That endpoint will not have a DNS name, and so when doing TLS the certificate will not match against the IP.

Is there a way to bypass the DNS name check but still complete the connection and have the benefit of an encrypted session?

hookenz

1 Answer

Check this: Why does my wss:// (WebSockets over SSL/TLS) connection immediately disconnect without giving any errors?

The key to the problem is this: If your SSL certificate causes a warning of any sort, wss:// WebSocket connections will immediately fail, and there is no canonical way to detect this.

It seems that you are using self-generated certificates issued to an IP. Certificates are usually issued to server names, but can also be bound to an IP address: Are SSL certificates bound to the server's IP address?

But in this case, if the IP changes, your TLS connection will give a warning from the client, so the browser will disconnect.

You could use a dynamic DNS with dynamic IPs with a wildcard certificate. For example:

Certificate issued to *.domain.com

DNS

conn1.domain.com -> IP1
conn2.domain.com -> IP2
conn3.domain.com -> IP3

If you cannot work with a totally dynamic DNS, I could suggest using a fixed range of IP names and certificates issued to these IPs. Select the appropriate certificate when you know the IP at launch time.

pedrofb
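To make the answer's point concrete, here is an added example (not from the question or the answer above) that builds two throwaway self-signed certificates in memory, one with a `*.domain.com` wildcard SAN and one with a single IP SAN, and checks each against the endpoints a browser would connect to using the same hostname-matching rules a TLS client applies. The names `selfSignedCert`, `Matches`, and the IPs `203.0.113.10`/`.11` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a short-lived self-signed certificate whose SANs are
// the given DNS names and IPs. Constructed for illustration only; a real
// deployment would use a CA-issued certificate with these SANs.
func selfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-ws"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames, // e.g. "*.domain.com"
		IPAddresses:  ips,      // e.g. the EC2 instance address
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Matches reports whether the certificate's SANs cover the endpoint (a DNS
// name or an IP literal), i.e. whether a browser would accept it for wss://.
func Matches(cert *x509.Certificate, endpoint string) bool {
	return cert.VerifyHostname(endpoint) == nil
}

func main() {
	wild, _ := selfSignedCert([]string{"*.domain.com"}, nil)
	ipCert, _ := selfSignedCert(nil, []net.IP{net.ParseIP("203.0.113.10")})
	for _, ep := range []string{"conn1.domain.com", "conn2.domain.com", "203.0.113.10", "203.0.113.11"} {
		fmt.Printf("%-18s wildcard=%v ip-cert=%v\n", ep, Matches(wild, ep), Matches(ipCert, ep))
	}
}
```

The wildcard certificate accepts any conn-N.domain.com label regardless of which IP the DNS record points to, while the IP-bound certificate only matches the exact address it was issued for, which is why a freshly launched instance with a new IP fails the check.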