Client Websocket SSL — Connect to specific IP address

Question

Let's say there is a website called https://example.com . A DNS lookup on the domain returns the following A records:

1.1.1.1 A example.com
1.1.1.2 A example.com
1.1.1.3 A example.com
1.1.1.4 A example.com

Each one of these addresses has the SSL certificate for example.com and is running a websocket server on port 443.

A client can connect to one of the servers using something like

var wss = new WebSocket("wss://example.com");

This will connect the client to a server based on DNS Round Robin: the client has no control over what server she connects to.

My question is the following:

How can a client connect to a specific address without having certificate issues?

For example, if the client knows that she wishes to connect to 1.1.1.4 and tries to connect with

var wss = new WebSocket("wss://1.1.1.4");

she will encounter an ssl error since the server cannot have the individual address as an alternative name in its certificate.

Is it possible to specify the hostname along with an individual address when making the connection ; something like

var wss = new WebSocket("wss://example.com?ip=1.1.1.4");

I believe you can do this using CURL with something like curl https:// DOMAIN.TLD --resolve 'DOMAIN.TLD:443:IP_ADDRESS'

Answer 1

To avoid the certificate issue, request a domain name instead of an IP. I suggest this :

 1.1.1.1 A example.com 1.1.1.2 A example.com 1.1.1.3 A example.com 1.1.1.4 A example.com 1.1.1.1 A a.example.com 1.1.1.2 A b.example.com 1.1.1.3 A c.example.com 1.1.1.4 A d.example.com 

and one single SAN certificate for all of the 5 domains (example.com + [ad].example.com) You can test any of [ad].example.com individually, or example.com, all will respond with the same certificate and there's no issue I think.