 

Secure websocket (WSS) certificate signing

I have a website https://www.foo.com and on this site I connect to other machines with a websocket (some random ip address of a machine that has our software running on it). i.e. I connect to a websocket running on ws://123.45.67:80

The problem is that this site is served over HTTPS and the websocket server that I want to connect to then also requires a secure connection (WSS) and won't work with a regular websocket (WS).

The question is: how do I sign the certificate that will reside on each websocket server that is not on my domain? Can I use the certs from the main site https://www.foo.com to sign a x509 cert for the websocket server on an arbitrary domain?

I'm using Fleck as the websocket server

Dillon asked Jan 29 '15 01:01



1 Answer

Although the problem seems to be solved already (based on the time the question had been asked), I'll add some links for people stumbling across here.


  1. Decide, which certificate you want to use

    • Use foo.com's certificate
      If you want to use the same certificate as used for your page, you have to add the IP address to the certificate (ask the issuer how you can achieve this, as this primarily depends on their infrastructure).

    • Get new certificate
      Just like you got your existing certificate, but with the IP address of your websocket machine.

    • Generate new self-signed certificate
      If you want to generate a self-signed certificate (which issues a warning in all browsers and probably won't work without manually trusting it first), just use OpenSSL to generate a self-signed certificate.

  2. Add certificate to Fleck As described in Fleck's Readme, you have to use the wss:// protocol (with var server = new WebSocketServer("wss://[IPAddress]:[Port]");) and point Fleck to your certificate (x509 with both, public and private, Key) with server.Certificate = new X509Certificate2("path/to/cert.pfx");

This is very complicated (if not impossible) if the IP address changes frequently. Then I would suggest using a proxy listening on a (sub)domain and handling https/wss. The connection between the proxy and the websocket machine should then be secured physically (like connected directly) or via VPN.


I hope I addressed your question(s) and my answer is clear enough. If not, feel free to comment on what I can improve.

biolauri answered Oct 13 '22 13:10
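The self-signed option from step 1 and the .pfx that step 2 feeds to Fleck, worked through as an added example (this is not code from the question, the answer, or the Fleck project). It generates a key and self-signed certificate whose subjectAltName carries the websocket machine's IP address as an IP-type entry, which is what browsers actually match a wss://IP:port URL against (the CN alone is ignored by current browsers), then exports both into a PKCS#12 file and reads the SAN back so the result can be checked before deployment. The IP 123.45.67.89, the output directory, the export password and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Fleck.
# Generates a self-signed certificate with an IP subjectAltName and
# bundles it with its private key into the .pfx that Fleck's
# X509Certificate2 constructor loads.
# The IP address, paths and password used here are assumptions.

set -eu

# make_wss_cert IP OUTDIR [PFX_PASSWORD]
# Writes OUTDIR/wss-key.pem, OUTDIR/wss-cert.pem and OUTDIR/wss-cert.pfx,
# and prints the path of the .pfx on success.
make_wss_cert() {
  ip="$1"
  outdir="$2"
  pass="${3:-changeit}"   # assumption: throwaway export password for the demo
  mkdir -p "$outdir"
  cnf="$outdir/wss-openssl.cnf"

  # Browsers match the URL host against the SAN, not the CN, and an IP
  # literal must be an IP-type SAN entry (IP:), not a DNS entry.
  cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no

[dn]
CN = $ip

[ext]
subjectAltName = IP:$ip
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF

  # 2048-bit RSA key plus a self-signed certificate valid for one year
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/wss-key.pem" -out "$outdir/wss-cert.pem" \
    -config "$cnf" >/dev/null 2>&1

  # Fleck needs certificate and private key together in one PKCS#12 file
  openssl pkcs12 -export \
    -inkey "$outdir/wss-key.pem" -in "$outdir/wss-cert.pem" \
    -out "$outdir/wss-cert.pfx" -passout "pass:$pass" >/dev/null 2>&1

  echo "$outdir/wss-cert.pfx"
}

# cert_san_ips PEMFILE
# Prints the IP entries of the certificate's subjectAltName, one per line,
# so the SAN can be verified before the .pfx goes onto the websocket host.
cert_san_ips() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'IP Address:[^,[:space:]]*' \
    | cut -d: -f2-
}

# Usage (assumed values): the printed path is what Fleck gets as
#   server.Certificate = new X509Certificate2("<path>", "changeit");
# make_wss_cert 123.45.67.89 ./wss-certs
# cert_san_ips ./wss-certs/wss-cert.pem   # expect 123.45.67.89
```

The resulting .pfx is self-signed, so exactly as the answer warns, every browser will refuse the wss:// connection until the certificate has been trusted manually (for instance by first opening https://123.45.67.89:port and accepting it there). A certificate issued by a CA the browser already trusts avoids that step, but the same SAN requirement applies: whoever issues it must put the websocket machine's IP address in the certificate, which is why changing IPs make the proxy-on-a-subdomain approach from the answer much easier to operate.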