[Interest] wss:// on localhost
Thiago Macieira
thiago.macieira at intel.com
Tue Jul 21 19:07:40 CEST 2020
On Tuesday, 21 July 2020 09:13:18 PDT Alexander Carôt wrote:
> Well, it's worth learning it and also from your answer I understand that the
> current files in the example server do *not* work. This is a good
> confirmation because indeed it doesn't :-)
Whether they work or not is irrelevant, since you shouldn't be shipping the
same certificate to all users. You'd have to make it extremely long-lived
(expiry 20 years from now). Generating a short-lived one (3 months) limits the
damage if it somehow gets misused.
> So - I will try to keep track of this and let you know how it goes.
>
> In case anyone else can send me a pointer how to generate a versatile
> localhost-certificate (CERT and KEY File) which works on *any* machine
> please let me know.
Certificate generation requires these steps:
1) create a private/public key pair (usually RSA, but doesn't need to be).
Creating a private key usually involves random numbers, so please be sure that
OpenSSL's random generator is properly seeded, if it can't be guaranteed to
auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and
requires no seeding[*], so you can use it to generate random data to seed
OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096
bits), so you may want to investigate an elliptic curve key instead, which
would reduce the computation time.
2) create a certificate-signing request (CSR), which contains the certificate
header fields. Notably, it has the CN (Common Name) field, which identifies
which hostnames it applies for. You want "localhost".
3) sign the CSR. You'll sign with the key used in #1, causing this to be
self-signed. The result is the certificate.
There are lots of examples on the Internet on how to do this with the openssl
command. You'll have to find out how to do it with the API, if you don't want
to ship the command.
For anyone wondering about turning off the SSL error on self-signed
certificates: self-signing isn't inherently bad. The SSL error comes not
because the certificate is self-signed, but because it's not signed by any
certificate in the Certificate Authority list. The fact it's self-signed is
simply extra information, as it's the most common cause of an authority not
being found. But if you add the certificate itself to the CA list (in fact,
make it the only entry!), then it'll match to a CA and you get no SSL error.
[*] this is also why René is having problems with the RDRAND instruction in
the other thread.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel DPG Cloud Engineering
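
The three steps from the message above, done with the openssl command, as an added example that is not part of the original message or of the Qt example server. The file names, function names, 90-day default and the subjectAltName entry are assumptions of this example; the message itself mentions only the CN field.

```shell
#!/bin/sh
# Added example: short-lived self-signed certificate for "localhost".
# File and function names are assumptions of this example.

make_localhost_cert() {   # usage: make_localhost_cert DIR [DAYS]
    dir=$1
    days=${2:-90}         # about 3 months, to limit damage from misuse
    (
        umask 077         # private key readable by its owner only
        cd "$dir" || exit 1
        # Own minimal config, independent of the system openssl.cnf.
        # subjectAltName is an addition: clients commonly match the host
        # name against it rather than against CN.
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[ext]
subjectAltName = DNS:localhost
EOF
        # 1) key pair: elliptic curve (P-256) rather than RSA
        openssl ecparam -name prime256v1 -genkey -noout -out key.pem &&
        # 2) CSR carrying CN=localhost
        openssl req -new -key key.pem -config req.cnf -out csr.pem &&
        # 3) sign the CSR with the key from step 1: self-signed certificate
        openssl x509 -req -in csr.pem -signkey key.pem -days "$days" \
            -sha256 -extfile req.cnf -extensions ext -out cert.pem
    )
}

# Verify CERT using CA_FILE as the CA list; passing the certificate itself
# as CA_FILE is the "add it to the CA list" case.
verify_with_ca() {        # usage: verify_with_ca CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ $# -ge 1 ]; then
    make_localhost_cert "$@" && verify_with_ca "$1/cert.pem" "$1/cert.pem" &&
        echo "cert.pem verifies against itself as the only supplied CA"
fi
```

Running it once per installation gives every user a different key pair, so a certificate generated on one machine does not verify against the CA list of another.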