[Interest] wss:// on localhost

Mårten Nordheim marten.nordheim at qt.io
Mon Jul 27 15:45:31 CEST 2020


Hello Alexander,

I don't know (or recall) what your setup is like. The following answer assumes the website you refer to also runs on the local machine:

Somewhat going in the other direction I'd say wss/https is not necessary if your application actually only listens to localhost (127.0.0.1/[::1]).
It won't travel across the network at that point, and if the local machine is compromised encryption doesn't matter much.

If you are listening to other addresses as well though (to let other clients in the network connect as well) then you need to generate certificates
that includes the hostname or IP of the machine running the server since "localhost" is no longer enough/correct for that.

However if the website is remote and you run attempt to connect to a websocket on the local machine then it needs to be encrypted and Thiago's
suggestion will get you most of the way. You will also need to get the OS to trust the certificate for the browser to accept it as well. Usually with
untrusted certificates browsers will show a warning and let you ignore it, but that doesn't happen in most browsers when opening a websocket
connection in the background!

Mårten

________________________________________
From: Interest <interest-bounces at qt-project.org> on behalf of Alexander Carôt <alexander_carot at gmx.net>
Sent: Tuesday, July 21, 2020 19:32
To: Thiago Macieira
Cc: Paul Pfützenreuter; interest at qt-project.org
Subject: Re: [Interest] wss:// on localhost

Hej Thiago,

> Whether they work or not is irrelevant, since you shouldn't be shipping the
> same certificate to all users. You'd have to make it extremely long-lived
> (expiry 20 years from now). Generating a short-lived one (3 months) limits the
> damage if it somehow gets misused.


just to avoid misunderstandings: The goal is not sending existing certificates as part of the application download but rather generate the certificte automatically upon launching the app ?


> There are lots of examples on the Internet on how to do this with the openssl
> command. You'll have to find out how to do it with the API, if you don't want
> to ship the command.


If my assumption above is right then any kind of automized process would be fine to me - e.g. running the openssl command as part of a script, which is executed before launching the application or probably generate the certificate within the app code which would be even more convenient.

Is this somehow the right track or am I completely mistaken ? Sorry again - completely new in the domain of security ;-)

Best

Alex









> 1) create a private/public key pair (usually RSA, but doesn't need to be).
> Creating a private key usually involves random number, so please be sure that
> OpenSSL's random generator is properly seeded, if it can't be guaranteed to
> auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and
> requires no seeding[*], so you can use it to generate random data to seed
> OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096
> bits), so you may want to investigate an elliptic curve key instead, which
> would reduce the computation time.
>
> 2) create a certificate-signing request (CSR), which contains the certificate
> header fields. Notably, it has the CN (Common Name) field, which identifies
> which hostnames it applies for. You want "localhost"
>
> 3) sign the CSR. You'll sign with the key used in #1, causing this to be self-
> signed. The result is the certificate.
>
> There are lots of examples on the Internet on how to do this with the openssl
> command. You'll have to find out how to do it with the API, if you don't want
> to ship the command.
>
> For anyone wondering about turning off the SSL error on self-signed
> certificates: self-signing isn't inherently bad. The SSL error comes not
> because the certificate is self-signed, but because it's not signed by any
> certificate in the Certificate Authority list. The fact it's self-signed is
> simply extra information, as it's the most common cause of an authority not
> being found. But if you add the certificate itself to the CA list (in fact,
> make it the only entry!), then it'll match to a CA and you get no SSL error.
>
> [*] this is also why René is having problems with the RDRAND instruction in
> the other thread.
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel DPG Cloud Engineering
>
>
>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
>
_______________________________________________
Interest mailing list
Interest at qt-project.org
https://lists.qt-project.org/listinfo/interest


More information about the Interest mailing list