[Interest] wss:// on localhost

Alexander Carôt alexander_carot at gmx.net
Wed Jul 29 22:37:10 CEST 2020


> Kinda sounds like there should be a QSslCertificate::create() method?

That would be awesome indeed. 

BTW: I am not the only with that problem - just found this:

https://stackoverflow.com/questions/45572440/how-to-access-an-insecure-websocket-from-a-secure-website

So - if Qt could make this process more convenient that would be great.

Best

Alex


--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797


> Gesendet: Mittwoch, 29. Juli 2020 um 16:46 Uhr
> Von: "Jason H" <jhihn at gmx.com>
> An: "Alexander Carôt" <alexander_carot at gmx.net>
> Cc: "Alexander Carôt" <alexander_carot at gmx.net>, "Thiago Macieira" <thiago.macieira at intel.com>, "Paul Pfützenreuter" <Paul.Pfuetzenreuter at gmx.de>, "interest at qt-project.org" <interest at qt-project.org>
> Betreff: Re: [Interest] wss:// on localhost
>
> Kinda sounds like there should be a QSslCertificate::create() method?
> 
> 
> > Sent: Tuesday, July 28, 2020 at 4:18 AM
> > From: "Alexander Carôt" <alexander_carot at gmx.net>
> > To: "Alexander Carôt" <alexander_carot at gmx.net>
> > Cc: "Thiago Macieira" <thiago.macieira at intel.com>, "Paul Pfützenreuter" <Paul.Pfuetzenreuter at gmx.de>, "interest at qt-project.org" <interest at qt-project.org>
> > Subject: Re: [Interest] wss:// on localhost
> >
> > > but for now the localhost wss failed again. If you have another hint please let me know - I won't give up ;-)
> > 
> > Eventually I succeeded with this tool:
> > 
> > https://github.com/FiloSottile/mkcert
> > 
> > After certificate generation and installation I was able connecting to localhost - very good !
> > 
> > Now I need to figure how to automize this process on any client's machine.
> > 
> > Further inspiration appreciated - thanks for your help !
> > 
> > Best
> > 
> > Alex
> > 
> > 
> > --
> > http://www.carot.de
> > Email : Alexander at Carot.de
> > Tel.: +49 (0)177 5719797
> > 
> > 
> > > Gesendet: Dienstag, 28. Juli 2020 um 08:05 Uhr
> > > Von: "Alexander Carôt" <alexander_carot at gmx.net>
> > > An: "Mårten Nordheim" <marten.nordheim at qt.io>
> > > Cc: "Thiago Macieira" <thiago.macieira at intel.com>, "Paul Pfützenreuter" <Paul.Pfuetzenreuter at gmx.de>, "interest at qt-project.org" <interest at qt-project.org>
> > > Betreff: Re: [Interest] wss:// on localhost
> > >
> > > Hallo Marten,
> > > 
> > > thanks for your additionl reply !
> > > 
> > > There are two reasons why I have to use a secure websocket:
> > > 
> > > 1.) In some cases our website connects to our app not on localhost but some other place on the LAN.
> > > 
> > > 2.) Our site is part of a CMS-based project which per default runs with SSL. Changing the specific sites to no-SSL (http) and the corresponding ws leades to mixed content often ignored by the browser.
> > > 
> > > In fact in our current workaroud we redirect to http and run a non-secure ws but this fails for some browsers and especially in context with 1) it fails completely - so I believe there is no other choice than using SSL-Websockets and I am happy that theoretically there is a way to do achieve this is a user-friendly way. However, I am still struggeling. So far this tutorial looked promising:
> > > 
> > > https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/
> > > 
> > > but for now the localhost wss failed again. If you have another hint please let me know - I won't give up ;-)
> > > 
> > > Best
> > > 
> > > Alex
> > > 
> > > 
> > > --
> > > http://www.carot.de
> > > Email : Alexander at Carot.de
> > > Tel.: +49 (0)177 5719797
> > > 
> > > 
> > > > Gesendet: Montag, 27. Juli 2020 um 15:45 Uhr
> > > > Von: "Mårten Nordheim" <marten.nordheim at qt.io>
> > > > An: "Alexander Carôt" <alexander_carot at gmx.net>, "Thiago Macieira" <thiago.macieira at intel.com>
> > > > Cc: "Paul Pfützenreuter" <Paul.Pfuetzenreuter at gmx.de>, "interest at qt-project.org" <interest at qt-project.org>
> > > > Betreff: Re: [Interest] wss:// on localhost
> > > >
> > > > Hello Alexander,
> > > > 
> > > > I don't know (or recall) what your setup is like. The following answer assumes the website you refer to also runs on the local machine:
> > > > 
> > > > Somewhat going in the other direction I'd say wss/https is not necessary if your application actually only listens to localhost (127.0.0.1/[::1]).
> > > > It won't travel across the network at that point, and if the local machine is compromised encryption doesn't matter much.
> > > > 
> > > > If you are listening to other addresses as well though (to let other clients in the network connect as well) then you need to generate certificates
> > > > that includes the hostname or IP of the machine running the server since "localhost" is no longer enough/correct for that.
> > > > 
> > > > However if the website is remote and you run attempt to connect to a websocket on the local machine then it needs to be encrypted and Thiago's
> > > > suggestion will get you most of the way. You will also need to get the OS to trust the certificate for the browser to accept it as well. Usually with
> > > > untrusted certificates browsers will show a warning and let you ignore it, but that doesn't happen in most browsers when opening a websocket
> > > > connection in the background!
> > > > 
> > > > Mårten
> > > > 
> > > > ________________________________________
> > > > From: Interest <interest-bounces at qt-project.org> on behalf of Alexander Carôt <alexander_carot at gmx.net>
> > > > Sent: Tuesday, July 21, 2020 19:32
> > > > To: Thiago Macieira
> > > > Cc: Paul Pfützenreuter; interest at qt-project.org
> > > > Subject: Re: [Interest] wss:// on localhost
> > > > 
> > > > Hej Thiago,
> > > > 
> > > > > Whether they work or not is irrelevant, since you shouldn't be shipping the
> > > > > same certificate to all users. You'd have to make it extremely long-lived
> > > > > (expiry 20 years from now). Generating a short-lived one (3 months) limits the
> > > > > damage if it somehow gets misused.
> > > > 
> > > > 
> > > > just to avoid misunderstandings: The goal is not sending existing certificates as part of the application download but rather generate the certificte automatically upon launching the app ?
> > > > 
> > > > 
> > > > > There are lots of examples on the Internet on how to do this with the openssl
> > > > > command. You'll have to find out how to do it with the API, if you don't want
> > > > > to ship the command.
> > > > 
> > > > 
> > > > If my assumption above is right then any kind of automized process would be fine to me - e.g. running the openssl command as part of a script, which is executed before launching the application or probably generate the certificate within the app code which would be even more convenient.
> > > > 
> > > > Is this somehow the right track or am I completely mistaken ? Sorry again - completely new in the domain of security ;-)
> > > > 
> > > > Best
> > > > 
> > > > Alex
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > 1) create a private/public key pair (usually RSA, but doesn't need to be).
> > > > > Creating a private key usually involves random number, so please be sure that
> > > > > OpenSSL's random generator is properly seeded, if it can't be guaranteed to
> > > > > auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and
> > > > > requires no seeding[*], so you can use it to generate random data to seed
> > > > > OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096
> > > > > bits), so you may want to investigate an elliptic curve key instead, which
> > > > > would reduce the computation time.
> > > > >
> > > > > 2) create a certificate-signing request (CSR), which contains the certificate
> > > > > header fields. Notably, it has the CN (Common Name) field, which identifies
> > > > > which hostnames it applies for. You want "localhost"
> > > > >
> > > > > 3) sign the CSR. You'll sign with the key used in #1, causing this to be self-
> > > > > signed. The result is the certificate.
> > > > >
> > > > > There are lots of examples on the Internet on how to do this with the openssl
> > > > > command. You'll have to find out how to do it with the API, if you don't want
> > > > > to ship the command.
> > > > >
> > > > > For anyone wondering about turning off the SSL error on self-signed
> > > > > certificates: self-signing isn't inherently bad. The SSL error comes not
> > > > > because the certificate is self-signed, but because it's not signed by any
> > > > > certificate in the Certificate Authority list. The fact it's self-signed is
> > > > > simply extra information, as it's the most common cause of an authority not
> > > > > being found. But if you add the certificate itself to the CA list (in fact,
> > > > > make it the only entry!), then it'll match to a CA and you get no SSL error.
> > > > >
> > > > > [*] this is also why René is having problems with the RDRAND instruction in
> > > > > the other thread.
> > > > > --
> > > > > Thiago Macieira - thiago.macieira (AT) intel.com
> > > > >   Software Architect - Intel DPG Cloud Engineering
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Interest mailing list
> > > > > Interest at qt-project.org
> > > > > https://lists.qt-project.org/listinfo/interest
> > > > >
> > > > _______________________________________________
> > > > Interest mailing list
> > > > Interest at qt-project.org
> > > > https://lists.qt-project.org/listinfo/interest
> > > >
> > > _______________________________________________
> > > Interest mailing list
> > > Interest at qt-project.org
> > > https://lists.qt-project.org/listinfo/interest
> > >
> > _______________________________________________
> > Interest mailing list
> > Interest at qt-project.org
> > https://lists.qt-project.org/listinfo/interest
> >
>


More information about the Interest mailing list