[Interest] wss:// on localhost

Alexander Carôt alexander_carot at gmx.net
Tue Jan 3 11:19:55 CET 2023

Hello Thiago (and all),

I am revisiting a two-year-old thread related to a secure websocket on localhost. In that regard you mentioned a self-signed certificate as the ideal solution and I'd like to get this done now :-)

Please find attached the Qt sslechoserver example including the client website that should connect to the server fine in case of a valid localhost.cert and localhost.key.

Those I have created as suggested in:


However, so far none of my browsers accept the connection.

Do you have a suggestion on how to resolve this issue?

Thanks as usual in advance


Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797

> Sent: Tuesday, 21 July 2020 at 18:07
> From: "Thiago Macieira" <thiago.macieira at intel.com>
> To: interest at qt-project.org
> Subject: Re: [Interest] wss:// on localhost
> On Tuesday, 21 July 2020 09:13:18 PDT Alexander Carôt wrote:
> > Well, it's worth learning it and also from your answer I understand that the
> > current files in the example server do *not* work. This is a good
> > confirmation because indeed it doesn't :-)
> Whether they work or not is irrelevant, since you shouldn't be shipping the 
> same certificate to all users. You'd have to make it extremely long-lived 
> (expiry 20 years from now). Generating a short-lived one (3 months) limits the 
> damage if it somehow gets misused.
> > So - I will try to keep track on this and let you know how it goes.
> > 
> > In case anyone else can send me a pointer how to generate a versatile
> > localhost-certificate (CERT and KEY File) which works on *any* machine
> > please let me know.
> Certificate generation requires these steps:
> 1) create a private/public key pair (usually RSA, but doesn't need to be). 
> Creating a private key usually involves random numbers, so please be sure that 
> OpenSSL's random generator is properly seeded, if it can't be guaranteed to 
> auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and 
> requires no seeding[*], so you can use it to generate random data to seed 
> OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096 
> bits), so you may want to investigate an elliptic curve key instead, which 
> would reduce the computation time.
> 2) create a certificate-signing request (CSR), which contains the certificate 
> header fields. Notably, it has the CN (Common Name) field, which identifies 
> which hostnames it applies for. You want "localhost".
> 3) sign the CSR. You'll sign with the key used in #1, causing this to be self-
> signed. The result is the certificate.
> There are lots of examples on the Internet on how to do this with the openssl 
> command. You'll have to find out how to do it with the API, if you don't want 
> to ship the command.
> For anyone wondering about turning off the SSL error on self-signed 
> certificates: self-signing isn't inherently bad. The SSL error comes not 
> because the certificate is self-signed, but because it's not signed by any 
> certificate in the Certificate Authority list. The fact it's self-signed is 
> simply extra information, as it's the most common cause of an authority not 
> being found. But if you add the certificate itself to the CA list (in fact, 
> make it the only entry!), then it'll match to a CA and you get no SSL error.
> [*] this is also why René is having problems with the RDRAND instruction in 
> the other thread.
> -- 
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel DPG Cloud Engineering
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sslechoserver.zip
Type: application/zip
Size: 40708 bytes
Desc: not available
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20230103/d96445ee/attachment.zip>
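The three-step procedure in the quoted reply (key pair, CSR with CN=localhost, self-sign), followed by the check that the certificate validates once it is the only entry in the CA list, as an added shell example using the openssl command. This is not code from the thread or from Qt's sslechoserver example; the file names, the 90-day lifetime and the P-256 curve are this example's own choices. One caveat the thread does not mention: current browsers match the hostname against the subjectAltName extension and ignore the CN, so the example puts "localhost" in the SAN as well. The negative check at the end reproduces the quoted point that the verification error comes from the certificate not being in the CA list, not from it being self-signed.

```shell
#!/bin/sh
# Added example (not from the thread or Qt): self-signed localhost certificate with openssl.
# Assumed file names: localhost.key, localhost.csr, localhost.crt, localhost.cnf in a caller-chosen directory.
set -eu

# Generate key pair, CSR and self-signed certificate for "localhost" into $1, valid for $2 days (default 90).
gen_localhost_cert() {
    dir="$1"
    days="${2:-90}"

    # 1) key pair: a P-256 elliptic curve key (smaller and faster than a 2048..4096-bit RSA key)
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/localhost.key"

    # 2) CSR: CN=localhost, plus subjectAltName because browsers match the SAN and ignore the CN
    cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = ext
[dn]
CN = localhost
[ext]
subjectAltName = DNS:localhost, IP:127.0.0.1, IP:::1
extendedKeyUsage = serverAuth
EOF
    openssl req -new -key "$dir/localhost.key" -config "$dir/localhost.cnf" -out "$dir/localhost.csr"

    # 3) self-sign: the CSR is signed with the same key from step 1; keep the lifetime short
    openssl x509 -req -in "$dir/localhost.csr" -signkey "$dir/localhost.key" -days "$days" \
        -extfile "$dir/localhost.cnf" -extensions ext -out "$dir/localhost.crt" 2>/dev/null
}

# Sanity check on the result: subject CN and SAN both name localhost.
check_localhost_cert() {
    dir="$1"
    openssl x509 -in "$dir/localhost.crt" -noout -subject | grep -q 'CN *= *localhost' || return 1
    openssl x509 -in "$dir/localhost.crt" -noout -text | grep -q 'DNS:localhost' || return 1
}

# The quoted advice: make the certificate itself the only entry in the CA list, then verification passes.
verify_with_only_itself() {
    dir="$1"
    openssl verify -CAfile "$dir/localhost.crt" "$dir/localhost.crt" >/dev/null 2>&1
}

# Same certificate against an empty trust store: fails, because no CA in the list signed it.
verify_with_empty_trust() {
    dir="$1"
    openssl verify -no-CAfile -no-CApath "$dir/localhost.crt" >/dev/null 2>&1
}

# Stand-alone usage: ./this.sh [outdir]
if [ "${1:-}" != "" ]; then
    gen_localhost_cert "$1" 90
    check_localhost_cert "$1" && echo "localhost.crt: CN and SAN name localhost"
    verify_with_only_itself "$1" && echo "verifies with itself as the only CA"
    verify_with_empty_trust "$1" || echo "fails against an empty CA list (expected)"
fi
```

The resulting localhost.crt and localhost.key are what the sslechoserver loads; to get rid of the browser warning, import localhost.crt into the browser's or OS's trust store rather than disabling certificate errors in the client.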
