WebSocket TLS 证书设置乐趣

Question

I'm trying to setup a WebSocket over TLS.

For that end I'm going by the directions on page 81 in the following book.

https://www.amazon.com/WebSocket-Client-Server-Communications-Andrew-Lombardi/dp/1449369278/ref=sr_1_1?keywords=websocket&qid=1581782142&sr=8-1

I setup the server code as they say in the book. All good there, but there is some problem with the certificates.

According to the book I am supposed to take four steps in setting up the certificates

1. Generate a 2048 bit key.
openssl genrsa -des -passout pass:x -out server.pass.key 2048

2. Generate a passphrase free key.
openssl rsa -passin pass:x -in server.pass.key -out server.key

3. Generate csr from the private key.
openssl req -new -key server.key -out server.csr

4. Generate the certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When I run step 1 I get error

"UI_set_result:result too small .." 

For which the fix is here .

He basically says to run the following snipped instead of step 1.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key

It looks like he is skipping the .pass part. For which step 2 is taken. So I am unsure if I should take that step or not, after the fix.

I run those four steps, then in server.js i have:

var connection={
    ssl:true,
    port:port_number_here,
    ssl_key:'server.key',
    ssl_cert:'server.crt'
    }

//..
var processRequest=function(req,res){
    res.writeHead(200);
    res.end("Hi!\n");
    //console.log('connecting');
    };

var app=null;
app = httpsServ.createServer({
    key: fs.readFileSync(connection.ssl_key),
    cert:fs.readFileSync(connection.ssl_cert)
    },processRequest).listen(connection.port);


var wss = new WebSocketServer({server:app});

var clients=[];
var client_number=0;
wss.on('connection', function(cclient_socket){
    console.log('Estabished Connection with client.');
    }

Then I start the server with:

node server.js

But when I run the client code via Firefox I get error:

Firefox can’t establish a connection to the server at wss://somedomain:someportnumber/.

And in Chromium I get error:

(index):9 WebSocket connection to 'wss://thedomain.org:theportnumber/'    
failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

I am unsure how to proceed from here. I would guess I somehow didn't make the certificates correctly but the error doesn't give me much to work with.

Any help would be appreciated.

ps I tried implementing the following directions, to no avail.

https://stackoverflow.com/a/41366949/322537

Also, I have a suspicion the Chromium error "ERR_CERT_AUTHORITY_INVALID" is a key thing here. I googled it and found https://www.guildcafe.com/fix-net-err_cert_authority_invalid-error.html it has to do with the certificate authority. which is just me. I'm still stranded though for I don't know how to fix it.

Answer 1

It looks to me like you use a self-signed server certificate. You have to tell your client -- your Chromium instance--to trust that key before it will use a websocket to connect to the server you are developing. You can sweet-talk your browser into accepting an incorrectly signed https webpage connection, but not a websocket connection.

In Chromium's case you actually need to tell your machine's OS (not the server machine, but rather the machine where you run Chromium). Please look up those instructions for your OS. You're looking up "trust self-signed certificate in Chrome on Ubuntu" or ".. on MacOS" or "...on Windows" or whatever.

Firefox has its own UI for that purpose. You can read about that too. It might be a quicker route to success for you.

Then there's Let's Encrypt, with which you can make a trusted certificate for free. For a tutorial, check this out. https://itnext.io/node-express-letsencrypt-generate-a-free-ssl-certificate-and-run-an-https-server-in-5-minutes-a730fbe528ca

Are we having fun yet? Are we? Are we?

Answer 2

解决方案不是像书中描述的那样创建证书，而是简单地引用已经为给定网站创建的 ssl 证书。