
I have a website https://www.foo.com and on this site I connect to other machines with a websocket (some random ip address of a machine that has our software running on it). i.e. I connect to a websocket running on ws://123.45.67:80

The problem is that this site is served over HTTPS and the websocket server that I want to connect to then also requires a secure connection (WSS) and won't work with a regular websocket (WS).

The question is: how do I sign the certificate that will reside on each websocket server that is not on my domain? Can I use the certs from the main site https://www.foo.com to sign an x509 cert for the websocket server on an arbitrary domain?

I'm using Fleck as the websocket server

Dillon

1 Answer


Although the problem seems to be solved already (based on the time the question had been asked), I'll add some links for people stumbling across here.


  1. Decide which certificate you want to use

    • Use foo.com's certificate
      If you want to use the same certificate as used for your page, you have to add the IP address to the certificate (ask the issuer how you can achieve this, as it primarily depends on their infrastructure).

    • Get new certificate
      Just like you got your existing certificate, but with the IP address of your websocket machine.

    • Generate new self-signed certificate
      If you want to generate a self-signed certificate (which issues a warning in all browsers and probably won't work without manually trusting it first), just use OpenSSL to generate a self-signed certificate.

  2. Add the certificate to Fleck. As described in Fleck's Readme, you have to use the wss:// protocol (with var server = new WebSocketServer("wss://[IPAddress]:[Port]");) and point Fleck to your certificate (an x509 certificate containing both the public and the private key) with server.Certificate = new X509Certificate2("path/to/cert.pfx");

This is very complicated (if not impossible) if the IP address changes frequently. Then I would suggest using a proxy listening on a (sub)domain and handling https/wss. The connection between the proxy and the websocket machine should then be secured physically (like connected directly) or via VPN.


I hope I addressed your question(s) and my answer is clear enough. If not, feel free to comment on what I can improve.

biolauri