Hello Thiago (and all),

I am revisiting a two-year-old thread related to a secure websocket on localhost. In that regard you mentioned a self-signed certificate as the ideal solution and I'd like to get this done now :-)

Please find attached the Qt sslechoserver example including the client website that should connect to the server fine in case of a valid localhost.cert and localhost.key. Those I have created as suggested in: https://letsencrypt.org/docs/certificates-for-localhost/

However, so far none of my browsers accept the connection. Do you have a suggestion on how to resolve this issue?

Thanks as usual in advance

Alex

--
http://www.carot.de
Email : alexan...@carot.de
Tel.: +49 (0)177 5719797

> Sent: Tuesday, 21 July 2020 at 18:07
> From: "Thiago Macieira" <thiago.macie...@intel.com>
> To: interest@qt-project.org
> Subject: Re: [Interest] wss:// on localhost
>
> On Tuesday, 21 July 2020 09:13:18 PDT Alexander Carôt wrote:
> > Well, it's worth learning it and also from your answer I understand that the
> > current files in the example server do *not* work. This is a good
> > confirmation because indeed it doesn't :-)
>
> Whether they work or not is irrelevant, since you shouldn't be shipping the
> same certificate to all users. You'd have to make it extremely long-lived
> (expiry 20 years from now). Generating a short-lived one (3 months) limits the
> damage if it somehow gets misused.
>
> > So - I will try to keep track of this and let you know how it goes.
> >
> > In case anyone else can send me a pointer on how to generate a versatile
> > localhost certificate (CERT and KEY file) which works on *any* machine,
> > please let me know.
>
> Certificate generation requires these steps:
>
> 1) create a private/public key pair (usually RSA, but doesn't need to be).
> Creating a private key usually involves random numbers, so please be sure that
> OpenSSL's random generator is properly seeded, if it can't be guaranteed to
> auto-seed. Qt's QRandomGenerator::system() is of cryptographic quality and
> requires no seeding[*], so you can use it to generate random data to seed
> OpenSSL if necessary. RSA key pairs are usually big these days (2048 to 4096
> bits), so you may want to investigate an elliptic curve key instead, which
> would reduce the computation time.
>
> 2) create a certificate-signing request (CSR), which contains the certificate
> header fields. Notably, it has the CN (Common Name) field, which identifies
> which hostnames it applies for. You want "localhost".
>
> 3) sign the CSR. You'll sign with the key used in #1, causing this to be
> self-signed. The result is the certificate.
>
> There are lots of examples on the Internet on how to do this with the openssl
> command. You'll have to find out how to do it with the API, if you don't want
> to ship the command.
>
> For anyone wondering about turning off the SSL error on self-signed
> certificates: self-signing isn't inherently bad. The SSL error comes not
> because the certificate is self-signed, but because it's not signed by any
> certificate in the Certificate Authority list. The fact it's self-signed is
> simply extra information, as it's the most common cause of an authority not
> being found. But if you add the certificate itself to the CA list (in fact,
> make it the only entry!), then it'll match to a CA and you get no SSL error.
>
> [*] this is also why René is having problems with the RDRAND instruction in
> the other thread.
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
> Software Architect - Intel DPG Cloud Engineering
>
> _______________________________________________
> Interest mailing list
> Interest@qt-project.org
> https://lists.qt-project.org/listinfo/interest
<<attachment: sslechoserver.zip>>