Support for secure websockets #15
@sjennison per e466811, 165cdb9 Windows support should be finished. Can you take a look at implementing the Java portion?
@robertcasto is @sjennison planning on tackling this still?
Yep - I'll be working on it today
Great! 👍
@sjennison FYI, updated the GitHub checklist to illustrate task completion of Ubuntu cert generation and installation. To try out the windows self-cert portion, you'll have to:
As always, please email me if you need any assistance with this. -Tres
@tresf - is there a good way to reference that properties file from the Java code? Not sure where it would end up from the code in the .js file :)
It should be in the install directory. For the installed-version (not running through IntelliJ), this should be the same directory as For when running through IntelliJ, the properties won't necessarily be available, but we can discuss that later.
@robertcasto @bberenz, FYI, Firefox didn't like the Not sure if jetty needed this flag too, so FYI.
So it's importing successfully into Firefox? On Wed, Apr 22, 2015, 23:08 Tres Finocchiaro notifications@github.com
@sjennison, only manually at the moment. The NSIS stuff is still giving me a hard time per #18. I'm tempted to look into a JNI approach because Firefox is a very difficult beast as it simply won't read from the OS certs by design. But back on topic... yes, it will import into Firefox now via manual method. That CA flag passed into Java's keystore generator was the ticket.
@bberenz This is defined here: https://github.com/qzind/qz-print/blob/1.9/qz-print/ant/self-sign.properties#L19 We should be able to just change this from Want me to do that now, or are you comfortable trying it?
@bberenz @sjennison do we have a way of detecting an invalid cert in JavaScript for the wss:// stuff? If so, perhaps we can provide manual instructions to the user to import the cert into Firefox until we develop an automated way.
@sjennison @bberenz what was the trick to get the cert working with Chrome? I finally have IE working, but Chrome won't connect. I've changed CERT
So it turns out the certificate wasn't complex enough. I bumped it to RSA 2048 via 5dd5011 and it seems to be in much better shape now. Chrome is working now, but Firefox is not unless I hand-allow the cert exception via The Firefox error is: Edit: Somewhat related, here's a decent conversation about it: https://bugzilla.mozilla.org/show_bug.cgi?id=1034124 From what I'm reading, Firefox is smart enough to know that the HTTPS is running from a CA generated cert, which is taboo (but overridable). @sjennison does this mean we'll have to issue an End-Entity certificate from the CA to circumvent this Firefox behavior?
So I've been looking for a valid way to generate a certificate chain for a web server, and came across this, specifically the section Generating Certificates for a Typical SSL Server http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html A couple of questions... Do we need all three components:
Or can we get away with two:
I've begun adapting the tutorial to a batch file to wrap my head around everything... It's not working yet, so I'm calling it a night, but this is what I have so far:

```bat
@echo off
rem Work in progress: build a three-tier chain (root -> ca -> server) using keytool only
del ca.jks root.jks server.jks root.pem ca.pem server.pem chain.pem 2>nul
set keytool="C:\Program Files (x86)\Java\jre1.8.0_31\bin\keytool.exe"
set dname="CN=MyCompany, OU=MyCompany, O=MyCompany, L=City, S=State, C=US"
set dnameserver="CN=localhost, OU=MyCompany, O=MyCompany, L=City, S=State, C=US"

rem Root and intermediate keys get critical BasicConstraints (CA:true); the server key gets none
%keytool% -genkeypair -noprompt -keystore root.jks -alias root -keyalg RSA -keysize 2048 -dname %dname% -storepass 123456 -keypass 123456 -ext bc:c
%keytool% -genkeypair -noprompt -keystore ca.jks -alias ca -keyalg RSA -keysize 2048 -dname %dname% -storepass 123456 -keypass 123456 -ext bc:c
%keytool% -genkeypair -noprompt -keystore server.jks -alias server -keyalg RSA -keysize 2048 -dname %dnameserver% -storepass 123456 -keypass 123456

rem Export the self-signed root certificate
%keytool% -keystore root.jks -alias root -exportcert -rfc -storepass 123456 -keypass 123456 > root.pem

rem Sign the intermediate's CSR with the root (pathlen 0)
%keytool% -storepass 123456 -keystore ca.jks -certreq -alias ca | %keytool% -storepass 123456 -keystore root.jks -gencert -alias root -ext BC=0 -rfc > ca.pem
rem keytool must be able to chain the reply up to a trusted cert, so import the root first, then the signed reply
%keytool% -keystore ca.jks -importcert -alias root -file root.pem -storepass 123456 -noprompt
%keytool% -keystore ca.jks -importcert -alias ca -file ca.pem -storepass 123456 -noprompt

rem Sign the server's CSR with the intermediate, with digitalSignature + keyEncipherment key usage
%keytool% -storepass 123456 -keystore server.jks -certreq -alias server | %keytool% -storepass 123456 -keystore ca.jks -gencert -alias ca -ext ku:c=dig,kE -rfc > server.pem

rem Concatenate the full chain into a file (copy with no destination does not write to stdout) and import it as the reply
copy /b server.pem+ca.pem+root.pem chain.pem >nul
%keytool% -keystore server.jks -importcert -alias server -file chain.pem -storepass 123456 -noprompt
```
So I'm still struggling to get past the I believe this is possible if we can chain a separate I've read quite a few tutorials and they all seem to be under the assumption that the CSR is processed by a 3rd party CA using something like OpenSSL, but we don't necessarily have OpenSSL at install time so I'd like to rule out Java's
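The two comments above (Firefox refusing a CA certificate as the server certificate, and the three-tier chain built with keytool) both come down to whether the chain stored in the server keystore is actually shaped the way a browser expects. The following lint is an added example written for this thread, not qz-print code: it opens a JKS keystore (path, password and alias are command-line arguments, e.g. the server.jks / 123456 / server values from the batch file above), walks the private-key entry's chain and reports the conditions discussed in this issue: a leaf that carries CA BasicConstraints, missing digitalSignature/keyEncipherment key usage, no dNSName SAN for the host the page will connect to, an RSA key below 2048 bits, expired certificates, and signatures that do not verify against the next certificate up.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Lints the private-key chain stored under an alias in a JKS keystore (hypothetical helper, not qz-print code). */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java ChainCheck <keystore.jks> <storepass> <alias> [hostname]");
            System.exit(2);
        }
        String host = args.length > 3 ? args[3] : "localhost";
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate[] chain = ks.getCertificateChain(args[2]);
        if (chain == null) {
            System.err.println("alias " + args[2] + " has no private-key entry with a certificate chain");
            System.exit(1);
        }
        List<String> problems = check(chain, host);
        for (String p : problems) {
            System.out.println("PROBLEM: " + p);
        }
        System.out.println(problems.isEmpty() ? "chain looks usable for wss://" + host : problems.size() + " problem(s) found");
        System.exit(problems.isEmpty() ? 0 : 1);
    }

    /** Returns the findings for a chain ordered leaf first; an empty list means every check passed. */
    public static List<String> check(Certificate[] chain, String host) {
        List<String> problems = new ArrayList<>();
        X509Certificate leaf = (X509Certificate) chain[0];

        // The certificate presented to the browser must be an end-entity cert, not a CA cert.
        if (leaf.getBasicConstraints() != -1) {
            problems.add("leaf certificate carries CA BasicConstraints; issue a separate end-entity cert from the CA");
        }
        // KeyUsage, when present, must include digitalSignature (bit 0) and keyEncipherment (bit 2) for RSA TLS.
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !(ku[0] && ku[2])) {
            problems.add("leaf KeyUsage lacks digitalSignature and/or keyEncipherment");
        }
        // Browsers match the host against a dNSName SAN (GeneralName type 2), not only the CN.
        boolean sanMatch = false;
        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                        sanMatch = true;
                    }
                }
            }
        } catch (CertificateException e) {
            problems.add("cannot parse SubjectAlternativeName: " + e.getMessage());
        }
        if (!sanMatch) {
            problems.add("no dNSName SAN for " + host);
        }
        // Current browsers reject RSA keys shorter than 2048 bits.
        if (leaf.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                problems.add("leaf RSA key is only " + bits + " bits");
            }
        }
        // Walk the chain: each cert must be within its validity window and signed by the next one up (the last by itself).
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            try {
                c.checkValidity();
            } catch (CertificateException e) {
                problems.add("chain[" + i + "] is not currently valid: " + e.getMessage());
            }
            boolean hasIssuer = i + 1 < chain.length;
            PublicKey signer = hasIssuer ? chain[i + 1].getPublicKey() : c.getPublicKey();
            try {
                c.verify(signer);
            } catch (Exception e) {
                problems.add("chain[" + i + "] signature does not verify against " + (hasIssuer ? "chain[" + (i + 1) + "]" : "itself"));
            }
            // Every certificate above the leaf acts as an issuer and therefore needs CA BasicConstraints.
            if (i > 0 && c.getBasicConstraints() == -1) {
                problems.add("chain[" + i + "] issues certificates but lacks CA BasicConstraints");
            }
        }
        return problems;
    }
}
```

Run it as `java ChainCheck server.jks 123456 server localhost` after the batch file finishes; a CA-flagged leaf is exactly the condition that makes Firefox refuse the connection while still being overridable through a manual exception, so the lint gives a concrete signal before anyone opens a browser.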
Initial Firefox support on Windows has been added via 8d61a68 |
Awesome! Anything you need me to do on this now? On Thu, Apr 30, 2015, 00:04 Tres Finocchiaro notifications@github.com
A better understanding of the feasibility of HTTP fallback support would be a plus although that may be a @bberenz task.
Also, were you able to reproduce the installer problem you had reported?
Fallback support added via 9ebe945.
@bberenz, this is great, thanks. One thing we haven't added yet is the ability to start the server on ws://. Ideally, we'd have at least one and up to two instances listening.
Apple is working per 84d8b53 We still have a few items to work out in terms of how to Uninstall properly, etc, but the screenshot below has Firefox and Chrome running using Secure Websockets.
A tester reported an issue launching the software on Apple per #22 which is hopefully fixed now. The next items are installer related:
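One way to get the "one plain ws:// listener plus one wss:// listener" layout from the comment above is a single Jetty server with two connectors sharing the same WebSocket handler, so that pages served over http:// can fall back to the plain port while https:// pages use the TLS port. The code below is an added illustration against the Jetty 9 API, not qz-print's own server code; the keystore path/password default to the server.jks / 123456 values from the batch file in this thread, the ports 8181 and 8182 and the EchoSocket endpoint are assumptions, and both connectors are bound to localhost only so that the sockets are not reachable from the network.

```java
import java.io.IOException;

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.websocket.api.Session;
import org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage;
import org.eclipse.jetty.websocket.api.annotations.WebSocket;
import org.eclipse.jetty.websocket.server.WebSocketHandler;
import org.eclipse.jetty.websocket.servlet.WebSocketServletFactory;

/** Hypothetical dual-listener setup (Jetty 9 API); not the project's own code. */
public class DualListener {

    /** Placeholder endpoint shared by both listeners; a real deployment registers its own socket class here. */
    @WebSocket
    public static class EchoSocket {
        @OnWebSocketMessage
        public void onText(Session session, String message) throws IOException {
            session.getRemote().sendString(message);
        }
    }

    /** Builds (but does not start) a server with a plain and a TLS connector in front of the same handler. */
    public static Server build(String keystorePath, String storePass, int wsPort, int wssPort) {
        Server server = new Server();

        // ws:// listener: the fallback for pages loaded over http://
        ServerConnector plain = new ServerConnector(server);
        plain.setHost("localhost");
        plain.setPort(wsPort);

        // wss:// listener: TLS backed by the JKS produced in the self-sign step
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keystorePath);
        ssl.setKeyStorePassword(storePass);
        ssl.setKeyManagerPassword(storePass);
        ServerConnector secure = new ServerConnector(server, ssl);
        secure.setHost("localhost");
        secure.setPort(wssPort);

        server.setConnectors(new Connector[] { plain, secure });

        // One handler serves both connectors, so the JavaScript side only differs in the scheme it dials.
        server.setHandler(new WebSocketHandler() {
            @Override
            public void configure(WebSocketServletFactory factory) {
                factory.register(EchoSocket.class);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        String keystore = args.length > 0 ? args[0] : "server.jks";   // assumed default, matches the batch file
        String password = args.length > 1 ? args[1] : "123456";       // assumed default, matches the batch file
        Server server = build(keystore, password, 8181, 8182);        // ports are assumptions
        server.start();
        server.join();
    }
}
```

With both connectors up, an https:// page dials `wss://localhost:8182` and an http:// page dials `ws://localhost:8181`; if the wss:// handshake fails because the browser does not trust the certificate, the page can fall back to the plain port rather than silently failing, which is the detection gap raised earlier in this thread.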
Remaining items (Linux installer cleanup, will start new thread):
Firefox by default blocks non-secure websockets connections from HTTPS locations. This is meant to be a placeholder for secure websockets (wss://) support. Current design includes (please check off items as they are completed):