Enabling WebSocket Secure (TLS)

Val edited this page Jul 1, 2016 · 9 revisions

WSS support is provided through a custom per-connection extension named WebSocketSecureConnectionExtension.

It requires a certificate object (with its private key) that is used to secure the connection:

server.ConnectionExtensions.RegisterExtension(new WebSocketSecureConnectionExtension(certificate)); 

When using TLS, clients must connect using the wss:// scheme.

How you obtain that certificate object is up to the caller, but this is one small example. The certificate is looked up by thumbprint rather than by position in the store, because the order of store.Certificates is not stable and indexing into it can silently pick the wrong certificate (the thumbprint below is a placeholder):

using System.Security.Cryptography.X509Certificates;

// Open the machine-wide personal store read-only and select the server certificate by thumbprint.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var matches = store.Certificates.Find(X509FindType.FindByThumbprint, "<server certificate thumbprint>", validOnly: true);
var certificate = matches.Count > 0 ? matches[0] : throw new InvalidOperationException("Server certificate not found");
store.Close();

If you run into trouble using your SSL certificate, try these approaches.

When using TLS, it is recommended to increase the number of available parallel negotiations through the WebSocketListener options, since the TLS handshake takes noticeably longer than a plain connection setup:

var options = new WebSocketListenerOptions()
{
    NegotiationQueueCapacity = 128,
    ParallelNegotiations = 16
};

WebSocketListener server = new WebSocketListener(endpoint, options);
server.Standards.RegisterStandard(new vtortola.WebSockets.Rfc6455.WebSocketFactoryRfc6455(server));
server.ConnectionExtensions.RegisterExtension(new WebSocketSecureConnectionExtension(certificate));

Tune the option values to find the configuration that works best for you.

WebSocketSecureConnectionExtension also provides a constructor overload that accepts a RemoteCertificateValidationCallback, which is used to validate the client's certificate. The callback's return value decides whether the connection is accepted, so it must actually check the certificate rather than simply return true.
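The following is an added example, not code from this wiki or from the WebSocketListener project itself, that puts the pieces above together: the listener options, the RFC 6455 standard, and the TLS extension registered with a client-certificate validation callback. It assumes the constructor overload takes the server certificate followed by the RemoteCertificateValidationCallback, that Start() and Stop() are the listener's lifecycle methods as in the rest of this wiki, that the server certificate is loaded from a PFX file named server.pfx, and that the library requests a client certificate when a callback is supplied (check this against the library version you use). The trusted thumbprint and the port are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using vtortola.WebSockets;
using vtortola.WebSockets.Rfc6455;

static class WssServerExample
{
    // Hypothetical allow-list of client certificate thumbprints (SHA-1 hex, no spaces).
    static readonly string[] TrustedClientThumbprints =
    {
        "0123456789ABCDEF0123456789ABCDEF01234567"
    };

    // On the server side the "remote" certificate is the client's. Returning true
    // unconditionally would accept any certificate, so this callback rejects connections
    // with no client certificate, with any chain/policy error, or with an unknown thumbprint.
    static bool ValidateClientCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
            return false; // no client certificate presented (SslPolicyErrors.RemoteCertificateNotAvailable)

        if (errors != SslPolicyErrors.None)
            return false; // chain did not build to a trusted root, or other policy error

        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        return Array.Exists(TrustedClientThumbprints,
            t => string.Equals(t, cert2.Thumbprint, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Assumed: the server certificate and private key live in server.pfx.
        var serverCertificate = new X509Certificate2("server.pfx", "pfx-password");

        // TLS handshakes are slower than plain TCP accepts, so allow more concurrent negotiations.
        var options = new WebSocketListenerOptions()
        {
            NegotiationQueueCapacity = 128,
            ParallelNegotiations = 16
        };

        // Use a port dedicated to WSS, not the one used for plain ws:// connections.
        var endpoint = new IPEndPoint(IPAddress.Any, 8443);
        var server = new WebSocketListener(endpoint, options);
        server.Standards.RegisterStandard(new WebSocketFactoryRfc6455(server));
        server.ConnectionExtensions.RegisterExtension(
            new WebSocketSecureConnectionExtension(serverCertificate, ValidateClientCertificate));

        server.Start();
        Console.WriteLine("Listening on wss://<hostname-in-certificate>:8443/ ; press Enter to stop.");
        Console.ReadLine();
        server.Stop();
    }
}
```

Because the callback requires SslPolicyErrors.None, client certificates must chain to a root the server machine trusts; if your clients use a private CA, install that CA on the server (or build the chain yourself with a custom X509Chain) rather than ignoring chain errors in the callback.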

Notes

  • Remember to use a port number different from the one used for non-secure connections. Some browsers get confused if a port suddenly becomes secure or vice versa.
  • Remember to connect using the hostname indicated in the certificate, not the IP address; otherwise hostname validation fails.
  • If you are using a self-signed certificate, serve it over HTTPS first so the browser shows the dialog for accepting that certificate. When connecting via wss:// there is no certificate acceptance dialog; the connection will just fail.