How do I use Secure Websockets (WSS)?

[DavidRM 72]

What I'm trying to do: Keep the web page for the app separate from the backend server for the app.

Right now, I have the web page serving the client, which opens a Websocket (ws) to the backend server.

I want to add HTTPS to the web page and I want to support secure Websockets to the backend.

The first part seems pretty straightforward. I'll just get an SSL certificate for the web page. But... How does that affect the second part? Can I still open a non-secure WS connection from the client? Or will the browser balk? Also, what do I need to do to the backend server to get it to handle secure WS connections?

Thanks!

-David

[lynkfs 614]

Found this on stackoverflow.

Quote

With browsers, there are 2 connections involved: 
a) the one to fetch the HTML and JS files via HTTP or HTTPS and 
b) the actual WebSocket connection, which only starts as a HTTP or HTTPS connection. 
Now you can have a) done via HTTP, while b) is done via HTTPS upgraded to WSS. But you can NOT have a) via HTTPS, and then b) via HTTP not being upgraded to WSS, but using plain WS. This is explicitly forbidden for browser WebSocket clients (and browsers enforce it). Non-browser WebSocket clients don't even have a) 

Are your client server and ws server separate ?

[warleyalex 436]

Could you help to comment that can Websockets work on mobile phones devices? I remember we may be able to use them with SMS applications with mORMot weksockets, built-in using nterface SOA callbacks . But we can seious limitation  over a 3G connection or security requirements (like explicit SLL certificates), connections dropping out on mobile phones. Desktops and laptops are a different story of course.

[DavidRM 72]

@lynkfs

It sounds like I should get the Websocket upgraded to SSL before messing with the web page. But since the backend doesn't have a domain name, I'm not sure how the certificate would work. This part is all quite new to me. (Hell, before last fall NodeJS/Websocket was totally new to me). I'm kinda figuring out as I go.

[DavidRM 72]

22 minutes ago, warleyalex said:

Could you help to comment that can Websockets work on mobile phones devices? I remember we may be able to use them with SMS applications with mORMot weksockets, built-in using nterface SOA callbacks . But we can seious limitation  over a 3G connection or security requirements (like explicit SLL certificates), connections dropping out on mobile phones. Desktops and laptops are a different story of course.

Some of my users have connected with mobile devices. I've done it with a Google Pixel 2, though not for long stretches of time. I haven't heard of any dropping connections like that. IPhones and  Android both.

[lynkfs 614]

You may be able to have SSL on IP rather than domain name, as long as it is a public IP address.

Quote

 

Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.

According to the CA Browser forum, there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields. This is due to legacy SSL implementations which are not aligned with RFC 5280, notably, Windows OS prior to Windows 10.

 

Stackoverflow again 

 

[DavidRM 72]

Alrighty then. I have a plan of attack now. THanks! -David