Secure websocket with localhost certificate

Problem description

We use a secure connection (HTTPS) for our site, and we need the client to communicate with a program running in background (made with Qt), which the user installed previously. We intended to do that using websockets, using a certificate signed by the company. The CA is installed in Windows and Mozilla databases.

Since the websocket runs on the client side, and the websocket server also runs on the client's machine, the connection is performed on localhost. Also, because we use HTTPS, we must also use WSS. We chose port 2424.

The problem is, Chrome, Firefox and IE consider the connection to be untrusted because it is on localhost (I think). If I open a new tab on https://127.0.0.1:2424, an error message appears; the browsers say the certificate is only valid on localhost, and that this could mean that someone may be trying to intercept data sent to the server (Firefox error code: ssl_error_bad_cert_domain).

Recommended answer

The problem was that the certificate was issued to localhost, not 127.0.0.1. The websocket connected using the IP, not covered by the certificate, so changing the socket address from wss://127.0.0.1:2424 to wss://localhost:2424 worked, at least for Chrome and IE, but the connection is still refused in Firefox.
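
The name check behind this error, as an added example that is not part of the original answer: a simplified JavaScript model of how a TLS client compares the host in the URL with the certificate's subjectAltName entries. The function names and the second SAN list (a certificate that also carries an IP entry for 127.0.0.1) are assumptions made for illustration; wildcard matching and IPv6 canonicalization are left out.

```javascript
// Added example: simplified model of TLS server-name matching.
// SAN entries use OpenSSL's text form: "DNS:<name>" or "IP Address:<addr>".

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(host) {
  return IPV4.test(host) || host.includes(':');
}

// Returns null when the host is covered by the SAN list, else a reason string.
function checkHost(host, sanEntries) {
  const name = host.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  const dns = [];
  const ips = [];
  for (const entry of sanEntries) {
    if (entry.startsWith('DNS:')) dns.push(entry.slice(4).toLowerCase());
    else if (entry.startsWith('IP Address:')) ips.push(entry.slice(11).toLowerCase());
  }
  if (isIpLiteral(name)) {
    // An IP literal is compared only with iPAddress entries, never with DNS names,
    // so a certificate for "localhost" does not cover 127.0.0.1.
    return ips.includes(name)
      ? null
      : `IP ${name} is not among the certificate's IP entries [${ips.join(', ')}]`;
  }
  // Exact, case-insensitive match only (no wildcards in this sketch).
  return dns.includes(name)
    ? null
    : `host ${name} is not among the certificate's DNS entries [${dns.join(', ')}]`;
}

// Audit a list of WebSocket endpoints against one certificate's SAN list.
function auditEndpoints(urls, sanEntries) {
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const reason = checkHost(host, sanEntries);
    return { url, host, ok: reason === null, reason };
  });
}

// Constructed sample data: the two addresses from the question and two SAN lists.
const endpoints = ['wss://127.0.0.1:2424', 'wss://localhost:2424'];
const sanLocalhostOnly = ['DNS:localhost'];                 // certificate as described
const sanBoth = ['DNS:localhost', 'IP Address:127.0.0.1'];  // hypothetical reissue

console.log(auditEndpoints(endpoints, sanLocalhostOnly));
console.log(auditEndpoints(endpoints, sanBoth));
```
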
