需要获取有效的SSL证书才能使WebTransport服务器示例工作吗?

huangapple go评论123阅读模式
英文:

Do I have to get a valid SSL certificate to make WebTranport server examples work?

问题

I tried several WebTransport server examples, but failed to establish a webtransport connection with Chrome 111.

Server examples:

Clients:

The error was either

net::ERR_CONNECTION_RESET.
WebTransportError: Opening handshake failed.

or

net::ERR_QUIC_PROTOCOL_ERROR.QUIC_TLS_CERTIFICATE_UNKNOWN (TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown).
WebTransportError: Opening handshake failed.

To make self-signed SSL certificate working, I tried using Chrome command line args

--user-data-dir=chromequicdata --origin-to-force-quic-on=localhost:4433 --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=

or passing server certificate hash as WebTransport constructor options

  new WebTransport(url, {
    serverCertificateHashes: [
      {algortithm: 'sha-256', value: decodeBase64('Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=')}
    ]
  });

Do I have to get a valid SSL certificate to make these server examples working?

英文:

I tried several WebTranport server examples, but failed to establish a webtransport connection with Chrome 111.

Server examples:

Clients:

The error was either

> net::ERR_CONNECTION_RESET.
> WebTransportError: Opening handshake failed.

or

> net::ERR_QUIC_PROTOCOL_ERROR.QUIC_TLS_CERTIFICATE_UNKNOWN (TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown).
> WebTransportError: Opening handshake failed.

To make self-signed SSL certificate working, I tried using Chrome command line args

--user-data-dir=chromequicdata --origin-to-force-quic-on=localhost:4433 --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=

or passing server certificate hash as WebTransport constructor options

  new WebTransport(url, {
    serverCertificateHashes: [
      {algortithm: 'sha-256', value: decodeBase64('Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=')}
    ]
  });

Do I have to get a valid SSL certificate to make these server examples working?

答案1

得分: 3

serverCertificateHashes 只对有效期小于 14 天的 EDCSA 证书起作用。这里是生成有效证书的方法

英文:

It's not well documented, but serverCertificateHashes only works for EDCSA certificates valid for <14 days.

Here's how you generate a valid certificate.

答案2

得分: 0

以下是翻译的内容:

对我来说,您提供的第三个服务器示例中描述的步骤在使用 Chrome 114 运行客户端示例时有效。它们是:

以下是逐步说明如何执行此操作:

  1. 生成证书和私钥:
    openssl req -newkey rsa:2048 -nodes -keyout certificate.key
    -x509 -out certificate.pem -subj '/CN=Test Certificate'
    -addext "subjectAltName = DNS:localhost";

  2. 计算证书的指纹:
    openssl x509 -pubkey -noout -in certificate.pem |
    openssl rsa -pubin -outform der |
    openssl dgst -sha256 -binary | base64

    结果应该是一个看起来像这样的经过 base64 编码的数据块:
    "Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck="

  3. 向 Chromium 传递一个标志,指示应该允许使用自签名证书的主机和端口。
    例如,如果主机是 localhost,端口是 4433,则标志将是:
    --origin-to-force-quic-on=localhost:4433

  4. 向 Chromium 传递一个标志,指示应信任哪个证书。
    对于上面的示例,该标志将是:
    --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=

我遇到的问题:

  • 在 ignore-certificate-errors-spki-list 标志中未使用正确的指纹,或者在一个文件夹中有多个证书文件,或者在客户端一侧未使用正确的端口号。
  • 在证书和密钥文件生成时使用了错误的标签。因为如果您想要在使用简单 IP 地址而不是主机名的情况下使用此方法,您应该使用:
    • -addext "subjectAltName = IP.1:..."
  • 使用较旧版本的 Chrome 也会出现问题,因此您应该尝试升级到 114。

这些都是非常通用的解决方案,但它们可能对您有帮助。

英文:

For me the steps that are described in the third server example's comments that you provided worked with Chrome 114 running the client example. They were:

> Here are step-by-step instructions on how to do that:
> 1. Generate a certificate and a private key:
> openssl req -newkey rsa:2048 -nodes -keyout certificate.key
> -x509 -out certificate.pem -subj '/CN=Test Certificate'
> -addext "subjectAltName = DNS:localhost"
> 2. Compute the fingerprint of the certificate:
> openssl x509 -pubkey -noout -in certificate.pem |
> openssl rsa -pubin -outform der |
> openssl dgst -sha256 -binary | base64
>
> The result should be a base64-encoded blob that looks like this:
> "Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck="
> 3. Pass a flag to Chromium indicating what host and port should be allowed
> to use the self-signed certificate. For instance, if the host is
> localhost, and the port is 4433, the flag would be:
> --origin-to-force-quic-on=localhost:4433
> 4. Pass a flag to Chromium indicating which certificate needs to be trusted.
> For the example above, that flag would be:
> --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=

Problems I ran into:

  • not using the correct fingerprint at the ignore-certificate-errors-spki-list flag or the correct cert file if i had many in one folder or the correct port number on the client's side
  • using the wrong tag at the cert and key file generation. Because if you want to use this method with a simple IP address, not a hostname, you should use:
    • -addext "subjectAltName = IP.1:..."
  • using an older version of Chrome was also a problem, so you should try to update to 114

These are really general solutions, but they might help you.

huangapple
  • 本文由 发表于 2023年4月11日 01:29:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/75979276.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定