英文:
Do I have to get a valid SSL certificate to make WebTranport server examples work?
问题
I tried several WebTransport server examples, but failed to establish a webtransport connection with Chrome 111.
Server examples:
Clients:
The error was either
net::ERR_CONNECTION_RESET.
WebTransportError: Opening handshake failed.
or
net::ERR_QUIC_PROTOCOL_ERROR.QUIC_TLS_CERTIFICATE_UNKNOWN (TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown).
WebTransportError: Opening handshake failed.
To make self-signed SSL certificate working, I tried using Chrome command line args
--user-data-dir=chromequicdata --origin-to-force-quic-on=localhost:4433 --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=
or passing server certificate hash as WebTransport constructor options
new WebTransport(url, {
serverCertificateHashes: [
{algortithm: 'sha-256', value: decodeBase64('Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=')}
]
});
Do I have to get a valid SSL certificate to make these server examples working?
英文:
I tried several WebTranport server examples, but failed to establish a webtransport connection with Chrome 111.
Server examples:
- https://github.com/wegylexy/webtransport/blob/main/ServerDemo/Program.cs
- https://github.com/dotnet/aspnetcore/blob/main/src/Servers/Kestrel/samples/WebTransportSampleApp/Program.cs
- https://github.com/GoogleChrome/samples/blob/gh-pages/webtransport/webtransport_server.py
Clients:
- https://googlechrome.github.io/samples/webtransport/client.html
- https://127.0.0.1/service-tests/webtransport-test/webtransport-test.html
The error was either
> net::ERR_CONNECTION_RESET.
> WebTransportError: Opening handshake failed.
or
> net::ERR_QUIC_PROTOCOL_ERROR.QUIC_TLS_CERTIFICATE_UNKNOWN (TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown).
> WebTransportError: Opening handshake failed.
To make self-signed SSL certificate working, I tried using Chrome command line args
--user-data-dir=chromequicdata --origin-to-force-quic-on=localhost:4433 --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=
or passing server certificate hash as WebTransport constructor options
new WebTransport(url, {
serverCertificateHashes: [
{algortithm: 'sha-256', value: decodeBase64('Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=')}
]
});
Do I have to get a valid SSL certificate to make these server examples working?
答案1
得分: 3
serverCertificateHashes 只对有效期小于 14 天的 EDCSA 证书起作用。这里是生成有效证书的方法。
英文:
It's not well documented, but serverCertificateHashes only works for EDCSA certificates valid for <14 days.
Here's how you generate a valid certificate.
答案2
得分: 0
以下是翻译的内容:
对我来说,您提供的第三个服务器示例中描述的步骤在使用 Chrome 114 运行客户端示例时有效。它们是:
以下是逐步说明如何执行此操作:
生成证书和私钥:
openssl req -newkey rsa:2048 -nodes -keyout certificate.key
-x509 -out certificate.pem -subj '/CN=Test Certificate'
-addext "subjectAltName = DNS:localhost";计算证书的指纹:
openssl x509 -pubkey -noout -in certificate.pem |
openssl rsa -pubin -outform der |
openssl dgst -sha256 -binary | base64结果应该是一个看起来像这样的经过 base64 编码的数据块:
"Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck="向 Chromium 传递一个标志,指示应该允许使用自签名证书的主机和端口。
例如,如果主机是 localhost,端口是 4433,则标志将是:
--origin-to-force-quic-on=localhost:4433向 Chromium 传递一个标志,指示应信任哪个证书。
对于上面的示例,该标志将是:
--ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=
我遇到的问题:
- 在 ignore-certificate-errors-spki-list 标志中未使用正确的指纹,或者在一个文件夹中有多个证书文件,或者在客户端一侧未使用正确的端口号。
- 在证书和密钥文件生成时使用了错误的标签。因为如果您想要在使用简单 IP 地址而不是主机名的情况下使用此方法,您应该使用:
- -addext "subjectAltName = IP.1:..."
- 使用较旧版本的 Chrome 也会出现问题,因此您应该尝试升级到 114。
这些都是非常通用的解决方案,但它们可能对您有帮助。
英文:
For me the steps that are described in the third server example's comments that you provided worked with Chrome 114 running the client example. They were:
> Here are step-by-step instructions on how to do that:
> 1. Generate a certificate and a private key:
> openssl req -newkey rsa:2048 -nodes -keyout certificate.key
> -x509 -out certificate.pem -subj '/CN=Test Certificate'
> -addext "subjectAltName = DNS:localhost"
> 2. Compute the fingerprint of the certificate:
> openssl x509 -pubkey -noout -in certificate.pem |
> openssl rsa -pubin -outform der |
> openssl dgst -sha256 -binary | base64
>
> The result should be a base64-encoded blob that looks like this:
> "Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck="
> 3. Pass a flag to Chromium indicating what host and port should be allowed
> to use the self-signed certificate. For instance, if the host is
> localhost, and the port is 4433, the flag would be:
> --origin-to-force-quic-on=localhost:4433
> 4. Pass a flag to Chromium indicating which certificate needs to be trusted.
> For the example above, that flag would be:
> --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=
Problems I ran into:
- not using the correct fingerprint at the ignore-certificate-errors-spki-list flag or the correct cert file if i had many in one folder or the correct port number on the client's side
- using the wrong tag at the cert and key file generation. Because if you want to use this method with a simple IP address, not a hostname, you should use:
- -addext "subjectAltName = IP.1:..."
- using an older version of Chrome was also a problem, so you should try to update to 114
These are really general solutions, but they might help you.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论