Websockets: do I need to use a secure socket?

For communication between an HTMLViewer and the Xojo side of my Desktop app, I’ve put together a websocket server and that is working OK on macOS. However although the websocket is built using an SSLSocket as its super, security is turned off, as I figured I didn’t need it. On the HTMLViewer side I do this:

 [code]socket = new WebSocket ('ws://localhost:' + port);[/code]

Now under Win10 the app gets an OLE exception startup, with a javascript error “SecurityError” at this line. Should I be using a secure socket instead, thus:

 [code]socket = new WebSocket ('wss://localhost:' + port);[/code]

If so, does it then suffice to do this in the websocket’s constructor:

me.secure = true me.ConnectionType = SSLSocket.SSLv23

The HTMLViewer is using the IE11 renderer, which is forced into IE11 rendering mode.

Change connectiontype to tlsv12 sslv23 is propably not supprted anymore

Actually, while badly named, sslv23 will start at TLSv1.2 and work it’s wsy downward until it finds a protocol that the server accepts.

I tried what I was aking about in my OP and at connection time got a LastErrorCode in the socket server of hex 1417A0C1, which appears to mean “no shared cypher”, which according to someone on Github means:

“The ‘no shared cipher’ error means the client supports none of the encryption algorythms proposed by the server. As a result, the connection cannot be ssl encrypted.”

This was under macOS but it seems to fail in the same way under Win10 in a VM.

So how can I use a secure websocket in my app?

It would be handy to know what cyphers your server does support.

As I say in my OP, I’m (when testing) doing this in the websocket server (actually in the constructor for the websocket, whose super is SSLsocket) :

me.secure = true me.ConnectionType = SSLSocket.SSLv23

so the question really is, what cyphers does Xojo’s SSL socket offer, and why is none of them acceptable to this javascript:

socket = new WebSocket ('wss://localhost:' + port);

which is running in an HTMLViewer, trying to connect to the websocket server. I should perhaps add that all of this is running in one desktop application. I’m using a websocket server to bypass the data length limitations of communicating using document.title or window.status.

Ah! Then set ConnectionType to TLSv12. The server should be using the highest it thinks the client can connect with.

Sorry about that. I’d gotten the impression that those were client settings.

Um. That made no difference. One thing that has meant some progress, however, is certificates. This is a subject that I’m not hugely interested in, but I poked around and found https://letsencrypt.org/docs/certificates-for-localhost/ which shows a script for creating a key and a certificate file specifically for my localhost use-case. I ran this as-is and joined the resulting two files together as shown in the SSLSocket docs, to give a single file that I have wired into the socket’s CertificateFile property.

Running with that and of course using wss:// on the javascript side inside the HTMLViewer then gave, when the server tried to listen on the socket and the js side connects:

LastErrorCode: 102 - which means connection lost.

Re-reading the docs at letsencrypt.org, I realised I needed to have the cert be “trusted”, which I was able to do with keychain, and which then allowed the connection to complete - and that was with SSLv23, BTW. So now I can do secure websocket transfers to/from an HTMLViewer. This is a relief since now I can now try this under W10, if I can figure out how to do certs under Windows. Since everything I read seems to imply that non-secure websockets are or will be deprecated, I guess I need to move now.

Still some wrinkles, as the certificate expires in a month, and I have to figure out a simple way for users to do this for themselves, but this is progress.

Did you come up with a solution for secure Websockets on a localhost on a W10 desktop?

I think I need a remotely served webpage to communicate with a desktop app and I believe that as the website is SSL/TLS secure the browser needs to connect to an SSL WebSocket connection.

I guess some way of creating a cert authority and self signed cert automatically when an app is first run / installed would help in this scenario.

If you have any pointers based on your experience I’d be interested in hearing about it.

No I didn’t. I can’t remember why now, but in the end I just ignored the issue, as I couldn’t get it to work. The code for making a secure connection is still in the Websocket Constructor, but commented out.

Thanks for looking, I will continue to look into this as I think it’s going to be a big issue as browsers tighten their security policies.