diff options
author | Wiebe Cazemier <wiebe@ytec.nl> | 2015-10-05 11:27:36 +0200 |
---|---|---|
committer | Wiebe Cazemier <wiebe@ytec.nl> | 2015-10-05 11:27:36 +0200 |
commit | 3c04cf8c451931de91b388e43fb1b364e2d69394 (patch) | |
tree | 7b025fafcee7edd2d6d5f55bae81d95f8a16a8fd /README.md | |
parent | 62c3a591927a2fbc08d6ca094209717f682e0ca1 (diff) | |
download | websockify-3c04cf8c451931de91b388e43fb1b364e2d69394.tar.gz |
Clarified SSL section in README
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 24 |
1 files changed, 18 insertions, 6 deletions
@@ -47,17 +47,29 @@ which is why the negotiation is necessary. ### Encrypted WebSocket connections (wss://) -To encrypt the traffic using the WebSocket 'wss://' URI scheme you -need to generate a certificate for websockify to load. By default websockify -loads a certificate file name `self.pem` but the `--cert=CERT` option can -override the file name. You can generate a self-signed certificate using -openssl. When asked for the common name, use the hostname of the server where -the proxy will be running: +To encrypt the traffic using the WebSocket 'wss://' URI scheme you need to +generate a certificate and key for Websockify to load. By default, Websockify +loads a certificate file name `self.pem` but the `--cert=CERT` and `--key=KEY` +options can override the file name. You can generate a self-signed certificate +using openssl. When asked for the common name, use the hostname of the server +where the proxy will be running: ``` openssl req -new -x509 -days 365 -nodes -out self.pem -keyout self.pem ``` +For a self-signed certificate to work, you need to make your client/browser +understand it. You can do this by installing it as accepted certificate, or by +using that same certificate for a HTTPS connection to which you navigate first +and approve. Browsers generally don't give you the "trust certificate?" prompt +by opening a WSS socket with invalid certificate, hence you need to have it +acccept it by either of those two methods. + +If you have a commercial/valid SSL certificate with one ore more intermediate +certificates, concat them into one file, server certificate first, then the +intermediate(s) from the CA, etc. Point to this file with the `--cert` option +and then also to the key with `--key`. Finally, use `--ssl-only` as needed. + ### Websock Javascript library |