Friday 6 February 2015

WebSockets over Node.js: from Plain to Secure

In a previous post I shared my experiments with node.js as a WebSocket server. This is quite useful for people working on WebRTC prototypes and familiar with node.js.

Some readers may have noticed that I was using plain WebSockets ('ws://' URLs). It's recommended to use Secure WebSockets instead ('wss://' URLs), so I thought I'd play with the 'ws' node.js module and "add TLS".

On GitHub there's an example in this direction (see below), but I must admit I didn't understand some implications at first.

I thought the instantiation of an HTTPS server was just coincidental and meant to provide the web pages and scripts in the example, and that the configuration of 'ws' with 'ssl: true' and certificates was independent.

It turns out it's not. The best description of my understanding is that you need an HTTPS server to "decorate" the WebSocket module. The HTTPS server will take care of connection instantiation and encryption, while the WebSocket module, "listening" on the same port, will take over when the Upgrade request [1] from the client is received.

Here's a snippet of the solution I've adopted, based on the example above:


You can see that the version for plain WebSocket (commented out) had the configuration object passed to the WebSocket constructor (well, in fact, you just need to pass '{ port: 8080 }'), while the secure solution passes the entire HTTPS server object to the WebSocket constructor.

Something similar (using express) has been described in this post.

Note, if you're using self-signed certificates, that you should first access the site and accept the security exception, or the client won't be happy.

A useful tool to debug WebSockets comes as a Chrome extension: Simple WebSocket Client.

[1] The Upgrade request looks like this (from RFC 6455):

GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
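
What "taking over on Upgrade" means in practice, as an added example (not the post's own snippet and not code from the 'ws' module): a handler built only on Node's standard library that validates the Upgrade request shown in [1] and answers it. The function names are made up for illustration, and subprotocol selection and frame parsing after the handshake are left out.

```javascript
// Added example: the WebSocket opening handshake on Node's 'upgrade' event.
const crypto = require('node:crypto');

// Fixed GUID defined by RFC 6455.
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11';

// Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)).
function acceptValue(key) {
  return crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
}

// Decide how to answer an Upgrade request. `headers` has lower-case names,
// as req.headers does in Node. Returns { status, headers }.
function handshakeResponse(headers) {
  const upgrade = (headers['upgrade'] || '').toLowerCase();
  const tokens = (headers['connection'] || '').toLowerCase().split(/\s*,\s*/);
  const key = headers['sec-websocket-key'] || '';
  if (upgrade !== 'websocket' || !tokens.includes('upgrade')) {
    return { status: 400, headers: {} };
  }
  // The key must be 16 bytes, base64-encoded (24 characters).
  if (key.length !== 24 || Buffer.from(key, 'base64').length !== 16) {
    return { status: 400, headers: {} };
  }
  if (headers['sec-websocket-version'] !== '13') {
    return { status: 426, headers: { 'Sec-WebSocket-Version': '13' } };
  }
  return {
    status: 101,
    headers: {
      Upgrade: 'websocket',
      Connection: 'Upgrade',
      'Sec-WebSocket-Accept': acceptValue(key),
    },
  };
}

const REASONS = { 101: 'Switching Protocols', 400: 'Bad Request', 426: 'Upgrade Required' };

// Works for http.Server and https.Server alike: both emit 'upgrade' with the
// underlying socket. On an HTTPS server that socket is already TLS-protected.
function attachUpgrade(server, onOpen) {
  server.on('upgrade', (req, socket) => {
    const res = handshakeResponse(req.headers);
    const lines = [`HTTP/1.1 ${res.status} ${REASONS[res.status]}`];
    for (const [name, value] of Object.entries(res.headers)) lines.push(`${name}: ${value}`);
    const data = lines.join('\r\n') + '\r\n\r\n';
    if (res.status === 101) { socket.write(data); onOpen(socket, req); } else socket.end(data);
  });
}
```

Because the handler only depends on the 'upgrade' event, moving from ws:// to wss:// changes which server object it is attached to, not the handshake itself.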

3 comments:

  1. Thank you so much. I will soon need this info!

    Thank you very much. I'll need it soon for my application!
    Bye

  2. Nice article! But I am facing a different issue now. I have a system, in which a web app communicates to the server via socket.io, and at the same time, a real device (gateway) connects to the server via websocket. In the scenario of no SSL, I just assign two different ports to the socket.io connection and ws connection respectively, and the system works well. But now I need to use SSL. As mentioned in your article, "while the secure solution passes the entire HTTPS server object to the WebSocket constructor", I tried the following code, but it did not work.

    var wss = new WebSocketServer({
    server: server,
    port: config.ws_port
    });

    So my question is: how can I assign a different port (say 5000) for ws connection on top of the HTTPS server that is using another port (say 4000) for web app communication?

    Thanks a lot.

  3. You literally just saved my sanity with this one line above:

    "Note, if you're using self-signed certificates, that you should first access the site and accept the security exception, or the client won't be happy."

    I just spent 2 days trying to figure out why I can't connect to wss://, but ws:// worked perfectly. I tried so many combos and dug into module source code. Turns out that even after importing certs into my browser, the client wouldn't connect. I just had to navigate to my https url and accept the risk then the client worked perfectly.

    so....Thank you!!!!!!!

About ICE negotiation

Disclaimer: I wrote this article in March 2022 while working with Subspace, and the original link is here: https://subspace.com/resources/i...