Adding native wss (SSL) support [feature] #88

Open
gregoiregentil opened this issue May 8, 2024 · 4 comments
@gregoiregentil

Hello,

wsServer is very useful because it's very tiny and readable... On the other hand, libwebsockets (which is an amazing project) has 100k+ lines of code and patches, so it has become unmanageable.

I need to get wss support (SSL).

  1. For information, I'm running wsServer first on a standard Linux server with Apache2. To support wss, you can just add those lines to the Apache2 configuration (and you could avoid stunnel):

```apache
<IfModule mod_ssl.c>
<VirtualHost _IP_:443>
        # TLS is terminated by this vhost; certificate paths are placeholders
        SSLEngine on
        SSLCertificateFile    /path/to/fullchain.pem
        SSLCertificateKeyFile /path/to/privkey.pem
        RewriteEngine on
        ProxyRequests Off
        ProxyPreserveHost on
        # ws:// backends require mod_proxy and mod_proxy_wstunnel to be enabled
        ProxyPass /ws ws://_SERVER_:8081
        ProxyPassReverse /ws ws://_SERVER_:8081
</VirtualHost>
</IfModule>
```

  2. I'm aware of stunnel.

  3. I need to get wss support in a second scenario which is extremely constrained and where getting stunnel is complicated. Would you consider adding SSL native support? Or could you point out where the frames need to be encrypted / decrypted using openssl with a local certificate?

@Theldus
Owner

Theldus commented May 9, 2024

Hello @gregoiregentil,

Thank you for giving wsServer a chance, and also for the well-informed issue. I often receive issues from people who don't even read the project's README.

Regarding SSL/TLS, my focus has always been on implementing the protocol (websocket), so I've always postponed SSL support, especially with the existence of proxies, as you mentioned. I'm not well-versed in cryptography and such, so I would like to avoid adding an extra layer of complexity to the project and potentially doing it wrong. That said, OpenSSL would be the last library I would use for this.

OpenSSL is huge and unnecessarily complex; there are much better and simpler alternatives available nowadays, such as Amazon's s2n-tls, which seems to be very user-friendly.

However, I would like to better understand your environment, where running wsServer is not an issue, but running a proxy together might be...

@gregoiregentil
Author

Thank you. I managed to run stunnel on my constrained system and it seems to be working. I wanted to avoid another block in my system because of space and resource constraints.

You're right about OpenSSL. Thank you for the suggestion of s2n-tls. That project is also huge... On another project of mine with some similar constraints, I started from https://axtls.sourceforge.net which is smaller, and I extracted the few C files that deal with certificates.

This is the same problem over and over: when you want to do something relatively simple (like wsS), you pull the projects and you end up with multiple huge stacks.

For the short term, I will try to keep stunnel. Still, it would be a very instructive "exercise" to pull the required code to deal with SSL certificates and incorporate into wsServer.

@Theldus
Owner

Theldus commented May 10, 2024

Hi @gregoiregentil,

axTLS seems quite interesting, and really very small, impressive! It just bothers me a bit that it has not received any updates since 2019!

Perhaps I'll try to gradually add SSL/TLS support in my spare time, whether via axTLS, s2n-tls, or similar, preferably still maintained.

Furthermore, please keep this issue open, as this is indeed a feature I intend to implement... I just can't give you any deadlines.

@gregoiregentil
Author

Yes, axTLS has not been updated recently - I saw that too, not very good for security.

I read the code and managed to extract only the relevant part I needed for manipulating a certificate and encrypting/decrypting data. It was very efficient - just a few source files. But obviously, it's at your own risk.

@Theldus Theldus mentioned this issue Nov 1, 2024