Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl auto upgrade #3313

Closed
totaam opened this issue Oct 18, 2021 · 5 comments
Closed

ssl auto upgrade #3313

totaam opened this issue Oct 18, 2021 · 5 comments
Labels
enhancement New feature or request network

Comments

@totaam
Copy link
Collaborator

totaam commented Oct 18, 2021
edited
Loading

Expanding the scope of #3299, the server can tell the client that it supports ssl and then the client may decide to upgrade the tcp or ws socket to ssl / wss.

See also #3305
@totaam totaam added enhancement New feature or request network labels Oct 18, 2021
totaam added a commit that referenced this issue Jul 12, 2023
@totaam
#3313 auto-upgrade tcp sockets to ssl
c3b450b
@totaam
Copy link
Collaborator Author

totaam commented Jul 12, 2023
edited
Loading

Done in the commit above.
Caveats:

  • upgrading ws websockets to wss does not work (not sure why) so it is not enabled
  • still some occasional timeouts stealing the connection - replacing the timer with a thread join would be more reliable and often faster
  • we could save the certificate that the server gives us and then enable ssl verification - meh

Example output:

$ xpra start :100 --bind-tcp=:10000 --ssl-cert=./cert.pem --ssl-key=./key.pem 

$ xpra id tcp://localhost:10000/ 
upgrading tcp socket: 127.0.0.1:56714 <- 127.0.0.1:10000 to ssl
SSL handshake complete, TLSv1.2
 ECDHE-RSA-AES256-GCM-SHA384, 256 bits
display=:100
machine-id=a9980b37933d4f86817014d8c2439a5a
pid=415233
platform=linux
session-name=xterm
session-type=seamless
uuid=fdc66c6ffa1c4706b35ee9ef5df0d4ce

@totaam totaam closed this as completed Jul 12, 2023
totaam added a commit that referenced this issue Jul 12, 2023
@totaam
#3313 enable auto-upgrades by default
c2ac508
@totaam totaam mentioned this issue Jul 22, 2023
Closed
totaam added a commit that referenced this issue Nov 17, 2023
@totaam
#3313 self-signed certificates fail
c819f21
@totaam
Copy link
Collaborator Author

totaam commented Nov 17, 2023

No longer enabled by default because this causes TCP connections to servers with self-signed certificates to upgrade to SSL, then fail because the certificate is not "valid".
We could send the signature as part of the upgrade, I guess.

@totaam totaam mentioned this issue Mar 14, 2024
Closed
totaam added a commit that referenced this issue Mar 14, 2024
@totaam
#3313 self-signed certificates fail
32f62dc
@totaam
Copy link
Collaborator Author

totaam commented Mar 14, 2024

We could detect self-signed certs and refuse to auto-upgrade in that case: SO: Determine if SSL certificate is self signed using Python

@themoonisacheese
Copy link

We could detect self-signed certs and refuse to auto-upgrade in that case: SO: Determine if SSL certificate is self signed using Python

why not instead do it the ssh way and keep a list of known-good servers that may authenticate themselves using a ssc?

in SSH, connecting to a previously-unknown server displays its hostname, its host key fingerprint and if approved, adds it to .ssh/known-hosts. if the host key ever changes, ssh will throw big red warnings at the user.

i propose doing the same for ssl certs, let the user accept that this is lower security than a CA-signed cert, but still have their back wrt to changing certs. Overall, blindly trusting a self-signed cert is better for security than simply not upgrading, because having a self-signed cert still means the traffic is encrypted in-flight.

@totaam
Copy link
Collaborator Author

totaam commented Mar 15, 2024

why not instead do it the ssh way and keep a list of known-good servers that may authenticate themselves using a ssc?
(..)

We already do that for SSL connections, it just isn't wired up for upgraded connections.
Details can be found in #3305

@totaam totaam mentioned this issue Jul 8, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request network
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@totaam @themoonisacheese