
Use native chrome ssl sockets

Open alexgartrell opened this issue 6 years ago • 1 comments

This looks pretty similar to a change by @flackr, but submitting anyway in case there's something I'm missing.

Previously, we relied on a pure javascript ssl implementation called forge for secure sockets. This had a couple of significant downsides:

  1. Certificate Authentication via your trusted CA (or any CA) didn't work
  2. Name verification wasn't enabled

As a result, secure sockets were not secure.

This solves the problem by using the (present since Chrome 38) secure socket support. This gives you all of the TLS certificate authentication goodness of chrome for free. As a plus, it's also a relatively simple change, so I was able to delete most of the logic for ssl and just add a separate callback for pre secure connect.

alexgartrell avatar Aug 05 '19 22:08 alexgartrell

As you pointed out I have a similar change https://github.com/flackr/circ/tree/chrome-sockets-tcp-secure. The issue I found when trying this is that chrome.socket requires additional attestation which fails on many SSL irc servers. For example, when connecting to freenode:

/server chat.freenode.net +6697
Socket Error: failed to secure socket: net::ERR_SSL_CLIENT_AUTH_CERT_NEEDED (error 110)

flackr avatar Aug 06 '19 11:08 flackr
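
The connect-then-secure flow discussed in this thread, as an added example that is not circ's code or either commenter's: it upgrades a `chrome.sockets.tcp` socket to TLS and closes the socket instead of continuing in plaintext when `secure()` fails. `secureConnect`, `makeStubTcp` and `demo` are hypothetical names, the stub is a constructed stand-in for `chrome.sockets.tcp`, and `irc.example.net` is a placeholder host.

```javascript
// Added example. In a Chrome App, pass chrome.sockets.tcp as `tcp`;
// it is a parameter here so a stub can drive the flow offline.
function secureConnect(tcp, host, port, onReady, onError) {
  tcp.create({}, ({ socketId: id }) => {
    // Fail closed: on any error the socket is closed, never reused in plaintext.
    const fail = (stage, rc) =>
      tcp.close(id, () => onError(new Error(`${stage} (error ${-rc})`)));
    // Pause first so no data is read off the socket before the TLS handshake.
    tcp.setPaused(id, true, () => {
      tcp.connect(id, host, port, (rc) => {
        if (rc < 0) return fail('connect failed', rc);
        // "Pre secure connect" step: upgrade to TLS with Chrome's certificate
        // and hostname verification before any IRC traffic is sent.
        tcp.secure(id, { tlsVersion: { min: 'tls1.2' } }, (rc) => {
          if (rc < 0) return fail('failed to secure socket', rc);
          tcp.setPaused(id, false, () => onReady(id));
        });
      });
    });
  });
}

// Constructed stand-in for chrome.sockets.tcp that records the call order.
function makeStubTcp(secureResult, calls) {
  const step = (name, result) => (...args) => {
    calls.push(name);
    args[args.length - 1](result); // last argument is always the callback
  };
  return {
    create: step('create', { socketId: 1 }),
    setPaused: (id, paused, cb) => { calls.push(paused ? 'pause' : 'unpause'); cb(); },
    connect: step('connect', 0),
    secure: step('secure', secureResult),
    close: step('close', undefined),
  };
}

// Runs the flow against the stub; -110 mirrors the "error 110" reported above.
function demo(secureResult) {
  const calls = [];
  let outcome = null;
  secureConnect(makeStubTcp(secureResult, calls), 'irc.example.net', 6697,
    (id) => { outcome = `ready:${id}`; },
    (err) => { outcome = err.message; });
  return { calls, outcome };
}
```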