0

Recently I updated Chrome to 58, and my extension can no longer open a secure WebSocket to localhost (wss://localhost).

My WebSocket server uses a self-signed certificate (created with openssl), and I installed the root CA into "Trusted Root Certification Authorities" for the Chrome browser. It worked fine in Chrome 56 and below, but now it doesn't.

I found a page that mentions Chrome will block resource loads from localhost: https://bugs.chromium.org/p/chromium/issues/detail?id=378566

The question is: How do I make my extension work again? If I cannot use a localhost WebSocket, what is an alternative solution?

Update:

Here is my URL to create WebSocket to localhost server: wss://localhost:30714/resourcePath

Here are the command lines I used to create the self-signed certificate:

  1. `openssl.exe dhparam -check -text -5 1024 -out "myHome DH.pem"`

  2. `openssl genrsa -des3 -out "CA.key" 1024`

  3. `openssl req -new -x509 -days 7320 -sha512 -key "CA.key" -out "myHome CA.crt"`

  4. `openssl req -newkey rsa:1024 -keyout "myHome.key" -nodes -sha512 -out "myHome.req"`

  5. `openssl ca -out "myHome.crt" -days 7320 -infiles "myHome.req"`

The results of the commands above, including the openssl.conf file, can be found here. Thanks.

I installed the myHome CA.crt file into the local machine's "Trusted Root Certification Authorities" store. It worked on Chrome 56 or earlier, but now with Chrome 58 it does not.

PhuTa
  • [Chrome 58 Deprecates Subject CN Matching](https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/). Please post the URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. – jww May 11 '17 at 14:21
  • ***`CN=www.example.com`*** is now officially wrong in Chrome (the standards deprecated it years ago). Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww May 11 '17 at 14:22
  • I updated my question. BTW, does SAN stand for Subject Alternative Name? I cannot find that field in my certs, so did I do something wrong? Please help – PhuTa May 12 '17 at 04:13

2 Answers

1

I found a link here; it mentions that Chrome blocks access from the web to localhost. Is that the root cause?

PhuTa
0

Windows users, this script will create the certificate with the required SAN: openssl script for Windows at GitHub

STWilson
  • I recreated my certs for localhost with SAN: localhost and 127.0.0.1, but it still did not work – PhuTa May 22 '17 at 02:08
  • In my case on Windows, I am not using localhost. I create development domain names and map them to 127.0.0.1 in `C:\Windows\System32\drivers\etc\hosts` accordingly. – STWilson May 22 '17 at 12:15
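
The comments above point out that Chrome 58 matches hostnames only against the SAN. The following is an added example (not code from any poster, nor the linked GitHub script) that issues a CA-signed certificate with `localhost` and `127.0.0.1` in the SAN and checks that the extension is actually present. The file names, the CA subject, the 2048-bit keys and the 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example. File names, subjects, key size and lifetime are assumptions.

# make_localhost_cert DIR
#   Writes ca.key/ca.crt (root CA) and localhost.key/localhost.crt (leaf) to DIR.
make_localhost_cert() {
    dir=$1
    # Leaf extensions: Chrome 58+ matches the hostname against subjectAltName only.
    cat > "$dir/san.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
    # Root CA: ca.crt is the file that goes into the trusted root store.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Local Dev CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Leaf key and CSR. The CN is informational; it is not used for matching.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=localhost" \
        -keyout "$dir/localhost.key" -out "$dir/localhost.csr" 2>/dev/null || return 1
    # Sign the CSR. Extensions are supplied at signing time through -extfile;
    # without it the issued certificate has no SAN at all.
    openssl x509 -req -sha256 -days 365 -in "$dir/localhost.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/localhost.crt" 2>/dev/null || return 1
}

# cert_has_san CERT ENTRY
#   Succeeds if CERT's SAN lists ENTRY, written as "DNS:name" or "IP:address".
#   Fails when the certificate has no SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | sed 's/IP Address/IP/g' | tr -d ' ' | tr ',' '\n' |
        grep -qxF "$2"
}
```

Running `cert_has_san` against a certificate produced by the five commands in the question shows whether the SAN is missing before the browser is involved.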