0
votes

Recently I updated Chrome to 58 and my extension cannot open a secure web socket to localhost (wss://localhost).

My web socket server uses a self-signed certificate (created by openssl), and I installed the root CA into "Trusted Root Certification Authorities" for the Chrome browser. It works fine for Chrome 56 or below, but now it doesn't.

I found a page that mentions Chrome will block resource loads from localhost: https://bugs.chromium.org/p/chromium/issues/detail?id=378566

The question is: how do I make my extension work again? In case I cannot go with a localhost web socket, what is an alternative solution?

Update:

Here is my URL to create WebSocket to localhost server: wss://localhost:30714/resourcePath

Here are the command lines I used to create the self-signed certificate:

  1. openssl.exe dhparam -check -text -5 1024 -out "myHome DH.pem"

  2. openssl genrsa -des3 -out "CA.key" 1024

  3. openssl req -new -x509 -days 7320 -sha512 -key "CA.key" -out "myHome CA.crt"

  4. openssl req -newkey rsa:1024 -keyout "myHome.key" -nodes -sha512 -out "myHome.req"

  5. openssl ca -out "myHome.crt" -days 7320 -infiles "myHome.req"

The results of the commands above, including the openssl.conf file, can be found here. Thanks.

I installed the myHome CA.crt file into the local machine's "Trusted Root Certification Authorities". It worked on Chrome 56 or earlier, but now with Chrome 58 it does not.

2
Chrome 58 Deprecates Subject CN Matching. Please post the URL you are using to connect to the server, and post the output of openssl s_client -connect <hostname>:<port> -tls1 -servername <hostname> | openssl x509 -text -noout. Do so by adding it to your question by clicking Edit (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. - jww
CN=www.example.com is now officially wrong in Chrome (the standards deprecated it years ago). Hostnames always go in the SAN. If it's present in the CN, then it must be present in the SAN too (you have to list it twice in this case). For more rules and reasons, see How do you sign Certificate Signing Request with your Certification Authority and How to create a self-signed certificate with openssl? You will also need to place the self-signed certificate in the appropriate trust store. - jww
I updated my question. BTW, does SAN stand for Subject Alternative Name? I cannot find that field in my certs, so did I do something wrong? Please help. - PhuTa

2 Answers

1
votes

I found a link here; it mentioned that Chrome blocked access from the web to localhost. Is it the root cause?

0
votes

Windows users, this script will create the certificate with the required SAN: openssl script for Windows at GitHub
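
The SAN requirement raised in the comments above, shown as an added example that is not part of the original posts or the linked GitHub script: a test CA issues a localhost certificate with the hostname in subjectAltName, and a helper checks any certificate for that entry. The file names, subject names, section name `v3_server` and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a localhost certificate with the hostname in the SAN.
# File names and subject names below are assumptions, not from the page.

# make_san_cert DIR: create a test CA and a localhost server cert in DIR.
make_san_cert() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Extensions for the server certificate. Chrome 58+ matches the
    # hostname against subjectAltName only, so it must be listed here.
    cat > "$dir/san.cnf" <<'EOF'
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

    # 1. CA key and self-signed root (the file imported as a trusted root).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Local CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" || return 1

    # 2. Server key and signing request; the CN alone is not enough.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.req" || return 1

    # 3. Sign the request and attach the SAN extension from san.cnf.
    openssl x509 -req -in "$dir/server.req" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions v3_server \
        -out "$dir/server.crt" || return 1
}

# has_san CERT NAME: succeed only if NAME is a DNS entry in CERT's SAN.
has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -Eq "DNS:$2(,|\$)"
}
```

Running `has_san` against an existing certificate shows whether it would fail Chrome 58's hostname check for the same reason as the certificate in the question.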