[Libwebsockets] Same protocol served both with and without SSL

Andy Green andy at warmcat.com
Thu May 12 00:51:43 CEST 2016

On May 12, 2016 5:08:36 AM GMT+08:00, Thomas Spitz <thomas.spitz at hestia-france.com> wrote:
>Hello Andy,
>Is it possible to have a protocol (with a given name) served both with
>and without SSL on the same port (e.g. both on 443)?

It is, but it wrecks any security benefit from ssl, since the client can just choose to not have ssl.  If he did that by accident, or he got man-in-the-middled (which is then possible without needing a cert the client will accept) and falsely assumed his connection was secure, that could be nasty.

>According to what I read, it seems possible with vhost and lws 2.0 but
>2 different protocol names.

That's actually unrelated; the two cases vhosts can do are

1) also have a vhost on :80 that auto-redirects you to :443, optionally along with an STS header telling the client to always use SSL / :443 for that hostname in future, and

2) have multiple vhosts listen on the same port; if all are SSL then the TLS extension SNI is used to select the vhost from the hostname the client used before selecting the session SSL cert / keys (so the correct cert from the right vhost is used to negotiate the session crypto).  If none are SSL then the Host: header from the client selects the vhost.

I.e. it doesn't support directly mixing ssl and non-ssl on the same port via vhosts, because it is very undesirable.

However a while back someone wanted this feature and contributed a patch for it.

To use it, OR the flag LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT into info.options at context creation time.  But be aware this basically makes ssl pointless.


>Thanks a lot for your great support and lib!
>Best regards,

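An added audit helper for the two behaviours discussed in this thread (my own example, not code from the lws project or from the people in this thread): it classifies what a server does when it receives a plaintext HTTP request on its TLS port (the case ALLOW_NON_SSL_ON_SSL_PORT enables), and checks a reply from the :80 vhost for the https redirect and the STS header. The sample replies and the host name example.test are constructed; `probe_plaintext` is meant to be pointed at a server you operate.

```python
import socket

TLS_ALERT_RECORD = 0x15          # first byte of a TLS alert record
HTTPS_REDIRECTS = (301, 302, 307, 308)

def classify_plaintext_reply(reply: bytes) -> str:
    """What did the server do with a *plaintext* HTTP request sent to its TLS port?"""
    if not reply:
        return "closed"              # connection dropped: the port is TLS-only
    if reply[0] == TLS_ALERT_RECORD and reply[1:2] == b"\x03":
        return "tls_only"            # a TLS alert came back: the port is TLS-only
    if reply.startswith(b"HTTP/1."):
        return "plaintext_accepted"  # HTTP in the clear on the TLS port: ssl is optional here
    return "unknown"

def parse_http_head(reply: bytes):
    """Split an HTTP/1.x response into (status code, {lower-cased header: value})."""
    head = reply.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_check(reply: bytes) -> dict:
    """Does a reply redirect to https:// and carry a Strict-Transport-Security max-age?"""
    status, headers = parse_http_head(reply)
    to_https = status in HTTPS_REDIRECTS and headers.get("location", "").lower().startswith("https://")
    max_age = None
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    return {"redirects_to_https": to_https, "sts_max_age": max_age}

def probe_plaintext(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send one plaintext GET to host:port (your own server) and return the raw reply bytes."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return b""

# Constructed sample replies (not captured from a real server):
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x0a"          # fatal alert, unexpected_message
SAMPLE_PLAIN_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
                   b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

If `classify_plaintext_reply(probe_plaintext("your.host"))` returns "plaintext_accepted", the TLS port is serving in the clear, which is exactly the state the reply above warns makes ssl pointless.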