How to get credentials outside of a demo example

[cBournhonesque]

Hi,

I got a test working where I'm generating self-signed certificates; which I need to include in the client with the server_certificate_hashes option.

But in a real use-case where I deploy my server, how would clients get correct credentials?

[BiagioFesta]

Generally, for PROD environments the server should present a valid (trusted by known CA) certificate and serverCertificateHashes is not required (as client can validate the proper certificate). So PROD environment should rely on PKI mechanisms.

I intend serverCertificateHashes more for Development/Testing environment, also because there are a few constraints on its usage: see requirements here. For instance, the certificate validity period cannot be more than 2 weeks.

---

Having said that, I don't know if you already had a look at wtransport/examples/full.rs.

In that example, the server is also serving the web resources (the client web application), and when the server starts the certificates is injected in the javascript.

• Here the template javascript

• Here where the template is replaced with the hash

With this approach, the web client is "dynamic" and can always be potentially updated by the server itself with its hash.

[cBournhonesque]

Thanks!

• I will check out PKI mechanisms. ("PKI webtransport" doesn't give much info on google unfortunately)
• the example is pretty cool! In my case I'm not sure if the server can also serve the web client, but I like the idea :)

[BiagioFesta]

Sorry, PKI stands for Public Key Infrastructure, it is how generally certificate infrastructure works.

What I meant is: if you have a PROD environment you should rely on good practices like serving a certificate that clients can check against a well-known trusted authority (CA).

There are free solution to sign a certificate, for example: https://letsencrypt.org/

[MOZGIII]

@cBournhonesque consider using xwt-cert-utils if you need this in wasm. wtransport doesn't build in wasm.

@BiagioFesta serverCertificateHashes is absolutely intended for production environments, as they can provide even better transport security by requiring that the server an exact certificate that matches the requested hash. This gives the application a chance to defend against MITM attacks that compromise the Web PKI root certs storage of the client. Those have been quite prominent in the wild lately, and before the serverCertificateHashes capabilities you'd need a native app to defend against those. So, the serverCertificateHashes is very useful as an intended way of running production.