mtu-most / linear-actuator

Code and model files for open source linear actuator

pump-server rejects browser #5

Closed TermeHansen closed 9 years ago

TermeHansen commented 9 years ago

pump-server rejects any connection from a browser with:

Rejecting (non-TLS?) connection for ('10.1.64.141', 56334): [Errno 1] _ssl.c:504: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

wijnen commented 9 years ago

Thanks for the feedback. What is the address you are connecting to? You need to use https, not http. If you are using that, can you please copy all output of the server from the moment it starts? Did it create keys in ~/.local/share/network/certs/ and .../private/ ?

It is normal that you get a message complaining that the key is not trusted (unless you got it signed by a CA).

TermeHansen commented 9 years ago

Hi Bas

Yes, indeed it worked (after accepting the exception) with https. I understand that it's a good idea in general, especially if contacting the server over the internet, but this small program will be used when you stand next to the server and operate the pump. So can we make it available also without SSL or TLS (this is the part I don't understand fully ;) )?

Regards Rasmus

On 11/13/2014 08:05 PM, Bas Wijnen wrote:

> Thanks for the feedback. What is the address you are connecting to? You need to use https, not http. If you are using that, can you please copy all output of the server from the moment it starts? Did it create keys in ~/.local/share/network/certs/ and .../private/ ?
>
> It is normal that you get a message complaining that the key is not trusted (unless you got it signed by a CA).


wijnen commented 9 years ago

I think connections should be secure by default. There is no benefit to using an unencrypted connection; the lower CPU load is insignificant. I see two ways to use unencrypted connections from localhost, both of which have downsides:

The only problem with the encryption is that you either get a warning that the connection is insecure, which is a bug in the browsers IMO (I mean, how is an untrusted key less secure than no key at all?!) Also, you get the warning only once, so it's not really a problem.

The network module allows the code using it to specify that encryption should not be used (and the websockets module allows passing that argument through). So if you really want to, you can add "tls = False" to the websockets.RPCHttpd call at the end of pump-server. Because of the reasons listed above, I recommend against it, but it can be done. Also, I didn't actually test it, but I think it should work.
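Added example, not part of the thread or of the project's code: the "wrong version number" error reported above is what a TLS stack produces when it reads a plaintext `http://` request as a TLS record header, and this sketch shows how a server could recognise that case from the first bytes and log a clearer message. The function names and sample bytes are hypothetical and constructed for illustration; where such a check would hook into the project's network module is not shown on this page.

```python
import struct

# Request-line prefixes a browser or HTTP client sends in plaintext.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
TLS_HANDSHAKE = 22          # record content type carrying a ClientHello
MAX_RECORD_LEN = 2**14 + 2048


def parse_record_header(data):
    """Read the first 5 bytes the way a TLS stack does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify_first_bytes(data):
    """Return 'http', 'tls' or 'unknown' for the first bytes of a connection."""
    if data.startswith(HTTP_METHODS):
        return "http"
    if len(data) >= 5:
        ctype, (major, _minor), length = parse_record_header(data)
        if ctype == TLS_HANDSHAKE and major == 3 and 0 < length <= MAX_RECORD_LEN:
            return "tls"
    return "unknown"


def describe(data):
    """Build a log message that names the likely cause instead of an SSL errno."""
    kind = classify_first_bytes(data)
    if kind == "http" and len(data) >= 5:
        ctype, (major, minor), _ = parse_record_header(data)
        return ("plaintext HTTP on TLS port (first bytes read as record type %d, "
                "version %d.%d); client should use https://" % (ctype, major, minor))
    return "first bytes look like: " + kind


# Constructed samples: a browser's plaintext request and a TLS ClientHello prefix.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: pump\r\n\r\n"
TLS_SAMPLE = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        print(describe(sample))
```

A server can obtain these bytes without consuming them by calling `recv(5, socket.MSG_PEEK)` on the accepted socket before the TLS handshake starts.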