spesmilo / electrumx

Alternative implementation of spesmilo/electrum-server
MIT License

Allow usage of different SSL certificates on WSS and TLS ports to improve browser support with CA signed certs #123

Open gits7r opened 3 years ago

gits7r commented 3 years ago

Currently, ElectrumX will only ask for a single SSL certificate and KeyFile and use it on both the WSS (secure websocket port) and TLS port.

This is problematic because the majority of the certificates used on the TLS ports are self-signed, and if you use such a certificate on the WSS port that is used in a browser like Firefox, for example, it will complain about it and prefer one signed by a commercial CA or Let's Encrypt.

Switching to just a single CA signed certificate on both WSS and TLS ports will prevent older clients from connecting if they previously connected using the self-signed cert, because they have saved it on disk.

For this reason, we need additional config params:

SSL_CERTFILE = # certificate for TLS port
SSL_KEYFILE = # key file for TLS port

+ WSS_CERTFILE = # certificate for WSS port
+ WSS_KEYFILE = # key file for WSS port

Allowing a CA bundle with intermediate root certificates might also be useful for some use cases.

The same certificate and keyfile can be used on both WSS and TLS ports just as now, and if the WSS* params are not configured, the SSL* params shall be used for the WSS port as well.
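The fallback rule proposed in this issue (WSS_* params override SSL_* params, otherwise the SSL_* pair is reused for the WSS port), written out as an added Python example; this is not ElectrumX's own code, and the file paths in the comments and tests are constructed placeholders. It also rejects a half-configured WSS pair, which would otherwise silently fall back to the self-signed certificate, and shows that a PEM certfile holding the leaf plus intermediates (a CA bundle) is loaded as a chain by `ssl.SSLContext.load_cert_chain`.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, Mapping


@dataclass(frozen=True)
class CertPair:
    certfile: str
    keyfile: str


def resolve_cert_pairs(env: Mapping[str, str]) -> Dict[str, CertPair]:
    """Return {'tls': CertPair, 'wss': CertPair} from environment-style config.

    SSL_CERTFILE/SSL_KEYFILE are required (they serve the TLS port).
    WSS_CERTFILE/WSS_KEYFILE are optional; if both are absent the TLS pair is
    reused for the WSS port, matching the fallback described in the issue.
    """
    tls_cert = env.get("SSL_CERTFILE")
    tls_key = env.get("SSL_KEYFILE")
    if not tls_cert or not tls_key:
        raise ValueError("SSL_CERTFILE and SSL_KEYFILE are required")
    tls = CertPair(tls_cert, tls_key)

    wss_cert = env.get("WSS_CERTFILE")
    wss_key = env.get("WSS_KEYFILE")
    # A cert without its key (or vice versa) is a misconfiguration, not a
    # request to fall back: fail loudly instead of serving the wrong cert.
    if bool(wss_cert) != bool(wss_key):
        raise ValueError("WSS_CERTFILE and WSS_KEYFILE must be set together")
    wss = CertPair(wss_cert, wss_key) if wss_cert else tls
    return {"tls": tls, "wss": wss}


def build_server_context(pair: CertPair) -> ssl.SSLContext:
    """Build a server-side context for one listener from a CertPair.

    The certfile may contain the leaf certificate followed by intermediate CA
    certificates (e.g. a Let's Encrypt fullchain.pem); load_cert_chain reads
    the whole bundle so browsers receive a complete, verifiable chain.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=pair.certfile, keyfile=pair.keyfile)
    return ctx
```

Call `build_server_context(pairs["wss"])` and `build_server_context(pairs["tls"])` separately so each listener gets its own context and the self-signed certificate pinned by older clients keeps working on the TLS port.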