Websockets and the PrivX Carrier browser

PrivX web containers are used for accessing HTTP or HTTPS sites via PrivX role-based access control.
PrivX can be used to automatically provide authentication for the sites and/or to record the web sessions.

If your site uses an official CA-signed certificate, secure web sockets are supported automatically. If you are using self-signed or company-CA-signed certificates, or old ciphers, please continue reading.

Note

These instructions apply to PrivX 13 onwards. PrivX 11 and 12 have limited web socket support; please upgrade to the latest version to use this feature properly.

PrivX web containers use Squid for proxying HTTPS traffic. Squid does not natively support web sockets, but the version installed on the PrivX Web Proxy host has been configured to tunnel CONNECT requests for secure web sockets automatically.

PrivX Carrier uses ports 18080 and 18443 to proxy HTTP and HTTPS traffic via the PrivX Web Proxy host.
Port 18444 is used for tunneling web socket traffic.

Trusting self-signed certificates

By default, the PrivX Web Container trusts only official CA-signed certificates. For company-signed or self-signed certificates, a SEC_ERROR_UNTRUSTED_ISSUER warning is shown to the user; by default, the user can bypass this warning.
For web sites using official certificates (trusted by both the PrivX Web Proxy host and the Firefox browser), no certificate configuration is necessary.

Connecting to self-signed or company CA signed website with HTTPS

To avoid security warnings for regular HTTPS traffic, copy your CA bundle of trusted certificates to the /etc/pki/ca-trust/source/anchors/ directory on the PrivX Web Proxy host and run "update-ca-trust extract". After this, run "service squid restart".

This also works for intermediate certificates. Alternatively, the required intermediate certificate chains can be put in a separate file and the following line added to the Squid config:

sslproxy_foreign_intermediate_certs /etc/squid/extra-intermediate-CA.pem

Note that these certificates are not treated as trusted root certificates, and any self-signed certificate in this file will be ignored.

Alternatively, you can add the trusted CA certificate to Squid with the cafile=/etc/squid/cafile.pem attribute of tls_outgoing_options in squid.conf.

The above configuration works for HTTPS traffic, but it has no effect on wss:// web socket traffic. Firefox displays no warnings or error dialogs for self-signed certificates; the web socket requests simply fail with SEC_ERROR_UNTRUSTED_ISSUER on the dev tools Network tab.
If your web site uses secure web socket traffic, please read the next section.

Configuring web socket certificates with Carrier config

As secure web sockets are tunneled through Squid, the web socket site certificates are never visible to the Web Proxy host, so having the CA certificate in the system trust anchors is not sufficient. Instead, the Firefox browser must be made aware of the trust chain.
To get WSS requests to work with non-trusted certificates, the signing CA certificate chain must be added to the Carrier configuration file.

To make the PrivX web container work, set your trusted CA and intermediate certificates in the TRUSTED_CA_CRT variable in the [web_container] section of the PrivX Carrier configuration file, /opt/privx/etc/carrier-config.toml, on the Carrier host.
After changing the certificates in the Carrier config, restart the Carrier service.

If using self-signed certificates, the certificate must fulfill the following requirements:

  • The web site certificate must not itself be a CA certificate, but it must be signed by one.
  • The CA certificate must be trusted by the web proxy host OS (for HTTPS) and by Carrier (for WSS).
  • Certificate validity must be less than 398 days (https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/).
  • The web site hostname must match the contents of the site certificate's Subject Alternative Name field.
  • The connection must use valid cipher suites and TLS protocol versions. For example, SSLv3, TLS 1.0 and TLS 1.1 are disabled by default in the Squid config. Enabling them is NOT recommended, but it might be necessary for some older routers.
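As an added example (not part of the PrivX documentation or product), the following POSIX shell function checks a site certificate file against the certificate requirements above before it is put in front of PrivX. It assumes openssl 1.1.1 or later (for -ext) and GNU date; the function name, file names and hostname are assumptions. The cipher suite and TLS version requirement depends on the live server, so it is not covered here.

```shell
#!/bin/sh
# Added example, not PrivX code. Checks a PEM site certificate against the
# requirements listed above. Assumes openssl >= 1.1.1 (for -ext) and GNU date.
# Usage: check_site_cert <hostname> <site-cert.pem> <ca-chain.pem>
# Prints one line per failed requirement; returns 0 only if all pass.
check_site_cert() {
  host="$1"; cert="$2"; chain="$3"; rc=0

  # The site certificate must not itself be a CA certificate.
  if openssl x509 -in "$cert" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "FAIL: site certificate is a CA certificate"; rc=1
  fi

  # It must be signed by the CA chain the proxy host OS and Carrier will trust.
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not verify against the CA chain"; rc=1
  fi

  # Validity period (notAfter - notBefore) must be under 398 days.
  nb=$(date -u -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
  days=$(( (na - nb) / 86400 ))
  if [ "$days" -ge 398 ]; then
    echo "FAIL: validity is $days days (must be under 398)"; rc=1
  fi

  # The hostname must appear as a DNS entry in the Subject Alternative Name
  # (exact match only; wildcard names are not handled here).
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
       | tail -n +2 | tr -d ' ' | tr ',' '\n' | grep -Fqx "DNS:$host"; then
    echo "FAIL: $host is not in the Subject Alternative Name"; rc=1
  fi

  return "$rc"
}
```

A certificate produced with a bare "openssl req -x509" fails the first check, because that command creates a CA certificate, which is the most common reason a self-signed site certificate is rejected.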
