I need to disable certificate validation for a WebSocket because I'm using a self-signed certificate.

I found in this question Websocket SSL connection the rejectUnauthorized parameter, but that no longer work. In fact, if you go to Mozilla's documentation, there are only two parameters: URL and protocol version.

In another question or site (don't remember exactly), I found that if I go first to https://server_ip, I would get the prompt about invalid certificate requesting whether I want to proceed or not. Then I could connect using wss://server_ip and it would work, and it does, but that's not usable for my case.

So, I need to disable the certificate validation during the creation of the WebSocket. How can I do that?

The code I'm using for testing is the one at .html. I replaced the websocket = new WebSocket(wsUri); with websocket = new WebSocket(wsUri, {rejectUnauthorized: false}); (during testing, also added the protocolVersion: 8 parameter as in the linked question)

Edit: I need to use self-signed certificates. Let's Encrypt is out of question because it requires a subdomain, and I'd need to manage hundreds to thousands of them then. The application is divided in three parts, that will be deployed to each customer (hundreds of them):

• Management console: using subdomain and a LE certs.
• WebSocket Server 1: need encrypted connection using just the IP
• WebSocket Server 2: need encrypted connection using just the IP

I need to disable certificate validation for a WebSocket because I'm using a self-signed certificate.

I found in this question Websocket SSL connection the rejectUnauthorized parameter, but that no longer work. In fact, if you go to Mozilla's documentation, there are only two parameters: URL and protocol version.

In another question or site (don't remember exactly), I found that if I go first to https://server_ip, I would get the prompt about invalid certificate requesting whether I want to proceed or not. Then I could connect using wss://server_ip and it would work, and it does, but that's not usable for my case.

So, I need to disable the certificate validation during the creation of the WebSocket. How can I do that?

The code I'm using for testing is the one at https://www.websocket/echo.html. I replaced the websocket = new WebSocket(wsUri); with websocket = new WebSocket(wsUri, {rejectUnauthorized: false}); (during testing, also added the protocolVersion: 8 parameter as in the linked question)

Edit: I need to use self-signed certificates. Let's Encrypt is out of question because it requires a subdomain, and I'd need to manage hundreds to thousands of them then. The application is divided in three parts, that will be deployed to each customer (hundreds of them):

• Management console: using subdomain and a LE certs.
• WebSocket Server 1: need encrypted connection using just the IP
• WebSocket Server 2: need encrypted connection using just the IP

• javascript
• websocket

• Are you talking about a one-off on your machine to carry on with your work, or a general way for any visitor to the site? – James Thorpe Commented Jul 7, 2016 at 9:48
• @JamesThorpe general way. The client will download a js that will in the background connect to some Python WebSocket servers – user4093955 Commented Jul 7, 2016 at 9:49
• @TheIllusiveMan I know is has been a while, but have you solved it? – rightaway717 Commented Aug 22, 2022 at 6:57

1 Answer 1

I might arrive late here, but as I was having the same issue and no real answer out there, I turned to read the implementation documentation

Methods

connect(requestUrl, requestedProtocols, [[[origin], headers], requestOptions])

Will establish a connection to the given requestUrl. requestedProtocols indicates a list of multiple subprotocols supported by the client. The remote server will select the best subprotocol that it supports and send that back when establishing the connection. origin is an optional field that can be used in user-agent scenarios to identify the page containing any scripting content that caused the connection to be requested. requestUrl should be a standard websocket url.

headers should be either null or an object specifying additional arbitrary HTTP request headers to send along with the request. This may be used to pass things like access tokens, etc. so that the server can verify authentication/authorization before deciding to accept and open the full WebSocket connection.

requestOptions should be either null or an object specifying additional configuration options to be passed to http.request or https.request. This can be used to pass a custom agent to enable WebSocketClient usage from behind an HTTP or HTTPS proxy server.

origin must be specified if you want to pass headers, and both origin and headers must be specified if you want to pass requestOptions. The origin and headers parameters may be passed as null.

Hence, as the documentation stated, unless you have specific configuration for any of these parameters you should pass null. That solved the maze. It came to be:

var client = new WebSocket();
client.connect(WSSrvUrl, null, null, null, {rejectUnauthorized: false});
//or depending on the implementation you're using (this applies to Nodejs and web browser implementation:
var client = new WebSocket(WSSrvUrl, null, null, null, {rejectUnauthorized: false});

And that's it.

SDG