How to establish secure connection from C++

Hi there,

We currently have a C++ project connected to a Crossbar.io server over RAW Socket. I think that back then, when we wrote this, it was only possible to use rawsocket from C++, not the websocket. We had the communication only in a Private Network area behind a firewall.

We now have to open the respective port to the outside, which means we have to make this secure.

What are our options? Is it possible to make a raw socket secure enough to pass enterprise level audits?

Or is it possible by now to switch to wss in C++?

Best regards,

Dieter

Hi,

Hi there,

We currently have a C++ project connected to a Crossbar.io server over RAW

Cool! Would you mind telling us a little bit about the project?

Socket. I think that back then, when we wrote this, it was only possible to
use rawsocket from C++, not the websocket. We had the communication only in
a Private Network area behind a firewall.

We now have to open the respective port to the outside, which means we have
to make this secure.

What are our options? Is it possible to make a raw socket secure enough to

You can run RawSocket transports over TLS on port 443.

That is, you only need to allow outgoing TCP connections in your firewall.

From a security perspective, this is comparable to WebSocket. The security comes from TLS.

Whether that works in your corporate network depends ..

E.g. some companies only allow outgoing HTTP over an enforced Web proxy that will unwrap HTTPS connections; it won't work with RawSocket. But such proxies are basically MITM attack boxes in my view (bad stuff).

pass enterprise level audits?
Or is it possible by now to switch to wss in C++?

Yes, we have a WebSocket transport in AB C++ now too:

https://github.com/crossbario/autobahn-cpp/blob/master/examples/websocket_callee.cpp

This is using

https://github.com/zaphoyd/websocketpp

and that supports secure WebSocket too.

Cheers,
/Tobias

On 14.09.2017 at 09:56, Dieter Morgenroth wrote:

Best regards,
Dieter

The project is a POS system that is running a 3d game engine that communicates using wamp protocol.

You can run RawSocket transports over TLS on port 443.

That is, you only need to allow outgoing TCP connections in your firewall.

From a security perspective, this is comparable to WebSocket. The
security comes from TLS.

Whether that works in your corporate network depends …

Ok, some other clients already use port 443 for wss connections, so I think this option is not possible.

Yes, we have a WebSocket transport in AB C++ now too:

https://github.com/crossbario/autobahn-cpp/blob/master/examples/websocket_callee.cpp

This is using

https://github.com/zaphoyd/websocketpp

and that supports secure WebSocket too.

ok, I will have a look and try if we can connect via wss. This is probably the cleanest way.

Thanks for the info.

Best regards,

Dieter

The project is a POS system that is running a 3d game engine that
communicates using wamp protocol.

Oh, interesting! So the POS system is kinda UI component in an overall system. Cool.

You can run RawSocket transports over TLS on port 443.

That is, you only need to allow outgoing TCP connections in your firewall.

From a security perspective, this is comparable to WebSocket. The
security comes from TLS.

Whether that works in your corporate network depends ..

Ok, some other clients already use port 443 for wss connections, so I think
this option is not possible.

Not sure if I get that.

Say, within the corporate network, there are clients that connect from inside to somewhere outside over wss.

If so, and if you don't have a TLS unwrapping thing in between, which I doubt if these clients are anything but a browser, then you will also be able to connect to the outside over rss, and without disturbing the other wss (non-rss) clients.

Yes, we have a WebSocket transport in AB C++ now too:

https://github.com/crossbario/autobahn-cpp/blob/master/examples/websocket_callee.cpp

This is using

https://github.com/zaphoyd/websocketpp

and that supports secure WebSocket too.

ok, I will have a look and try if we can connect via wss. This is probably
the cleanest way.

Yeah, could be. Is definitely the most corporate network admin compatible ;)

Thanks for the info.

Best regards,
Dieter
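
The RawSocket-over-TLS option discussed in the thread above, written out as a Crossbar.io listening transport. This is an added example, not part of the original posts or of the Crossbar.io project's own files; the plaintext port number and the key and certificate file names are placeholders.

```yaml
# Added example (constructed): fragment of a router worker's "transports"
# list in a Crossbar.io node configuration, YAML form.
# Port 8000 and the *.pem file names are placeholders, not values from the thread.
transports:
  # Before: plaintext RawSocket, as used behind the firewall.
  # Once this port is reachable from outside, WAMP traffic (including any
  # authentication exchange) can be read and modified on the path.
  # - type: rawsocket
  #   endpoint:
  #     type: tcp
  #     port: 8000

  # After: the same RawSocket transport with the TCP endpoint wrapped in TLS.
  # Confidentiality and integrity come from the TLS layer, exactly as they
  # would for wss; the WAMP framing inside the tunnel is unchanged.
  - type: rawsocket
    endpoint:
      type: tcp
      port: 443
      tls:
        key: server_key.pem            # placeholder: server private key
        certificate: server_cert.pem   # placeholder: server certificate
```

The TLS listener only protects the link if the C++ client also validates the server certificate and host name when it connects; a client that skips verification is still exposed to the interception described in the reply about HTTPS-unwrapping proxies.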