diff --git a/client/snapclient.cpp b/client/snapclient.cpp index 0d5657c6..3297dfe3 100644 --- a/client/snapclient.cpp +++ b/client/snapclient.cpp @@ -153,12 +153,12 @@ int main(int argc, char** argv) auto port_opt = op.add>("p", "port", "(deprecated, use [url]) Server port", 1704, &settings.server.port); op.add>("i", "instance", "Instance id when running multiple instances on the same host", 1, &settings.instance); op.add>("", "hostID", "Unique host id, default is MAC address", "", &settings.host_id); - auto server_cert_opt = - op.add>("", "server-cert", "Verify server with certificate (PEM format)", "default certificates"); op.add>("", "cert", "Client certificate file (PEM format)", settings.server.certificate, &settings.server.certificate); op.add>("", "cert-key", "Client private key file (PEM format)", settings.server.certificate_key, &settings.server.certificate_key); op.add>("", "key-password", "Key password (for encrypted private key)", settings.server.key_password, &settings.server.key_password); + auto server_cert_opt = + op.add>("", "server-cert", "Verify server with CA certificate (PEM format)", "default certificates"); // PCM device specific #if defined(HAS_ALSA) || defined(HAS_PULSE) || defined(HAS_WASAPI) diff --git a/doc/configuration.md b/doc/configuration.md index 510f65e5..1e7a464a 100644 --- a/doc/configuration.md +++ b/doc/configuration.md 
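Review bot: The reworded help text for `--server-cert` (the `server_cert_opt` declaration re-added after `key-password`) still does not say what happens when the option is omitted. The documentation added in this same commit describes server authentication as something enabled by passing `--server-cert=`, which suggests a `wss://` connection made without it accepts any server certificate. If that is the case, the help string should say so, for example `"Verify server with CA certificate (PEM format); if omitted, the server certificate is not verified"`, so users do not assume `wss://` alone authenticates the server. The implicit value `"default certificates"` is a display string standing in for a path, so a one-line comment above the declaration stating what it selects (presumably the system trust store; the handling code is outside this hunk) would help the next reader. `main` starts and ends outside the hunk.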
@@ -329,8 +329,12 @@ Snapserver supports RPC via HTTP(S) and WS(S) as well as audio streaming over WS ### HTTPS +#### Server + For HTTPS/WSS, the paramter `ssl_enabled` must be set to `true` (default: `false`) and the `certificate` and `certificate_key` paramters in the `[ssl]` section must point to a certificate file and key file in PEM format. +If you want only trusted clients being able to connect, the parameter `verify_clients` must be set to `true` and the client CA certificates must be configures as list of `client_cert =` entries. + Some hints on how to create a certificate and a private key are given for instance here: - [Create Root CA (Done once)](https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309) @@ -382,3 +386,11 @@ certificate_key = snapserver.key ``` Install the CA certificate `snapcastCA.crt` on you client's OS or browser. + +#### Client + +To use an SSL connection to the server, the client must use the secure websockets URI: `snapclient [options...] wss://[:port]`. + +To enable server authentication, the server CA certificate can be configured with `--server-cert=`. + +If the server is confgured to authenticate the clients (`verify_clients = true` in `snapserver.conf`), you must configure the client certificate and private key with `--cert=` and `--cert-key=`.