Allow CLI to connect to custom "insecure" wss endpoints
When testing using the CLI tool, doing things quick'n'dirty for testing purposes is, IMHO, acceptable, as long as it's explicitly stated in the CLI args, for example something like this?

```
python -m websockets --insecure wss://localhost:8085
```

Imagine the following self-signed certificate:

```
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"
```

for this server:
```python
#!/usr/bin/env python
import asyncio
import ssl

from websockets.asyncio.server import serve


async def handler(websocket):
    # Print every message received on this connection.
    while True:
        message = await websocket.recv()
        print(message)


async def main():
    # Server-side TLS context using the self-signed certificate and key.
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ssl_context.load_cert_chain(certfile="cert.pem", keyfile="key.pem")
    async with serve(handler, "localhost", 8085, ssl=ssl_context) as server:
        await asyncio.Future()  # run forever


if __name__ == "__main__":
    asyncio.run(main())
```
I can see where you're coming from, even if I'm not a fan of such flags (mostly because, once it exists, every StackOverflow answer starts recommending it as a blanket solution to everything and it becomes the de facto default, rather than configuring TLS correctly).
An alternative would be to provide a way to configure TLS verification, but that's likely to get complicated quickly. A WEBSOCKETS_CA_BUNDLE env var with the same semantics as REQUESTS_CA_BUNDLE could be a solution.
It's a valid topic but I'm not sure how I want to address it.
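
The two options discussed in this thread, side by side, as an added example that is not code from the websockets project or from either participant. `WEBSOCKETS_CA_BUNDLE` is only the variable proposed in the reply above, not an existing option, and the function names are hypothetical.

```python
import os
import ssl

# Assumption: the env var proposed in the thread; websockets does not read it today.
ENV_VAR = "WEBSOCKETS_CA_BUNDLE"


def verified_context(env=os.environ):
    """Client context that keeps certificate and hostname verification on.

    If ENV_VAR is set, trust only the CA file or directory it names (for
    example the self-signed cert.pem from the issue); otherwise use the
    system trust store.
    """
    bundle = env.get(ENV_VAR)
    if not bundle:
        return ssl.create_default_context()
    if not os.path.exists(bundle):
        # Fail closed: a bad path must not silently weaken verification.
        raise FileNotFoundError(f"{ENV_VAR} points to a missing path: {bundle}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    if os.path.isdir(bundle):
        ctx.load_verify_locations(capath=bundle)
    else:
        ctx.load_verify_locations(cafile=bundle)
    return ctx


def insecure_context():
    """What an --insecure flag would amount to: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarize the two properties that differ between the contexts."""
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("verified:", describe(verified_context()))
    print("insecure:", describe(insecure_context()))
    # Either context would be handed to the client as connect(uri, ssl=ctx).
```

With `WEBSOCKETS_CA_BUNDLE=cert.pem`, the verified context accepts the test server from the issue because its certificate is its own trust anchor and its CN matches `localhost`, while any other certificate is still rejected.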