René Martin

Reputation: 518

WebSocket: How does the client get the server guid?

At RFC6455 pages 7 and 8 you can see how the server processes the client's Sec-WebSocket-Key value (concatenating a personal GUID, using SHA1 and returning a base64-coded string).

I guess this is used for security reasons. If the client knew the server's GUID, it could do the same calculation and compare the answer with its own result to identify the server.

But how would the client know the server's GUID? Or is there a whole different reason for this algorithm?

Upvotes: 1

Views: 711

Answers (1)

vtortola

Reputation: 35905

To prove that the handshake was received, the server has to take two pieces of information and combine them to form a response. The first piece of information comes from the |Sec-WebSocket-Key| header field in the client handshake:

    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==

Concretely, if as in the example above, the |Sec-WebSocket-Key| header field had the value "dGhlIHNhbXBsZSBub25jZQ==", the server would concatenate the string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" to form the string "dGhlIHNhbXBsZSBub25jZQ==258EAFA5-E914-47DA-95CA-C5AB0DC85B11". The server would then take the SHA-1 hash of this, giving the value 0xb3 0x7a 0x4f 0x2c 0xc0 0x62 0x4f 0x16 0x90 0xf6 0x46 0x06 0xcf 0x38 0x59 0x45 0xb2 0xbe 0xc4 0xea. This value is then base64-encoded (see Section 4 of [RFC4648]), to give the value "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=". This value would then be echoed in the |Sec-WebSocket-Accept| header field.

The client does not need to know the GUID. This is a mechanism to prevent proxies from reusing WebSocket responses.

https://en.wikipedia.org/wiki/WebSocket#Protocol_handshake

Upvotes: 4
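The computation the answer quotes from RFC 6455, both sides of it, as an added example that is not part of the original answer: the client generates a fresh random Sec-WebSocket-Key, the server derives Sec-WebSocket-Accept from it with the fixed GUID, and the client recomputes the same value to check that the reply was produced for this handshake and is not a stale response replayed from an earlier one. The GUID is the public constant from the RFC; the function names and the "stale proxy" simulation are illustrative assumptions, not any library's API.

```python
import base64
import hashlib
import hmac
import os

# Fixed, public GUID from RFC 6455 section 1.3. It is not a secret: anyone
# (including a proxy) can read it in the RFC, so it provides no authentication.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key() -> str:
    """Client side: 16 random bytes, base64-encoded (RFC 6455 section 4.1)."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def is_valid_client_key(key: str) -> bool:
    """Server side: a well-formed key decodes to exactly 16 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (ValueError, TypeError):
        return False


def compute_accept(sec_websocket_key: str) -> str:
    """Server side: Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_verifies(sec_websocket_key: str, sec_websocket_accept: str) -> bool:
    """Client side: recompute the expected Accept value and compare it."""
    expected = compute_accept(sec_websocket_key)
    # Constant-time compare is not required by the RFC (nothing here is
    # secret), but it is the habit worth keeping for any header comparison.
    return hmac.compare_digest(expected, sec_websocket_accept)


def handshake_demo() -> dict:
    """Simulate a fresh handshake and a stale reply replayed by a caching proxy.

    This is a constructed scenario for illustration, not real network traffic.
    """
    # Handshake 1: the client sends key_1, the server answers correctly.
    key_1 = make_client_key()
    accept_1 = compute_accept(key_1)
    fresh_ok = client_verifies(key_1, accept_1)

    # Handshake 2: a new client key, but a (hypothetical) broken proxy replays
    # the cached response from handshake 1 instead of forwarding the request.
    key_2 = make_client_key()
    stale_ok = client_verifies(key_2, accept_1)

    return {
        "fresh_ok": fresh_ok,   # True: server really processed key_1
        "stale_ok": stale_ok,   # False: cached Accept does not match key_2
    }


if __name__ == "__main__":
    # The RFC's own worked example (section 4.2.2) as a sanity check.
    rfc_key = "dGhlIHNhbXBsZSBub25jZQ=="
    print(compute_accept(rfc_key))   # s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
    print(handshake_demo())
```

Because the GUID is public, a correct Sec-WebSocket-Accept only proves that whatever answered understood the WebSocket handshake for this particular key; it does not prove which server answered. Server identity comes from TLS (wss://), not from this header.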

Related Questions