Mailing Lists: Apple Mailing Lists

Hi Ken,

  thanks for your response.

On 10/17/05, Ken McLeod <email@hidden> wrote:
>
> On Oct 16, 2005, at 7:57 PM, Martin Redington wrote:
>
> > I have managed to get my app to generate self-signed certs (via
> > certtool and expect), and tcpdump reveals that my traffic is indeed
> > encrypted.
> >
> > I am configuring SSL via CFReadStreamSetProperty and
> > CFWriteStreamSetProperty, with the
> > kCFStreamPropertySocketSecurityLevel and kCFStreamPropertySSLSettings
> > set to appropriate values.
> >
> > I would like the client to use a cert for authentication, and then to
> > retrieve this via kCFStreamPropertySSLPeerCertificates, so that I can
> > check that the cert hasn't changed.
> >
> > I am passing the client cert in as a kCFStreamSSLCertificates entry in
> > the client kCFStreamPropertySSLSettings.
>
> How exactly are you setting this property?

I was passing both the SecIdentityRef, and the corresponding
SecCertificateRef in a CFArray (I didn't realise that the former
encapsulated the latter).

I got the IdentityRef and the CertRef via the appropriate search functions.

I've just changed my code to pass only the SecIdentityRef in the
CFArray, but I get the same result - the traffic seems to be
encrypted, but no peer certs show up on the server.

>
> The kCFStreamSSLCertificates property is a CFArray whose first entry
> (0th element) is a SecIdentityRef object instance ...
>
> A SecIdentityRef is an object which encapsulates both a certificate
> and its associated private key. Currently, the only way to get a
> SecIdentityRef is by performing a search for an existing identity
> (see the functions in <Security/SecIdentitySearch.h> and <Security/
> SecIdentity.h>.) The currently public SecIdentity APIs are a bit
> limited, but you should be able to iterate through the available
> identities and identify the certificate you want to use.

Interestingly, I couldn't work out how to inspect any properties of
the SecIdentityRef (any pointers would be great), but as I only have
one, this isn't critical right now (although might be later).

> Another likely problem is that your self-signed root cert may not be
> trusted on the client side (i.e. if it is not installed in the
> X509Anchors keychain), so is considered invalid for client-side
> authentication purposes. If that's the case, you'll need to either
> copy the cert into the X509Anchors keychain (from a process running
> as root), or else set the kCFStreamSSLAllowsAnyRoot property for this
> stream.

I have kCFStreamSSLAllowsAnyRoot set to kCFBooleanTrue. My ssl
properties are defined as follows:

    // Array holding the SecIdentityRef to present. kCFTypeArrayCallBacks makes
    // the array retain the identity; NULL callbacks would leave it unretained.
    CFArrayRef ca = CFArrayCreate(NULL, (const void **)&identity, 1,
                                  &kCFTypeArrayCallBacks);

    CFBooleanRef isServerRef = isServer ? kCFBooleanTrue : kCFBooleanFalse;

    NSDictionary *sslProperties =
        [NSDictionary dictionaryWithObjectsAndKeys:
            (NSString *)kCFStreamSocketSecurityLevelNegotiatedSSL, kCFStreamSSLLevel,
            kCFBooleanTrue, kCFStreamSSLAllowsAnyRoot,             // accept the self-signed root
            kCFBooleanTrue, kCFStreamSSLValidatesCertificateChain,
            kCFNull, kCFStreamSSLPeerName,                         // no host-name check
            ca, kCFStreamSSLCertificates,                          // identity to present
            isServerRef, kCFStreamSSLIsServer,
            nil];

>
> I'm pretty sure that just setting the kCFStreamSSLCertificates
> property implies that client side authentication should be attempted.
>

Hmmm. I seem to be doing everything properly, but I still get no peer certs :-(

>
> On the server side, you should be able to get the peer certs via
> CFXXXXXStreamCopyProperty(stream,
> kCFStreamPropertySSLPeerCertificates), then perform whatever
> evaluation you want on them. If that isn't working, then the client
> cert probably wasn't sent (due to one of the problems above), and
> your negotiated connection is SSLv3 instead of TLSv1.

I am currently passing kCFStreamSocketSecurityLevelNegotiatedSSL as
the value of kCFStreamSSLLevel and
kCFStreamPropertySocketSecurityLevel.

If I instead pass kCFStreamSocketSecurityLevelTLSv1, will this cause
an error if the peer certs aren't obtained? That would let me confirm
that the peer certs aren't being used.

Alternatively, is there some way to determine what level of security
was negotiated?

   cheers,
              m.
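Added example, not part of the thread above or of Apple's code: a server-side check that does what the original poster is after (compare the client's leaf certificate with a stored copy so a changed cert is rejected) and reads back the negotiated protocol version. It assumes a current macOS Secure Transport stack (10.9 or later, for kCFStreamPropertySSLContext and SecCertificateCopyData); the function name and the pinnedLeafDER parameter are hypothetical.

```objective-c
#import <CoreFoundation/CoreFoundation.h>
#import <Security/Security.h>
#import <Security/SecureTransport.h>

// Hypothetical server-side check written for this example: returns true only
// if the peer presented a certificate whose DER encoding equals pinnedLeafDER.
// On return, *negotiated holds the protocol version the handshake settled on.
static Boolean CheckPeerCertificate(CFReadStreamRef stream,
                                    CFDataRef pinnedLeafDER,
                                    SSLProtocol *negotiated)
{
    // Ask Secure Transport what was actually negotiated (assumed macOS 10.9+).
    // An SSLv3 session would be one explanation for a missing client cert.
    SSLContextRef ctx =
        (SSLContextRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLContext);
    if (ctx != NULL) {
        SSLGetNegotiatedProtocolVersion(ctx, negotiated);
        CFRelease(ctx);
    } else {
        *negotiated = kSSLProtocolUnknown;
    }

    CFArrayRef certs =
        (CFArrayRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLPeerCertificates);
    if (certs == NULL || CFArrayGetCount(certs) == 0) {
        // No client certificate was presented: treat it as an authentication failure.
        if (certs != NULL) CFRelease(certs);
        return false;
    }

    // Element 0 is the peer's own (leaf) certificate. Compare its DER bytes with
    // the pinned copy instead of relying on chain validation alone.
    SecCertificateRef leaf = (SecCertificateRef)CFArrayGetValueAtIndex(certs, 0);
    CFDataRef der = SecCertificateCopyData(leaf);
    Boolean match = (der != NULL) && CFEqual(der, pinnedLeafDER);

    if (der != NULL) CFRelease(der);
    CFRelease(certs);
    return match;
}
```

Run the check once the stream reports kCFStreamEventHasBytesAvailable, since the peer certificates are only available after the handshake completes; on newer systems kCFStreamPropertySSLPeerTrust is the preferred way to obtain the same chain.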
Apple-cdsa mailing list      (email@hidden)


Copyright © 2011 Apple Inc. All rights reserved.