
SSL certs and authentication ... again



I am using AsyncSocket (which is built on top of CFSocket) in my app.

AsyncSocket provides a mechanism for enabling SSL by passing in
appropriate properties (e.g., kCFStreamPropertySocketSecurityLevel and
kCFStreamPropertySSLSettings) to CFReadStreamSetProperty and
CFWriteStreamSetProperty.

This seems to be working - I can see that the stream is encrypted, and
the various SSL cert verification flags mostly seem to work, although
disabling "Allow Expired Certificates" and "Allow Expired Root certs"
doesn't seem to have any effect when my certs are expired.

I have also set it up so that the user can either use a certificate
that I am generating with certtool (and expect - I tried to code up
cert generation, but it was a real struggle) or pick a certificate of
their own from the default keychain.

So far, so good.

I do have one remaining problem - authentication.

I posted on this topic before, and got some useful answers. One
suggestion was to let the user (or app) distribute certs with a chain
of trust, and let these handle authentication. Although users could do
this, it is probably too much to ask of my average end user.

Another suggestion was to use digest auth.

I am in the lucky position of also having a shared secret (a password).

My question is this:

How can I enable digest auth for my connections? I can see lots of
useful looking methods in Open Transport, and somewhere in the docs it
seemed to say that CFSocket and friends were built on top of OT, so
you could drop down into that for lower level control.

I'm guessing that what I need to get is a way to get hold of, or
influence, the underlying SSLContext, but all I can see in CFNetwork
is the CFReadStreamSetProperty stuff.

If I am stuck with the CFNetwork level stuff, is there any good way
for me to handle the auth? In a pinch, I could implement some kind of
challenge response based on the shared secret, but this seems kind of
crazy and error-prone.
Apple-cdsa mailing list      (email@hidden)
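One way to build the shared-secret challenge-response the post mentions, as an added example that is not part of the original post, AsyncSocket or CFNetwork: an HMAC exchange in which both sides prove knowledge of the password-derived key, with fresh nonces against replay, constant-time comparison, and the peer's TLS certificate fingerprint mixed in so the proof is tied to the encrypted session rather than standing alone. The salt, iteration count, role labels and the fingerprint stand-in are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Parameters assumed for this demo (not from the original post).
SALT = b"example-app-salt"   # fixed per-application salt
ITERATIONS = 100_000

def derive_key(password: str) -> bytes:
    """Stretch the shared password into a 32-byte HMAC key (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

def proof(key, role, channel_id, nonce_s, nonce_c) -> bytes:
    """HMAC over a role label, the TLS channel identity and both nonces.
    The role label keeps a reflected server proof from passing as a client
    proof; channel_id (e.g. SHA-256 of the peer's TLS certificate) ties the
    exchange to this TLS session so it cannot be replayed over another."""
    return hmac.new(key, role + channel_id + nonce_s + nonce_c, hashlib.sha256).digest()

def client_response(key, channel_id, nonce_s):
    """Answer the server's nonce with a fresh client nonce and the client proof."""
    nonce_c = secrets.token_bytes(16)
    return nonce_c, proof(key, b"client", channel_id, nonce_s, nonce_c)

def server_verify(key, channel_id, nonce_s, nonce_c, client_proof):
    """Return the server's proof if the client's proof is valid, else None."""
    expected = proof(key, b"client", channel_id, nonce_s, nonce_c)
    if not hmac.compare_digest(expected, client_proof):   # constant-time compare
        return None
    return proof(key, b"server", channel_id, nonce_s, nonce_c)

def client_verify(key, channel_id, nonce_s, nonce_c, server_proof) -> bool:
    expected = proof(key, b"server", channel_id, nonce_s, nonce_c)
    return hmac.compare_digest(expected, server_proof)

def run_handshake(server_key, client_key, client_channel, server_channel=None):
    """Drive both sides in-process; returns (server_accepted, client_accepted)."""
    server_channel = client_channel if server_channel is None else server_channel
    nonce_s = secrets.token_bytes(16)                     # server challenge
    nonce_c, c_proof = client_response(client_key, client_channel, nonce_s)
    s_proof = server_verify(server_key, server_channel, nonce_s, nonce_c, c_proof)
    if s_proof is None:
        return False, False
    return True, client_verify(client_key, client_channel, nonce_s, nonce_c, s_proof)

if __name__ == "__main__":
    key = derive_key("hunter2")
    channel = hashlib.sha256(b"constructed peer certificate DER").digest()  # stand-in
    print(run_handshake(key, key, channel))   # (True, True)
```

On a real connection the channel identity would be taken from the verified peer certificate of the established TLS stream, and the nonces and proofs exchanged over that stream before any application data is trusted.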
