Re: NSStream SSL Help
- Subject: Re: NSStream SSL Help
- From: Jens Alfke <email@hidden>
- Date: Wed, 5 Mar 2008 16:59:37 -0800
On 5 Mar '08, at 12:24 PM, Eric Scharff wrote:
> This doesn't make sense because TLS shouldn't require host name
> verification anyway, and I'm sure that the server's SSL certificate
> is valid.
The cert does look valid, and matches the domain name, so that doesn't
seem to be the problem.
But host name verification is important — otherwise you don't know
you've connected to the right site. Instead of paypal.com, a poisoned
DNS server might have given you the IP address of shady-operator.com,
which has a valid cert and is running a phishing scam. Without host
verification there'd be no way for the user to tell they weren't at
the real site.
> [fileInStream setProperty:NSStreamSocketSecurityLevelTLSv1
>                    forKey:NSStreamSocketSecurityLevelKey];
> // [fileInStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL forKey:NSStreamSocketSecurityLevelKey];
Are you sure that both of these properties need to be set? Have you
tried one without the other?
—Jens
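
Added example (not part of the original message, and not Apple sample code): one way to keep host name verification on while stating explicitly which name the server certificate must match. The helper name OpenVerifiedTLSStreams is hypothetical; the code assumes ARC and an SDK that provides +getStreamsToHostWithName:port:inputStream:outputStream:.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>

// Hypothetical helper. `expectedHost` must be the name the user or the
// configuration asked for (e.g. typed into the UI), never a name or address
// derived from a DNS answer, since DNS is the part an attacker may control.
static BOOL OpenVerifiedTLSStreams(NSString *expectedHost, NSInteger port,
                                   NSInputStream **inStream,
                                   NSOutputStream **outStream)
{
    NSInputStream *input = nil;
    NSOutputStream *output = nil;
    [NSStream getStreamsToHostWithName:expectedHost
                                  port:port
                           inputStream:&input
                          outputStream:&output];
    if (input == nil || output == nil) {
        return NO;
    }

    NSDictionary *sslSettings = @{
        // Negotiate the protocol version with the server.
        (__bridge id)kCFStreamSSLLevel:
            (__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL,
        // Keep chain validation on: the cert must lead to a trusted root.
        (__bridge id)kCFStreamSSLValidatesCertificateChain: @YES,
        // The certificate must also be issued for this name. A cert that is
        // valid for some other domain fails the handshake here.
        (__bridge id)kCFStreamSSLPeerName: expectedHost,
    };

    // Apply the same settings to both halves of the pair before opening.
    NSString *key = (__bridge NSString *)kCFStreamPropertySSLSettings;
    if (![input setProperty:sslSettings forKey:key] ||
        ![output setProperty:sslSettings forKey:key]) {
        return NO;
    }

    *inStream = input;
    *outStream = output;
    [input open];
    [output open];
    // A chain or host name failure is reported later, during the handshake,
    // as NSStreamEventErrorOccurred; inspect -streamError in the delegate.
    return YES;
}
```

Setting kCFStreamSSLPeerName to kCFNull instead would switch the name check off, which removes the protection against the poisoned-DNS case described above.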
_______________________________________________
Cocoa-dev mailing list (email@hidden)