Re: SSL and manual peer-name validation


  • Subject: Re: SSL and manual peer-name validation
  • From: Jens Alfke <email@hidden>
  • Date: Fri, 14 Nov 2008 14:36:24 -0800

[+macnetworkprog, -apple-cdsa]

As part of some SSL validity checking, I want to get the SecureTransport handle, or its SecTrustRef, from a CFStream. But I don't see any public API for doing so. Is there any way?

My current workaround is to get the SecCertificateRefs, which there is API for, and then use CDSA calls to grope through the X509 structures. It's messy and discouraged (see below.)

—Jens

On Nov 14, 2008, at 2:07 PM, Perry The Cynic wrote:

> On Nov 14, 2008, at 1:28 PM, Jens Alfke wrote:
>
>> I'm modifying some open-source code that makes SSL connections using CFStream. I need to get this code to accept more than one valid peer name in the server's cert. Unfortunately the kCFStreamSSLPeerName property only allows me to specify a single name.
>>
>> The way I'm working around this is to not set that property, but instead wait till the SSL handshake succeeds, and then extract the subject name from the peer cert and manually compare it against the valid names.
>
> The canonical Mac Way to do this is to extract the SecTrustRef from the SecureTransport handle (which you got from the stream, presumably) and then run suitable validations directly on the SecTrustRef.
>
>> I'd like to make sure that I'm getting the subject name correctly. The code I've written is below: the key part is the getCertNameString function, which is passed the subject name (from SecCertificateGetSubject) and returns the actual common name as an NSString.
>
> The official algorithm is "interesting" in a lot of ways, and I don't advise you trying to duplicate it. You're much better off trying one name at a time, using the normal validation path.
>
> Cheers
>  -- perry
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
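An added example, not code from this thread or from Apple, of the approach Perry describes: take the peer's SecTrustRef from the stream and run the system's normal SSL validation once per acceptable host name, instead of parsing the subject name out of the certificate and matching it by hand. It assumes two APIs that postdate this 2008 exchange (kCFStreamPropertySSLPeerTrust and SecPolicyCreateSSL, both macOS 10.6 onward), and relies on kCFStreamSSLPeerName set to kCFNull turning off the stream's own single-name check. The host, the list of acceptable names and the stream setup are constructed for illustration.

```objective-c
// Added example, not code from this thread or from Apple. Assumes two APIs
// that postdate the 2008 discussion (both macOS 10.6 onward):
// kCFStreamPropertySSLPeerTrust and SecPolicyCreateSSL.
// Build: clang -fobjc-arc -framework Foundation -framework Security
//        -framework CoreServices peername.m -o peername
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CoreServices/CoreServices.h>   /* pulls in CFNetwork's CFStream SSL keys */

/* SSL settings that still validate the certificate chain but turn off the
 * stream's built-in single-name peer check (kCFStreamSSLPeerName = kCFNull),
 * so the name can be checked against several candidates after the handshake.
 * Consequence: nothing may be written to the stream until that manual check
 * has passed. */
static void ConfigureSSLWithoutPeerNameCheck(CFReadStreamRef rs, CFWriteStreamRef ws)
{
    NSDictionary *settings = @{
        (id)kCFStreamSSLLevel:                     (id)kCFStreamSocketSecurityLevelNegotiatedSSL,
        (id)kCFStreamSSLValidatesCertificateChain: @YES,
        (id)kCFStreamSSLPeerName:                  (id)kCFNull,
    };
    CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)settings);
    CFWriteStreamSetProperty(ws, kCFStreamPropertySSLSettings, (__bridge CFDictionaryRef)settings);
}

/* "Try one name at a time, using the normal validation path": re-evaluate the
 * peer's trust object under the system SSL server policy once per acceptable
 * name. Security.framework does the subject / subjectAltName / wildcard
 * matching; nothing here touches the X.509 structures. Returns the first name
 * that validates, or nil. */
static NSString *AcceptedPeerName(SecTrustRef trust, NSArray<NSString *> *acceptableNames)
{
    for (NSString *name in acceptableNames) {
        SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)name);
        if (policy == NULL) continue;

        OSStatus err = SecTrustSetPolicies(trust, policy);   /* replaces the policy set */
        CFRelease(policy);
        if (err != errSecSuccess) continue;

        /* SecTrustEvaluate is deprecated since 10.15 (SecTrustEvaluateWithError
         * replaces it) but is the call available on every release that has
         * SecPolicyCreateSSL. */
        SecTrustResultType result = kSecTrustResultInvalid;
        if (SecTrustEvaluate(trust, &result) != errSecSuccess) continue;

        /* Unspecified: chain and name are valid with no explicit user setting.
         * Proceed: the user has explicitly trusted it. Everything else fails. */
        if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
            return name;
        }
    }
    return nil;   /* fail closed: no candidate name validated */
}

/* Fetch the SecTrustRef the stream built during the handshake and validate it
 * against our list. The property is only populated once the handshake has
 * completed, so a NULL trust (not yet handshaken, or not an SSL stream) is
 * treated as failure. */
static BOOL StreamPeerIsAcceptable(CFReadStreamRef rs, NSArray<NSString *> *acceptableNames)
{
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(rs, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) return NO;
    NSString *matched = AcceptedPeerName(trust, acceptableNames);
    CFRelease(trust);
    return matched != nil;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        /* Host and acceptable names are constructed for illustration. */
        NSString *host = argc > 1 ? @(argv[1]) : @"www.example.com";
        NSArray<NSString *> *names = @[ host, @"example.com" ];

        CFReadStreamRef rs = NULL; CFWriteStreamRef ws = NULL;
        CFStreamCreatePairWithSocketToHost(NULL, (__bridge CFStringRef)host, 443, &rs, &ws);
        ConfigureSSLWithoutPeerNameCheck(rs, ws);
        CFReadStreamScheduleWithRunLoop(rs, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
        CFReadStreamOpen(rs);
        CFWriteStreamOpen(ws);

        /* A real client would drive this from stream events; polling the
         * status on the run loop keeps the example short. */
        while (CFReadStreamGetStatus(rs) == kCFStreamStatusOpening) {
            CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, true);
        }
        BOOL ok = StreamPeerIsAcceptable(rs, names);
        printf("%s: peer %s\n", host.UTF8String, ok ? "accepted" : "REJECTED, not sending data");
        /* Only after ok == YES is it safe to write application data to ws. */

        CFReadStreamClose(rs); CFWriteStreamClose(ws);
        CFRelease(rs); CFRelease(ws);
        return ok ? 0 : 1;
    }
}
```

Each call to SecTrustSetPolicies discards the previous evaluation, so the loop genuinely re-runs the full chain-plus-name validation per candidate rather than reusing a cached verdict. The cost of this design is the disabled stream-level name check: the application is now the only thing standing between a mismatched certificate and its own data, so the check has to run before the first write, not lazily on the first read.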