Re: Getting a server to trust the client. (iOS)
- Subject: Re: Getting a server to trust the client. (iOS)
- From: Jens Alfke <email@hidden>
- Date: Mon, 22 Jun 2015 09:24:54 -0700
> On Jun 22, 2015, at 6:43 AM, Alex Zavatone <email@hidden> wrote:
>
> We're all familiar with using an SSL cert to get a client to trust a server, but what we're looking at is getting a server to trust that a trusted client is allowed to access it.
Yup, that’s SSL (or TLS) client certificate authentication. It’s supported, just not commonly used.
What type of network connection do you use? At the HTTP level, your NSURL{Connection/Session} delegate will get an auth challenge and the protection space’s type will be NSURLAuthenticationMethodClientCertificate. At the {NS/CF}Stream level, you need to configure the stream’s TLS settings to specify the client cert to use.
> I was thinking of embedding an SSL cert within the iOS app and validating against that, but I'm sort of lost on a way to start.
This is where things get tricky. You don’t just need a certificate, you also need the private key — since you’re authenticating, you need a secret that you can prove you have. The combination of the two is called an “identity” by the Security framework, and it’s this identity that you specify when you make a client-authenticated SSL connection.
There are two basic paths:
(a) On first launch your app creates a key-pair, puts the public key in a certificate request, and sends that to the server, which signs the cert and sends it back to you. Of course the server has to authenticate your request somehow. Then on subsequent connections the app sends that client cert, and the server checks that its CA signed it.
(b) On first launch your app creates a key-pair, makes a self-signed cert with it, and sends that cert to the server (through some authenticated channel). The server keeps a copy of that cert. Then on subsequent connections the server verifies that your cert is the same one that it’s got on file.
—Jens
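What the NSURLSession side of this looks like in practice, as an added example that is not from Jens's message or from any Apple sample code: a Swift session delegate that answers the NSURLAuthenticationMethodClientCertificate challenge with the app's identity and leaves server-trust evaluation to the system. It assumes the identity (cert plus private key) is already on the device as a PKCS#12 blob, here the hypothetical p12Data and p12Passphrase, which is what either enrolment path above would leave you with.

```swift
import Foundation
import Security

/// Loads a SecIdentity (certificate + private key) from PKCS#12 bytes.
/// Returns nil if the import fails or the blob holds no identity.
func loadIdentity(fromPKCS12 data: Data, passphrase: String) -> SecIdentity? {
    let options: [CFString: Any] = [kSecImportExportPassphrase: passphrase]
    var items: CFArray?
    let status = SecPKCS12Import(data as CFData, options as CFDictionary, &items)
    guard status == errSecSuccess,
          let first = (items as? [[String: Any]])?.first,
          let rawIdentity = first[kSecImportItemIdentity as String] else {
        return nil
    }
    // The dictionary value is a CFTypeRef that is really a SecIdentity.
    return (rawIdentity as! SecIdentity)
}

/// Session delegate: supplies the client identity only for the
/// client-certificate challenge. Every other challenge, including
/// NSURLAuthenticationMethodServerTrust, gets default handling, so the
/// normal validation of the server's certificate is left intact.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    init(identity: SecIdentity) {
        self.identity = identity
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let method = challenge.protectionSpace.authenticationMethod
        guard method == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Attach the leaf certificate alongside the identity so the
        // server sees the cert it either signed (path a) or has on file (path b).
        var certificate: SecCertificate?
        SecIdentityCopyCertificate(identity, &certificate)
        var certs: [Any] = []
        if let certificate = certificate { certs.append(certificate) }
        let credential = URLCredential(identity: identity,
                                       certificates: certs.isEmpty ? nil : certs,
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Usage (assumed: p12Data and p12Passphrase come from the app's enrolment step).
// let identity = loadIdentity(fromPKCS12: p12Data, passphrase: p12Passphrase)!
// let session = URLSession(configuration: .default,
//                          delegate: ClientCertSessionDelegate(identity: identity),
//                          delegateQueue: nil)
```

If the server sends a list of acceptable issuer names, it arrives in challenge.protectionSpace.distinguishedNames; checking your cert's issuer against it before answering avoids a handshake that is bound to fail.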
_______________________________________________
Cocoa-dev mailing list (email@hidden)