Re: kCFStreamPropertySSLSettings
- Subject: Re: kCFStreamPropertySSLSettings
- From: "Gerriet M. Denkmann" <email@hidden>
- Date: Sun, 24 Jul 2016 13:58:34 +0700
> On 23 Jul 2016, at 06:41, Jens Alfke <email@hidden> wrote:
>
>
>> On Jul 22, 2016, at 2:46 AM, Gerriet M. Denkmann <email@hidden> wrote:
>>
>> When it gets some streams it will show a panel:
>> “MyApp wants to sign using key “something” in your keychain” / “Allow” “Deny”
>
> Presumably this app is either acting as an SSL server, or is sending SSL clients.
It is acting as a server using NSStreams with TLS Security.
> Either of those roles involves signing data using the private key associated with the certificate, to prove you own it. If the app hasn’t previously used that private key, the Keychain will ask your permission to let the app use it. That’s the alert. Then it updates the key’s access control list to remember your app has access. But this access is (usually) invalidated when the app binary is modified, so you’ll (usually) see the alert again if you modify the app and run it again.
This might be a problem: in another app (using another certificate) I once clicked “Always Allow” and have since then rebuilt and modified the server countless times, and never seen this panel again.
>
>> The problem: sometimes I do NOT get this panel, and the app behaves as if I had clicked “Deny”.
>
> Huh. Had you previously denied the alert?
I may have done so once (a long time ago) to see what the result would be. But since then, I always click on “Always Allow”.
> Maybe the security framework hasn’t noticed that the app changed and is still using the old Deny permission set before.
As I said: before 11.6 just quitting and rerunning the app fixed this issue. Now I have to go through some contortions: like running the debug version, then the release version; make some modifications; run it again; until it finally decides to show the magic panel.
>
>> Where is this info: < “MyApp is allowed to use key “something”> stored?
>
> In the Keychain item for that key. You can look at and modify the permissions in the Keychain Access app.
I looked at the certificate in the Keychain Access app: it tells me (under “Trust”) that:
When using this certificate: “Use System Defaults”
all other points: “no value specified”
But I cannot find any mention of which app has been allowed or denied access to this certificate.
Oh, I just found under Keys → Access Control:
“Confirm before allowing access” is checked.
“Always allow access by these applications:” lists:
Application-Group ???
racoon “racoon is used to setup and maintain an IPSec tunnel or transport channel, between two devices, over which network traffic is conveyed securely.” maybe needed - I don’t know
Certificate Assistant.app (twice) looks reasonable (but why twice?)
Mail.app (what has Mail to do with my Streams? This does not look right)
My app several dozen times - hovering over an item one sees the path: DerivedData…Release (several) DerivedData…Debug (some), /Applications (ca. 10)
I copied my app to /tmp and ran it from there. It asked for permission to use the keychain (ok - “Always Allow”).
But I can find no mention of this copy of my app in the Keychain Access app.
Quit/Restart Keychain Access app fixed this.
Then copied my app to /tmp/Test and ran it. It did NOT ask for permission (but works fine).
Removed /tmp/MyApp from the list in Keychain app.
Restarted /tmp/Test/MyApp - now it asks for permission.
Removed all mentions of MyApp from the list in Keychain app (left just one with /Applications).
Started my app - it asked for permission - now Keychain app has two: MyApp (both in /Applications).
Something seems to be messed up.
Thanks for your help!
Kind regards,
Gerriet.
_______________________________________________
Cocoa-dev mailing list (email@hidden)