Re: Newbie SSL Question.
- Subject: Re: Newbie SSL Question.
- From: Wade Tregaskis <email@hidden>
- Date: Mon, 29 Mar 2004 19:01:21 +1000

> This is a very simple question, I'm sure, but do the SecureTransport
> APIs have server-side functionality built in, or is it just
> client-side?

Yes. In fact, until Panther I'm not sure the code to authenticate
clients was actually implemented (it may not be even now, although I
think I read somewhere it's at least mostly done).

> I am trying to make a Cocoa class that uses SSL to securely transmit
> via a CFWriteStream and a CFReadStream. I open both an instance of
> each class, set up an SSL context for each end with one as server, one
> as a client, set up the I/O functions, and call SSLHandshake()
> client-side. The client gives up looking for data after two or three
> attempts, returning -9800, a protocol error. (For a while I tried
> calling SSLHandshake() server-side, too. I think this is not the
> idea...)

You will need to call SSLHandshake at both ends, until it returns 0 (as
opposed to an error or handshake incomplete).
Your server needs to have an identity set for it, which you haven't
mentioned above. That's probably why it's not working.

> What I'm massively confused by is the fact that SSLNewContext() takes
> a Boolean value isServer as its first argument, but I have no idea how to
> use the API server-side. I'm assuming the functionality is there? Do I
> have to fetch a certificate from the user's keychain and send it back
> manually to finish the handshake?

Not manually - there's a method or function somewhere or other to set
a server connection's identity (certificate + private key). You'll
need to use that.

> It doesn't matter that any certificate be verified by a third party: I
> just need the data encrypted so that it cannot be intercepted in
> between. Is there any way to use the SecureTransport API to accomplish
> this, or am I missing the point?

You can do this - provided the certificate you provide from your server
can be trusted by the client (i.e. you'll have to either use a trusted
CA-signed certificate for your server, or add your server's certificate
issuer to the client's list of trusted roots - this can be done
globally or on a per-connection basis; you'll probably want the latter).
I think in Panther there is support for Diffie-Hellman (or whatever)
key exchange, i.e. anonymous key exchange not requiring much in the way
of pre-configured certs & trust. But I haven't investigated this
myself yet; under 10.2 you had to manage all the trust issues yourself.
Wade Tregaskis
-- Sed quis custodiet ipsos custodes?
P.S. This sort of question is better suited for the Apple CDSA mailing
list, where Apple's security developers hang out. If my reply isn't
satisfactory, you can try posting there. But check the list archives
first - I'm pretty sure I've seen this sort of question before.
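
The server-side setup described in this reply, as an added example that is not part of the original thread or Apple's sample code: SSLSetCertificate is the SecureTransport call that sets a context's identity, and SSLHandshake is repeated on each end until it returns 0. RunHandshake and the two socket callbacks are hypothetical names, and the code assumes a connected blocking socket and a SecIdentityRef the caller has already obtained from a keychain; Apple has since deprecated these calls.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/SecureTransport.h>
#import <unistd.h>
#import <errno.h>

// Assumption: the SSLConnectionRef carries the fd of a connected, blocking socket.
static OSStatus SockRead(SSLConnectionRef conn, void *buf, size_t *len) {
    size_t want = *len, got = 0;
    while (got < want) {
        ssize_t n = read((int)(intptr_t)conn, (char *)buf + got, want - got);
        if (n > 0) { got += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        *len = got;                        // report the partial count on failure
        if (n == 0) return errSSLClosedGraceful;
        return (errno == EAGAIN) ? errSSLWouldBlock : errSSLClosedAbort;
    }
    return noErr;
}

static OSStatus SockWrite(SSLConnectionRef conn, const void *buf, size_t *len) {
    size_t want = *len, sent = 0;
    while (sent < want) {
        ssize_t n = write((int)(intptr_t)conn, (const char *)buf + sent, want - sent);
        if (n > 0) { sent += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        *len = sent;
        return (n < 0 && errno == EAGAIN) ? errSSLWouldBlock : errSSLClosedAbort;
    }
    return noErr;
}

// Hypothetical helper, called once on each end; the server must pass its identity.
OSStatus RunHandshake(Boolean isServer, int fd, SecIdentityRef identity,
                      SSLContextRef *outCtx) {
    SSLContextRef ctx = NULL;
    OSStatus err = SSLNewContext(isServer, &ctx);
    if (err == noErr) err = SSLSetIOFuncs(ctx, SockRead, SockWrite);
    if (err == noErr) err = SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)fd);
    if (err == noErr && isServer && identity == NULL) err = errSecParam;
    if (err == noErr && isServer)          // element 0 must be the SecIdentityRef
        err = SSLSetCertificate(ctx, (__bridge CFArrayRef)@[(__bridge id)identity]);
    // errSSLWouldBlock means "not finished, call again"; 0 means handshake complete.
    if (err == noErr) do { err = SSLHandshake(ctx); } while (err == errSSLWouldBlock);
    if (err != noErr && ctx != NULL) { SSLDisposeContext(ctx); ctx = NULL; }
    *outCtx = ctx;
    return err;
}
```

With non-blocking sockets the retry loop should wait for the descriptor to become readable or writable before calling SSLHandshake again instead of spinning.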