Re: using kCFStreamPropertySSLSettings for CFStreams on 10.4
- Subject: Re: using kCFStreamPropertySSLSettings for CFStreams on 10.4
- From: Jeremy Wyld <email@hidden>
- Date: Fri, 22 Jul 2005 09:07:51 -0700
On Jul 21, 2005, at 6:59 PM, Greg Robbins wrote:
> I'm using a CFReadStream for an http POST. It works fine, but will
> fail with a server that has an expired certificate; my callback
> gets message kCFStreamEventErrorOccurred with the error -9814,
> errSSLCertExpired.
>
> Tiger offers some properties to work around this, so I'm trying to
> set them:
>
>     sslDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
>                                         &kCFTypeDictionaryKeyCallBacks,
>                                         &kCFTypeDictionaryValueCallBacks);
>     if (sslDict)
>     {
>         CFDictionaryAddValue(sslDict, kCFStreamSSLAllowsExpiredCertificates,
>                              kCFBooleanTrue);
>         CFDictionaryAddValue(sslDict, kCFStreamSSLAllowsExpiredRoots,
>                              kCFBooleanTrue);
>         CFReadStreamSetProperty(m_activeStream,
>                                 kCFStreamPropertySSLSettings,
>                                 sslDict);
>         CFRelease(sslDict);  /* the stream keeps its own reference to the settings */
>     }
>
> This all looks fine.
>
> However, adding that to my active CFReadStream prior to opening the
> stream causes all reads to fail, even non-SSL reads, with my
> callback getting the kCFStreamEventErrorOccurred message and error
> -9800, errSSLProtocol.
The bit about "even non-SSL reads" doesn't make sense. Once you set
the property for SSL, the stream is only SSL. Could it be that the
protocol you are using is not yet ready for SSL? As soon as the
property is set, the stream is talking SSL from that point onward.
If the other side isn't prepared for that situation and it's sending
bytes that are not part of the SSL stream, you'll get the protocol
error.
> Even if I don't add values to the dictionary and use
> CFReadStreamSetProperty to set the ssl settings property to be the
> empty dictionary, I get errSSLProtocol on all attempts to read from
> the stream, even for non-SSL reads.
>
> Is there something else needed to ignore bad SSL certs with
> CFStreams, or is there some example code that shows how to use
> kCFStreamPropertySSLSettings?
>
> Are there other ways under Panther or Tiger to do SSL network
> operations on servers with bad certificates without dropping down
> to sockets for the networking?
You can always use SecureTransport directly. To use it, you simply
provide I/O functions and perform a few calls. It makes SSL rather
easy.
jeremy
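Added example (not code from this thread, from Greg's project, or from Apple's documentation) of the point made above: kCFStreamPropertySSLSettings has to be applied before the stream is opened, and from then on the stream speaks only SSL, so pointing it at a plain-text port produces errSSLProtocol. The host www.example.com, the ports, the HEAD request and the helper names are assumptions for illustration. The `relaxed` flag reproduces the expired-certificate workaround from the question; the default path keeps chain validation and sets kCFStreamSSLPeerName, which is what you want outside a test rig, because accepting expired certificates and roots discards exactly the check that failed.

```objective-c
// Added example, not from the thread. Opens a CoreFoundation socket stream
// pair, switches it to SSL with kCFStreamPropertySSLSettings BEFORE opening,
// and classifies the resulting CFStreamError. Host and ports are assumed.
// Build on macOS: clang -framework CoreFoundation -framework CFNetwork -framework Security ssl_stream.m
#import <CoreFoundation/CoreFoundation.h>
#import <CFNetwork/CFNetwork.h>        // kCFStreamPropertySSLSettings etc. (CoreServices on 10.4)
#import <Security/SecureTransport.h>   // errSSLProtocol, errSSLCertExpired, errSSLXCertChainInvalid
#include <stdio.h>

typedef struct {
    Boolean ok;
    CFIndex domain;   // CFStreamError.domain, e.g. kCFStreamErrorDomainSSL
    SInt32  code;     // SecureTransport OSStatus when domain is SSL
} FetchResult;

// relaxed == false: validate the chain normally and check the peer name.
// relaxed == true: reproduce the thread's workaround (expired leaf and
// expired root accepted); an expired-cert failure becomes a silent success.
static CFDictionaryRef CreateSSLSettings(CFStringRef peerName, Boolean relaxed)
{
    CFMutableDictionaryRef d = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFDictionarySetValue(d, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
    CFDictionarySetValue(d, kCFStreamSSLPeerName, peerName);   // name the cert must match
    if (relaxed) {
        CFDictionarySetValue(d, kCFStreamSSLAllowsExpiredCertificates, kCFBooleanTrue);
        CFDictionarySetValue(d, kCFStreamSSLAllowsExpiredRoots, kCFBooleanTrue);
    }
    return d;
}

// Connect, optionally enable SSL, send one HEAD request, read the first bytes.
// The handshake runs on the first write/read, so that is where SSL errors surface.
static FetchResult Fetch(const char *host, UInt32 port, Boolean useSSL, Boolean relaxed)
{
    FetchResult r = { false, 0, 0 };
    CFStringRef cfHost = CFStringCreateWithCString(kCFAllocatorDefault, host, kCFStringEncodingUTF8);
    CFReadStreamRef rs = NULL;
    CFWriteStreamRef ws = NULL;
    CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, cfHost, port, &rs, &ws);
    if (rs == NULL || ws == NULL) { CFRelease(cfHost); return r; }

    if (useSSL) {
        // Must be set before Open: from here on the stream only speaks SSL.
        // Against a plain-text port this yields errSSLProtocol (-9800).
        CFDictionaryRef ssl = CreateSSLSettings(cfHost, relaxed);
        CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings, ssl);
        CFWriteStreamSetProperty(ws, kCFStreamPropertySSLSettings, ssl);
        CFRelease(ssl);   // the stream retains its own copy
    }
    CFRelease(cfHost);

    CFStreamError e = { 0, 0 };
    if (!CFReadStreamOpen(rs) || !CFWriteStreamOpen(ws)) { e = CFReadStreamGetError(rs); goto done; }

    char req[256];   // constructed request; any bytes trigger the handshake
    int n = snprintf(req, sizeof req, "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n", host);
    if (CFWriteStreamWrite(ws, (const UInt8 *)req, n) != n) { e = CFWriteStreamGetError(ws); goto done; }

    UInt8 buf[512];
    CFIndex got = CFReadStreamRead(rs, buf, sizeof buf);   // blocks: not scheduled on a run loop
    if (got < 0) e = CFReadStreamGetError(rs);
    else         r.ok = true;

done:
    r.domain = e.domain;
    r.code   = e.error;
    CFReadStreamClose(rs);  CFWriteStreamClose(ws);
    CFRelease(rs);          CFRelease(ws);
    return r;
}

// Turn the error into an actionable message instead of blanket-disabling checks.
static const char *Describe(FetchResult r)
{
    if (r.ok) return "ok";
    if (r.domain != kCFStreamErrorDomainSSL) return "stream/socket error (not SSL)";
    switch (r.code) {
    case errSSLProtocol:          return "errSSLProtocol: peer is not speaking SSL on this port";
    case errSSLCertExpired:       return "errSSLCertExpired: fix the server cert; do not allow expired certs globally";
    case errSSLXCertChainInvalid: return "errSSLXCertChainInvalid: self-signed or unknown root";
    default:                      return "other SecureTransport error";
    }
}

int main(void)
{
    // Assumed host: 443 should succeed; 80 with SSL enabled reproduces errSSLProtocol.
    FetchResult good = Fetch("www.example.com", 443, true, false);
    FetchResult bad  = Fetch("www.example.com", 80,  true, false);
    printf("443+SSL: %s (domain %ld, code %d)\n", Describe(good), (long)good.domain, (int)good.code);
    printf(" 80+SSL: %s (domain %ld, code %d)\n", Describe(bad),  (long)bad.domain,  (int)bad.code);
    return 0;
}
```

The example uses a raw socket stream pair rather than CFReadStreamCreateForHTTPRequest so the handshake and the error path are visible; the same property and the same before-open rule apply to the HTTP stream in the question. The kCFStreamSSLAllows* keys are deprecated on current macOS but still declared, so the file compiles there; on 10.4 the CFNetwork headers come from CoreServices.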
Macnetworkprog mailing list (email@hidden)