Re: CFNetwork and SSL Certificate Exceptions
Re: CFNetwork and SSL Certificate Exceptions
- Subject: Re: CFNetwork and SSL Certificate Exceptions
- From: Rich Siegel <email@hidden>
- Date: Mon, 12 Sep 2005 14:49:11 -0400
On 9/12/05 at 10:37 AM, Becky Willrich <email@hidden> wrote:
> > 1) From my (admittedly limited) exploration, it looks like
> > CFNetwork doesn't have any support for presenting a standard UI for
> > asking the user how to resolve certificate exceptions. (The
> > observed divergence in behavior between Apple Mail and Safari seems
> > to bear this out.) Is that correct, or have I missed something?
>
> That's correct; you haven't missed anything.
That's unfortunate, but I guess it's no worse than what I had before in
that respect.
In terms of presenting some basic certificate display, there appears to
be an NSCertificateView or something of that sort, which I think might
be what Safari uses, but there's nothing equivalent for Carbon that I
can find. Is that correct?
Basically, what I'm thinking of doing is, in the case of an untrusted or
expired root, remembering the root certificate's fingerprint in the
user's preferences rather than asking them every time. Unfortunately, I
can't find any APIs for digging into certificates - it looks like the
trail ends at SecCertificateRef.
Another possibility would be to, at the user's request, add the
certificate in question to the user's keychain. I've got no idea where
to start there, though.
Do either of these seem like reasonable strategies? If so, do you have
any suggestions on where to go to find user-displayable properties of
certificates?
> > 2) Since kCFStreamPropertySSLSettings is only supported on 10.4
> > and later, this tells me that I need to hand-roll my own SSL code
> > using Secure Transport, because my app needs to run on pre-10.4
> > systems (10.3.9, to be exact). This isn't the end of the world,
> > because I've done it once before, but I'm hoping that I can avoid
> > having to do it again. Is there a supported way to manage SSL
> > handshake options for a CFStream on 10.3.x?
>
> There is an older (less complete) API supported on 10.3.x; look in
> the headers for kCFStreamPropertySocketSecurityLevel. That will
> allow you to turn on SSL, but will not give you the configurability
> you can get with kCFStreamPropertySSLSettings.
That indeed appears to be the case. What I ended up doing was bringing
over my Secure Transport code and adapting it to work with basic
synchronous CFNetwork streams; this lets me do all of the SSL
certificate exception management myself, and works on 10.3.x and 10.4.x
as well.
Thanks again for the assist,
R.
--
Rich Siegel Bare Bones Software, Inc.
<email@hidden> <http://www.barebones.com/>
Someday I'll look back on all this and laugh... until they sedate me.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden