Re: SSL and manual peer-name validation
- Subject: Re: SSL and manual peer-name validation
- From: Jens Alfke <email@hidden>
- Date: Fri, 14 Nov 2008 14:36:24 -0800
[+macnetworkprog, -apple-cdsa]
As part of some SSL validity checking, I want to get the
SecureTransport handle, or its SecTrustRef, from a CFStream. But I
don't see any public API for doing so. Is there any way?
My current workaround is to get the SecCertificateRefs, which there is
API for, and then use CDSA calls to grope through the X509 structures.
It's messy and discouraged (see below).
—Jens
On Nov 14, 2008, at 2:07 PM, Perry The Cynic wrote:

> On Nov 14, 2008, at 1:28 PM, Jens Alfke wrote:
>
>> I'm modifying some open-source code that makes SSL connections
>> using CFStream. I need to get this code to accept more than one
>> valid peer name in the server's cert. Unfortunately the
>> kCFStreamSSLPeerName property only allows me to specify a single
>> name.
>>
>> The way I'm working around this is to not set that property, but
>> instead wait till the SSL handshake succeeds, and then extract the
>> subject name from the peer cert and manually compare it against the
>> valid names.
>
> The canonical Mac Way to do this is to extract the SecTrustRef from
> the SecureTransport handle (which you got from the stream,
> presumably) and then run suitable validations directly on the
> SecTrustRef.
>
>> I'd like to make sure that I'm getting the subject name correctly.
>> The code I've written is below: the key part is the
>> getCertNameString function, which is passed the subject name (from
>> SecCertificateGetSubject) and returns the actual common name as an
>> NSString.
>
> The official algorithm is "interesting" in a lot of ways, and I
> don't advise you trying to duplicate it. You're much better off
> trying one name at a time, using the normal validation path.
>
> Cheers
> -- perry
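The approach Perry recommends above, evaluating the peer's SecTrustRef once per acceptable name through the normal SSL policy instead of hand-parsing the subject, as an added example that is not code from this thread or from the project Jens was modifying. It assumes macOS 10.6 or later, where CFStream exposes the peer SecTrustRef as kCFStreamPropertySSLPeerTrust and SecPolicyCreateSSL builds a per-hostname SSL server policy (both were added after this 2008 thread; on 10.5 the equivalent needs the CDSA policy calls Perry discourages), manual retain/release, and that PeerTrustedForAnyHostname and ConfigureStreamForManualNameCheck are names chosen here:

```objective-c
// Added example, not code from the thread. Assumes macOS 10.6 or later
// (kCFStreamPropertySSLPeerTrust, SecPolicyCreateSSL) and manual
// retain/release. PeerTrustedForAnyHostname must be called only after the
// SSL handshake has completed (e.g. once the stream reports bytes available).
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <Security/Security.h>

// Returns YES if the certificate chain presented on `stream` is trusted for at
// least one name in `hostnames`. Each name is tried separately with the system
// SSL server policy, so SAN vs. CN precedence and wildcard rules are left to
// the platform rather than reimplemented.
static BOOL PeerTrustedForAnyHostname(CFReadStreamRef stream, NSArray *hostnames)
{
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(stream,
                                                   kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) {
        return NO;   // no handshake yet, or the stream is not TLS
    }

    BOOL trusted = NO;
    for (NSString *host in hostnames) {
        // One name at a time: a fresh SSL policy bound to exactly this hostname.
        SecPolicyRef policy = SecPolicyCreateSSL(true, (CFStringRef)host);
        if (policy == NULL) continue;
        OSStatus err = SecTrustSetPolicies(trust, policy);
        CFRelease(policy);
        if (err != errSecSuccess) continue;

        SecTrustResultType result = kSecTrustResultInvalid;
        err = SecTrustEvaluate(trust, &result);
        // Only Unspecified and Proceed mean "chain valid and name matched".
        // A hostname mismatch comes back as RecoverableTrustFailure, which
        // must not be treated as success.
        if (err == errSecSuccess &&
            (result == kSecTrustResultUnspecified ||
             result == kSecTrustResultProceed)) {
            trusted = YES;
            break;
        }
    }
    CFRelease(trust);
    return trusted;
}

// Stream setup that turns off only the built-in single-name check (assumed
// usage). Chain validation (kCFStreamSSLValidatesCertificateChain) stays at
// its default of true; the name check is done afterwards by the function above.
static void ConfigureStreamForManualNameCheck(CFReadStreamRef stream)
{
    CFStringRef keys[]   = { kCFStreamSSLLevel, kCFStreamSSLPeerName };
    CFTypeRef   values[] = { kCFStreamSocketSecurityLevelNegotiatedSSL, kCFNull };
    CFDictionaryRef settings = CFDictionaryCreate(kCFAllocatorDefault,
        (const void **)keys, (const void **)values, 2,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    // kCFNull for kCFStreamSSLPeerName disables the stream's own peer-name
    // comparison; leaving the key out would default it to the connect hostname.
    CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings, settings);
    CFRelease(settings);
}
```

Two points worth keeping when adapting this: the evaluation has to be redone per name (SecTrustSetPolicies replaces the policy, so a trust object evaluated for "a.example" says nothing about "b.example"), and the accept condition is the two-result check above, not merely `err == errSecSuccess`, since SecTrustEvaluate returns errSecSuccess whenever evaluation ran, whether or not the chain was accepted. SecTrustEvaluate was later deprecated in favor of SecTrustEvaluateWithError, which folds the result check into a single Boolean.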
Macnetworkprog mailing list (email@hidden)