Re: Client-side SSL on iPhone?
- Subject: Re: Client-side SSL on iPhone?
- From: Jens Alfke <email@hidden>
- Date: Sun, 12 Apr 2009 00:13:10 -0700
On Apr 11, 2009, at 5:25 PM, Fritz Anderson wrote:

> Yes, I mean client-side certs. I'm sorry if I wasn't clear. I need to support them for a particular application (the provider wants to be _really_ sure of the authenticity of the client).

There is an (undocumented) CFStream property that you can set to enable client-side cert checking. Since it's not defined in a header, you have to declare it yourself as an extern:

    extern const CFStringRef _kCFStreamPropertySSLClientSideAuthentication; // in CFNetwork

The value for this is an SSLAuthenticate constant wrapped in a CFNumber. IIRC, you set this on the server/listener side, most likely to kAlwaysAuthenticate. This will cause the server to ask the client to send its signature during the negotiation. On the client side, you just have to supply a cert by setting the (documented) kCFStreamSSLCertificates property.

If you want to see code that uses these, take a look at my MYNetwork library. This implements general-purpose Objective-C classes for client and server sockets, including SSL support.
Of course, getting an X.509 client cert on an iPhone is itself a problem. You can't generate one on the device, unfortunately, so you'll have to download an existing one as an encrypted .p12 file and then ask the user for a passphrase to decode it and import it into the keychain. (I'm working on a MYCrypto library for doing this sort of stuff.)
—Jens
Macnetworkprog mailing list (email@hidden)
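
The setup described in the message above, as an added example that is not part of the original post and is not taken from MYNetwork: import a passphrase-protected .p12, offer its identity on the client stream, and ask for a client certificate on the server stream. The helper names are hypothetical, and setting the undocumented property directly on the stream with `CFReadStreamSetProperty` is an assumption based on the post's description.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>
#import <Security/SecureTransport.h>   // SSLAuthenticate, kAlwaysAuthenticate

// Undocumented symbol, declared by hand as the post describes.
extern const CFStringRef _kCFStreamPropertySSLClientSideAuthentication; // in CFNetwork

// Hypothetical helper: decode a .p12 and return its identity (certificate plus
// private key), or NULL on failure. The caller releases the returned identity.
static SecIdentityRef CopyIdentityFromP12(NSData *p12, NSString *passphrase) {
    NSDictionary *opts = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus err = SecPKCS12Import((__bridge CFDataRef)p12,
                                   (__bridge CFDictionaryRef)opts, &items);
    if (err != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return NULL;                    // wrong passphrase or malformed file
    }
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity =
        (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    if (identity) CFRetain(identity);   // keep it alive past the items array
    CFRelease(items);
    return identity;
}

// Hypothetical helper, client side: supply the identity through the documented
// kCFStreamSSLCertificates key. The array's first element is the identity.
static BOOL ConfigureClientStream(CFReadStreamRef stream, SecIdentityRef identity) {
    NSDictionary *ssl = @{ (__bridge id)kCFStreamSSLCertificates :
                               @[ (__bridge id)identity ] };
    return CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings,
                                   (__bridge CFDictionaryRef)ssl);
}

// Hypothetical helper, server side: act as the TLS server with its own
// identity, then request a client certificate during the handshake.
static BOOL ConfigureServerStream(CFReadStreamRef stream, SecIdentityRef serverIdentity) {
    NSDictionary *ssl = @{ (__bridge id)kCFStreamSSLIsServer : @YES,
                           (__bridge id)kCFStreamSSLCertificates :
                               @[ (__bridge id)serverIdentity ] };
    if (!CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings,
                                 (__bridge CFDictionaryRef)ssl))
        return NO;
    // The value is an SSLAuthenticate constant wrapped in a number, per the post.
    NSNumber *mode = [NSNumber numberWithInt:kAlwaysAuthenticate];
    return CFReadStreamSetProperty(stream,
                                   _kCFStreamPropertySSLClientSideAuthentication,
                                   (__bridge CFNumberRef)mode);
}
```

Requesting a certificate only makes the client present one; the server still has to decide whether the presented certificate is one it accepts before treating the peer as authenticated.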