Re: Client-side SSL on iPhone?

  • Subject: Re: Client-side SSL on iPhone?
  • From: Fritz Anderson <email@hidden>
  • Date: Sun, 12 Apr 2009 11:29:09 -0500

On 12 Apr 2009, at 2:13 AM, Jens Alfke wrote:

> There is an (undocumented) CFStream property that you can set to enable client-side cert checking. Since it's not defined in a header, you have to declare it yourself as an extern:
>
>     extern const CFStringRef _kCFStreamPropertySSLClientSideAuthentication; // in CFNetwork
>
> The value for this is an SSLAuthenticate constant wrapped in a CFNumber. IIRC, you set this on the server/listener side, most likely to kAlwaysAuthenticate. This will cause the server to ask the client to send its signature during the negotiation. On the client side, you just have to supply a cert by setting the (documented) kCFStreamSSLCertificates property.
>
> If you want to see code that uses these, take a look at my MYNetwork library. This implements general-purpose Objective-C classes for client and server sockets, including SSL support.
>
> Of course, getting an X.509 client cert on an iPhone is itself a problem. You can't generate one on the device, unfortunately, so you'll have to download an existing one as an encrypted .p12 file and then ask the user for a passphrase to decode it and import it into the keychain. (I'm working on a MYCrypto library for doing this sort of stuff.)

This is most informative. Thank you very much for all the help.

To clarify — is the undocumented property to be set on the server? So if I'm just writing a client, I don't have to worry about it? And in the client, responding by presenting the certificate comes for free (net of installing it), just by being present on the Keychain?

By the way — are client-side certs valid only for a particular IP/DNS address? Or are they basically expensive passwords?

— F
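
The client-side steps from the quoted message (decode a .p12 with the user's passphrase, then supply the identity through kCFStreamSSLCertificates), as an added example that is not part of the original post or of MYNetwork. The helper names are hypothetical, and the identity is used directly here rather than being stored in the keychain.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Hypothetical helper: decode PKCS#12 data with the user's passphrase and
// return the first identity (certificate + private key), retained for the
// caller, or NULL if the passphrase is wrong or the file holds no identity.
static SecIdentityRef CopyIdentityFromP12(CFDataRef p12, CFStringRef passphrase)
{
    const void *keys[] = { kSecImportExportPassphrase };
    const void *vals[] = { passphrase };
    CFDictionaryRef opts = CFDictionaryCreate(NULL, keys, vals, 1,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFArrayRef items = NULL;
    OSStatus err = SecPKCS12Import(p12, opts, &items);
    CFRelease(opts);

    SecIdentityRef identity = NULL;
    if (err == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
        CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
        identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
        if (identity != NULL) CFRetain(identity);  // keep it alive past 'items'
    }
    if (items != NULL) CFRelease(items);
    return identity;
}

// Hypothetical helper: call before opening the streams. The SSL settings are
// set on the read stream of a socket pair created together.
static Boolean SetClientIdentity(CFReadStreamRef readStream, SecIdentityRef identity)
{
    const void *chain[] = { identity };  // identity first; intermediate certs may follow
    CFArrayRef certs = CFArrayCreate(NULL, chain, 1, &kCFTypeArrayCallBacks);
    const void *keys[] = { kCFStreamSSLLevel, kCFStreamSSLCertificates };
    const void *vals[] = { kCFStreamSocketSecurityLevelNegotiatedSSL, certs };
    CFDictionaryRef settings = CFDictionaryCreate(NULL, keys, vals, 2,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    Boolean ok = CFReadStreamSetProperty(readStream, kCFStreamPropertySSLSettings, settings);
    CFRelease(settings);
    CFRelease(certs);
    return ok;
}
```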
