Re: Client-side SSL on iPhone?
- Subject: Re: Client-side SSL on iPhone?
- From: Jens Alfke <email@hidden>
- Date: Sun, 12 Apr 2009 21:10:54 -0700
On Apr 12, 2009, at 9:29 AM, Fritz Anderson wrote:

> To clarify — is the undocumented property to be set on the server? So if I'm just writing a client, I don't have to worry about it?

I believe so (although it's been nearly a year since I figured that stuff out and wrote the code to use it.)

> And in the client, responding by presenting the certificate comes for free (net of installing it), just by being present on the Keychain?

No, on the client side you have to set the kCFStreamSSLCertificates property — it's documented; I think the value is supposed to be an array containing a SecIdentityRef followed optionally by supporting SecCertificateRefs.

> By the way — are client-side certs valid only for a particular IP/DNS address? Or are they basically expensive passwords?

It depends on how the server interprets them. It could check that the cert is valid for SSL and has a hostname that matches the address the client is connecting from. (I believe server-to-server connections in Jabber/XMPP do this, to mutually verify the two sides to each other.) But if the client side is more of a real client, it won't have a permanent hostname, so checking that doesn't make sense.
The cert doesn't have to be expensive, btw. It could be a self-signed cert that's already known to the server; or the server could create its own cert authority and sign certs for clients. Either option is free and can be done with tools that already come with OS X and Linux.
—Jens
Macnetworkprog mailing list (email@hidden)
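The free option from the last paragraph of the message (the server runs its own certificate authority and signs certs for clients), as an added example that is not part of the original message. It uses the `openssl` command-line tool, which is an assumption since the message names no tool; all subject names, lifetimes, file names and the export password are constructed, and `server_accepts` stands in for whatever policy a real server applies.

```shell
#!/bin/sh
# Added example: a private CA that issues TLS client certificates.
# All names, lifetimes and the export password are constructed for illustration.
set -e

make_ca() {                      # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private Client CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {            # $1 = work dir, $2 = client name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Limit the certificate to TLS client authentication.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/client.ext" -out "$1/$2.crt" 2>/dev/null
}

export_identity() {              # $1 = work dir, $2 = client name
  # PKCS#12 bundles the private key with its certificate for import on the client.
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -certfile "$1/ca.crt" -passout pass:example-only -out "$1/$2.p12"
}

make_unknown_cert() {            # $1 = work dir: self-signed, never registered with the server
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=unknown" \
    -keyout "$1/unknown.key" -out "$1/unknown.crt" 2>/dev/null
}

server_accepts() {               # $1 = work dir, $2 = certificate file
  # Server-side decision: the cert chains to our CA and is usable as an SSL client cert.
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"; issue_client_cert "$d" alice; export_identity "$d" alice
  make_unknown_cert "$d"
  server_accepts "$d" "$d/alice.crt"   && echo "alice: accepted"
  server_accepts "$d" "$d/unknown.crt" || echo "unknown: rejected"
  rm -rf "$d"
}
demo
```

The check deliberately ignores hostnames: as the message notes, a roaming client has no permanent hostname, so trust here rests only on the CA signature and the client-auth usage.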