Re: Question: is it possible to open a client-server socket in "clear" mode, and then transition that connection to SSL?
- Subject: Re: Question: is it possible to open a client-server socket in "clear" mode, and then transition that connection to SSL?
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Tue, 19 Jun 2012 09:16:35 -0700
On 18 Jun 2012, at 13:12, email@hidden wrote:
> I'm in a situation where a client opens an initial socket communication to the server. A brief exchange of un-encoded messages is sent, which directs both sides to use a new protocol which utilizes SSL to encode the rest of the session's messages. Is it legitimate to transition from TCP_CLEAR to SSL_ANON once the connection is made?
This process is known as STARTTLS [1] and it's supported by CFSocketStream. The way to make this work is to start with a security level (NSStreamSocketSecurityLevelKey) of NSStreamSocketSecurityLevelNone and, after both ends have decided to start TLS, change the security level to NSStreamSocketSecurityLevelNegotiatedSSL (or whatever TLS level you want). You can do equivalent things with the CFSocketStream properties.
This definitely works. It's used by various apps built in to our platforms (most notably Mail) and I've tested it myself.
It's currently not possible to go the other way (that is, downgrade from TLS back to a raw TCP connection).
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
[1] <http://en.wikipedia.org/wiki/STARTTLS>
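The upgrade Quinn describes (start at security level None, then switch the same socket to negotiated TLS once both ends agree) is the general STARTTLS pattern, and it is easier to see what each side has to check when both ends sit in one runnable file. The Go program below is an added example written for this page; it is not Apple's CFSocketStream/NSStream API and not code from the original thread. It assumes a minimal made-up command protocol ("STARTTLS" / "220 go ahead" lines), a self-signed certificate generated in memory and pinned by the client, and a loopback TCP connection, all constructed for the demo. It also shows the two checks a defender wants around the switch: the client refuses to keep talking in the clear if the upgrade is not acknowledged (the answer to STARTTLS stripping), and both sides reject any plaintext that arrived pipelined behind the upgrade line, so nothing read ahead of the TLS handshake can be mistaken for protected data. The server is authenticated by its certificate rather than anonymous, since an anonymous TLS peer (the SSL_ANON in the question) gives no protection against an active interposer.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// must panics on error; used only for demo setup, where failure is a bug, not a protocol condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway in-memory server certificate (constructed for this example; a real server uses a CA-issued one).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// expectLine reads one cleartext line and requires it to equal want. It also rejects bytes
// pipelined behind that line: plaintext read ahead of the upgrade could have been injected
// by an interposer and must never be handed to the TLS layer or treated as protected data.
func expectLine(r *bufio.Reader, want string) error {
	line, err := r.ReadString('\n')
	if err != nil {
		return err
	}
	if line != want {
		return fmt.Errorf("expected %q, got %q", strings.TrimSpace(want), strings.TrimSpace(line))
	}
	if r.Buffered() != 0 {
		return errors.New("plaintext pipelined behind " + strings.TrimSpace(line))
	}
	return nil
}

// serveStartTLS: cleartext upgrade exchange, then TLS on the same TCP connection; returns the line received once protected.
func serveStartTLS(conn net.Conn, cert tls.Certificate) (string, error) {
	defer conn.Close()
	if err := expectLine(bufio.NewReader(conn), "STARTTLS\r\n"); err != nil {
		return "", err
	}
	fmt.Fprint(conn, "220 go ahead\r\n") // last bytes sent in the clear
	tconn := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
	payload, err := bufio.NewReader(tconn).ReadString('\n') // first Read runs the TLS handshake
	fmt.Fprint(tconn, "250 received over TLS\r\n")          // harmless no-op if the read above failed
	return strings.TrimSpace(payload), err
}

// clientStartTLS refuses to go on in the clear unless the server accepts the upgrade (the check that
// defeats STARTTLS stripping) and verifies the server certificate against roots, not an anonymous peer.
func clientStartTLS(conn net.Conn, roots *x509.CertPool, payload string) (string, error) {
	defer conn.Close()
	fmt.Fprint(conn, "STARTTLS\r\n")
	if err := expectLine(bufio.NewReader(conn), "220 go ahead\r\n"); err != nil {
		return "", fmt.Errorf("upgrade refused, not continuing in the clear: %w", err)
	}
	tconn := tls.Client(conn, &tls.Config{ServerName: "localhost", RootCAs: roots})
	fmt.Fprint(tconn, payload+"\r\n") // first Write runs the handshake; any error surfaces on the Read below
	ack, err := bufio.NewReader(tconn).ReadString('\n')
	return strings.TrimSpace(ack), err
}

// RunStartTLSDemo runs both sides over loopback TCP: what the server received after the upgrade, what the client read back.
func RunStartTLSDemo(payload string) (serverGot, clientGot string, err error) {
	cert, roots := selfSignedCert()
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			serverGot, err = serveStartTLS(c, cert)
		}
		done <- err
	}()
	clientGot, err = clientStartTLS(must(net.Dial("tcp", ln.Addr().String())), roots, payload)
	serr := <-done // also orders the read of serverGot after the server goroutine's write
	return serverGot, clientGot, errors.Join(err, serr)
}
```

RunStartTLSDemo returns what the server received after the upgrade and the acknowledgement the client read back over TLS. As Quinn notes, there is no path back from TLS to raw TCP on the Apple stack, and this example deliberately has none either: once tls.Server and tls.Client wrap the connection, the raw conn is only ever used to close.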
Macnetworkprog mailing list (email@hidden)