Re: Using SSL with NSStream on an iOS <-> Mac connection
- Subject: Re: Using SSL with NSStream on an iOS <-> Mac connection
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Thu, 14 Feb 2013 10:49:23 +0000
On 13 Feb 2013, at 12:18, David Hoerl <email@hidden> wrote:
> Basically, I took the code snippets in the Stream Programming Guide / Networking Overview / Networking Programming Topics, and got the bare bones client / server to work just fine.
>
> But when I tried to enable SSL on the connect, it does not work as before. The connection works, but then some chunk of data, 193 bytes in length, shows up at the server side. I've been digging for hours trying to find some example code, or some additional information, on how to make SSL work over streams.
>
> Can it be done?
Yes. The trick is as follows:
o On the client side you must enable TLS in one of two ways. If you're using NSStream you can set the NSStreamSocketSecurityLevelKey property to the value NSStreamSocketSecurityLevelNegotiatedSSL. You can also do this by setting CFSocketStream properties, as I'll discuss below, and you may need to do this if you want to set any non-obvious properties.
o On the server side you must use CFSocketStream properties to enable TLS. Remember that NSStream and CFStream are toll-free bridged, so you can set CFSocketStream properties on your NSStream. Also, keep in mind that the input and output streams are paired, so you only need to set the properties on one or the other.
The specific CFSocketStream property you need to set is kCFStreamPropertySSLSettings. You have to set this to a dictionary containing:
- kCFStreamSSLCertificates, which must be an array that, at a minimum, contains a single SecIdentityRef
- kCFStreamSSLIsServer, which must be kCFBooleanTrue
So, for example:
BOOL success;
SecIdentityRef myServerIdentity;
... set up myServerIdentity ...
// kCFStreamSSLCertificates takes an array whose first element is the identity;
// the settings value itself is a dictionary, so use @{ } rather than @[ ].
success = [inputStream setProperty:
    @{
        (__bridge NSString *) kCFStreamSSLCertificates : @[ (__bridge id) myServerIdentity ],
        (__bridge NSString *) kCFStreamSSLIsServer : (__bridge id) kCFBooleanTrue,
    }
    forKey:(__bridge NSString *) kCFStreamPropertySSLSettings
];
IMPORTANT: The above was typed into a text editor. I've not even compiled it!
Note: The above assumes you're using ARC and uses the new Objective-C literal syntax.
o After that you have to worry about identity management. If your server has a well-known DNS address, you can have a certificate authority create an identity for it and things are easy: you can import the identity on the server and then apply it as shown above. If you're trying to use TLS peer-to-peer, things get significantly trickier. Let me know if that's the case and I can walk you through the details.
Finally, if you haven't already done so, you should read Technote 2232 "HTTPS Server Trust Evaluation" and the TLS parts of Technote 2152 "Document Transfer Strategies".
<https://developer.apple.com/library/ios/#technotes/tn2232/_index.html>
<https://developer.apple.com/library/ios/#technotes/tn2152/_index.html>
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
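The configuration Quinn describes, written out as an added example for both ends of the stream pair. This is not code from the original post or from Apple; it assumes the caller already has an open-ready NSInputStream/NSOutputStream pair and, on the server side, a SecIdentityRef obtained elsewhere (how the identity is imported is out of scope here). The ConfigureServerTLS, ConfigureClientTLS and TLSStreamWatcher names are hypothetical.

```objective-c
// Added example, not from the original post or from Apple.
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <Security/Security.h>

// Server side: enable TLS through the CFSocketStream property, which works on an
// NSStream because NSStream and CFStream are toll-free bridged.
// Must be called before the stream is opened; returns NO if the property was refused.
static BOOL ConfigureServerTLS(NSInputStream *inputStream, SecIdentityRef serverIdentity)
{
    NSCParameterAssert(inputStream != nil);
    NSCParameterAssert(serverIdentity != NULL);

    // kCFStreamSSLCertificates: an array whose first element is the server identity.
    // kCFStreamSSLIsServer: run the server side of the handshake.
    NSDictionary *sslSettings = @{
        (__bridge NSString *) kCFStreamSSLCertificates : @[ (__bridge id) serverIdentity ],
        (__bridge NSString *) kCFStreamSSLIsServer     : (__bridge id) kCFBooleanTrue,
    };

    // The input and output streams are paired, so setting it on one side is enough.
    return [inputStream setProperty:sslSettings
                             forKey:(__bridge NSString *) kCFStreamPropertySSLSettings];
}

// Client side: the NSStream-level key is sufficient when no non-obvious
// settings are needed. Also call before opening the stream.
static BOOL ConfigureClientTLS(NSOutputStream *outputStream)
{
    NSCParameterAssert(outputStream != nil);
    return [outputStream setProperty:NSStreamSocketSecurityLevelNegotiatedSSL
                              forKey:NSStreamSocketSecurityLevelKey];
}

// A handshake that fails (wrong identity, untrusted certificate, and so on) is
// reported to the delegate as NSStreamEventErrorOccurred rather than as data,
// so a delegate should log streamError instead of treating the bytes as payload.
@interface TLSStreamWatcher : NSObject <NSStreamDelegate>
@end

@implementation TLSStreamWatcher
- (void)stream:(NSStream *)aStream handleEvent:(NSStreamEvent)eventCode
{
    switch (eventCode) {
        case NSStreamEventOpenCompleted:
            NSLog(@"stream opened (TLS negotiation proceeds before the first bytes)");
            break;
        case NSStreamEventErrorOccurred:
            NSLog(@"stream error: %@", [aStream streamError]);
            break;
        case NSStreamEventEndEncountered:
            NSLog(@"stream closed by peer");
            break;
        default:
            break;
    }
}
@end
```

Apply the property before calling -open on either stream; once open, setProperty:forKey: returns NO and the connection stays in the clear. On the client, the negotiated-SSL level still leaves server trust evaluation to the system defaults, which is the subject of the Technote 2232 reference above.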