Re: SSL websocket server, part two
- Subject: Re: SSL websocket server, part two
- From: Mitchell Laurren-Ring <email@hidden>
- Date: Tue, 11 Nov 2014 17:53:20 -0800
On Nov 11, 2014, at 1:45 AM, Quinn The Eskimo! <email@hidden> wrote:
>
> On 11 Nov 2014, at 01:40, Mitchell Laurren-Ring <email@hidden> wrote:
>
>> It looks to me like the client’s SSL stack is ending the conversation early by setting the FIN flag in step #7. Is that a correct conclusion?
>
> Yes, but the weird part is that, at the time it initiates the disconnect (packet 7), the client hasn't received any actual data from the server. Normally, if the client is going to drop a connection like this, it does so /after/ receiving some data from the server (like the Server Hello) but in this case the client is dropping the connection before receiving any data.
>
> What does the timing look like here? Perhaps the client is failing because the server hasn't responded quickly enough?
>
I think you’re on to something here. It takes almost 5 seconds for the server to send “Server Hello” after the “Client Hello” is received. Most of this delay is caused by the call I make to SecTrustEvaluate at the start of the connection. I realize this is not optimal for performance, but assuming that it is a requirement to load the SecIdentityRef at the start of each connection, is SecTrustEvaluate necessary? Here’s roughly how my code looks:
SecTrustCreateWithCertificates
SecTrustEvaluate
SecTrustGetResult
SecIdentityCreateWithCertificate
SecTrustEvaluate seems to have the side effect of retrieving the CA certificates for my certificate, which is retrieved from another server when a connection is started. It seems like I should just be able to call SecIdentityCreateWithCertificate, but if I skip the first 3 functions, I get errSSLBadConfiguration from SSLHandshake. In Wireshark, I can see that the server is sending an SSL Alert after the Client Hello.
Is there a better way to create an identity from certificate and key data in memory?
/Mick
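Added example, not Mick's code from the thread: one way to keep the per-connection work small is to build the SecIdentityRef once at startup from in-memory PKCS#12 bytes with SecPKCS12Import and hand that same identity to every new server-side SSLContext through SSLSetCertificate; SecTrustEvaluate is not involved in presenting the server's own certificate, it is for checking a peer's chain. The PKCS#12 path and passphrase are placeholders.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Build the server identity once (e.g. at launch), not per connection.
// Assumed: certificate and private key are available as PKCS#12 bytes.
static SecIdentityRef LoadServerIdentity(NSData *p12Data, NSString *passphrase) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus err = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                   (__bridge CFDictionaryRef)options, &items);
    if (err != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        NSLog(@"SecPKCS12Import failed: %d", (int)err);
        if (items) CFRelease(items);
        return NULL;
    }
    CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    if (identity) CFRetain(identity);   // caller owns the returned identity
    CFRelease(items);
    return identity;
}

// Per connection: attach the cached identity to a fresh server-side context.
// Element 0 of the array must be the SecIdentityRef; intermediates may follow.
static SSLContextRef MakeServerContext(SecIdentityRef identity, CFArrayRef intermediates) {
    SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
    if (!ctx) return NULL;
    CFMutableArrayRef chain = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    CFArrayAppendValue(chain, identity);
    if (intermediates)
        CFArrayAppendArray(chain, intermediates, CFRangeMake(0, CFArrayGetCount(intermediates)));
    OSStatus err = SSLSetCertificate(ctx, chain);
    CFRelease(chain);
    if (err != errSecSuccess) {
        NSLog(@"SSLSetCertificate failed: %d", (int)err);
        CFRelease(ctx);
        return NULL;
    }
    return ctx;
}

int main(void) {
    @autoreleasepool {
        // Placeholder path and passphrase; substitute your own.
        NSData *p12 = [NSData dataWithContentsOfFile:@"/path/to/server.p12"];
        SecIdentityRef identity = LoadServerIdentity(p12, @"PLACEHOLDER");
        if (!identity) return 1;
        SSLContextRef ctx = MakeServerContext(identity, NULL);
        // ... SSLSetIOFuncs / SSLSetConnection / SSLHandshake as before ...
        if (ctx) CFRelease(ctx);
        CFRelease(identity);
    }
    return 0;
}
```

On OS X, SecPKCS12Import also places the imported items in the default keychain, which is another reason to run it once rather than on every accepted connection.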
Macnetworkprog mailing list (email@hidden)