Re: iOS server and client trusts
- Subject: Re: iOS server and client trusts
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Wed, 08 Oct 2014 09:59:06 +0100
On 7 Oct 2014, at 18:47, Rick Mann <email@hidden> wrote:
> Now, is there a super-straightforward example of how to do it?
Not really, no.
> Sometimes Apple's sample code is far too complicated to make it easy to see just how to do a thing.
Yeah, I agree, AdvancedURLConnections is way too complex.
Writing sample code involves a lot of trade-offs. If you make it too simple, it doesn't exercise real world issues. If you make it too complex, it's hard to understand. I definitely erred on the "too complex" side of things with AdvancedURLConnections. Alas, I haven't had a chance to go back and revisit that issue.
* * *
With regards handling both server trust and client identity authentication challenges, this should be a relatively straightforward composition of the two techniques. Technote 2232 "HTTPS Server Trust Evaluation" covers the server trust part of the equation in some detail.
<https://developer.apple.com/library/ios/#technotes/tn2232/_index.html>
The client identity part is trickier, not because the network code is harder but because of the identity management side of things. You have to find a way to access the client identity. Once you have that--specifically, a SecIdentityRef--handling a client identity authentication challenge is very simple: you create a credential with the identity and resolve the challenge with that credential.
With regards creating your SecIdentityRef, the best approach is platform dependent. Are you working on iOS or OS X?
Finally, looking at the code snippet you posted it seems that you're planning to bundle the client identity in your app. That's /really/ not very secure. Client identities, like any other credential, should be issued per user.
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
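[Added example, not part of the original message and not Apple sample code.] A sketch of the composition described above, written against the NSURLSession session-level delegate and compiled with ARC. The class name ChallengeHandler and its initializer are hypothetical, and the SecIdentityRef is assumed to be a per-user identity the app has already obtained (how to get it is the platform-dependent part the message mentions).

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class (assumption, not an Apple API). The identity
// passed in is assumed to be issued per user, not bundled with the app.
@interface ChallengeHandler : NSObject <NSURLSessionDelegate>
- (instancetype)initWithClientIdentity:(SecIdentityRef)identity;
@end

@implementation ChallengeHandler {
    SecIdentityRef _clientIdentity;   // retained manually; ARC ignores CF types
}
- (instancetype)initWithClientIdentity:(SecIdentityRef)identity {
    self = [super init];
    if (self != nil && identity != NULL) {
        _clientIdentity = (SecIdentityRef)CFRetain(identity);
    }
    return self;
}
- (void)dealloc { if (_clientIdentity != NULL) CFRelease(_clientIdentity); }

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSString *method = space.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Server side: evaluate the trust object with its default policy.
        // Custom evaluation (the subject of TN2232) would go here instead.
        SecTrustRef trust = space.serverTrust;
        if (trust != NULL && SecTrustEvaluateWithError(trust, NULL)) {
            completionHandler(NSURLSessionAuthChallengeUseCredential,
                              [NSURLCredential credentialForTrust:trust]);
        } else {   // fail closed: never accept a server that did not evaluate
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        }
    } else if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        if (_clientIdentity == NULL) {   // nothing to present
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
            return;
        }
        // Client side: wrap the identity in a credential and resolve with it.
        NSURLCredential *credential =
            [NSURLCredential credentialWithIdentity:_clientIdentity
                                       certificates:nil
                                        persistence:NSURLCredentialPersistenceForSession];
        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
    } else {   // any other challenge type: let the system handle it
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}
@end
```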