On Aug 30, 2015, at 1:29 PM, Motti Shneor <email@hidden> wrote:

> However - I do not understand if I still need to encrypt the messages myself, or whether ::CFWriteStreamWrite() (or its bridged [_outputStream write:maxLength:] counterpart) should do it for me, when running with ATS around? And if I need to do the encryption myself, what Cocoa/Cocoa-touch APIs do I need to call to do this, in order to use the ATS recommended encryption?
Just use the standard CFStream APIs to enable SSL. In a nutshell, you do this by setting the stream property kCFStreamPropertySSLSettings to a dictionary containing the specific settings. Once you do that, it’s all transparent: just open the streams and send/receive data.
CFSocketStream.h declares all the necessary constants, with doc-comments, and I know Apple’s documentation explains in detail how to do all this, though I don’t have any URLs handy.
(At a lower level you can use the SecureTransport API to do the SSL handshake and encryption explicitly, although it’s a lot more complex so I don’t think you’d want to, unless for some reason it makes it easier to replace your old SSL implementation.)
> I could not find any sample code with CFNetwork only APIs that implements ATS connections over TCP

Don’t search for “ATS”, just search for “SSL”; the APIs for this have been around as long as OS X. There’s no programmatic API to ATS; the only change is that SSL is now required by default, and that there are some Info.plist keys to opt out of some of the requirements.

—Jens
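As an added example that is not part of the thread (and not Apple sample code), the following C/CoreFoundation function shows the approach described above: create the socket stream pair, set kCFStreamPropertySSLSettings before opening, and let CFNetwork perform the handshake and encryption while the caller writes plain bytes. `SendOverTLS` is a hypothetical helper name; host and port are whatever the caller supplies.

```objectivec
#include <CoreFoundation/CoreFoundation.h>
#include <string.h>

// Opens a TCP connection to host:port, enables TLS on it through
// kCFStreamPropertySSLSettings, then sends one message. CFNetwork performs
// the handshake and encryption; the caller only writes plaintext bytes.
// Returns true on success. Hypothetical helper, not Apple sample code.
static Boolean SendOverTLS(CFStringRef host, UInt32 port, const char *msg)
{
    CFReadStreamRef  readStream  = NULL;
    CFWriteStreamRef writeStream = NULL;
    CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, host, port,
                                       &readStream, &writeStream);
    if (readStream == NULL || writeStream == NULL) return false;

    // Negotiate the highest protocol version both sides support and check
    // that the server certificate is valid for `host`. Not setting the
    // deprecated kCFStreamSSLValidatesCertificateChain / AllowsAnyRoot keys
    // keeps the default chain validation, which is what ATS expects.
    CFTypeRef keys[]   = { kCFStreamSSLLevel, kCFStreamSSLPeerName };
    CFTypeRef values[] = { kCFStreamSocketSecurityLevelNegotiatedSSL, host };
    CFDictionaryRef ssl = CFDictionaryCreate(kCFAllocatorDefault,
                              (const void **)keys, (const void **)values, 2,
                              &kCFTypeDictionaryKeyCallBacks,
                              &kCFTypeDictionaryValueCallBacks);
    // Both streams share one socket, so one setting covers both; it must be
    // applied before the streams are opened.
    CFReadStreamSetProperty(readStream, kCFStreamPropertySSLSettings, ssl);
    CFWriteStreamSetProperty(writeStream, kCFStreamPropertySSLSettings, ssl);
    CFRelease(ssl);

    Boolean ok = CFReadStreamOpen(readStream) && CFWriteStreamOpen(writeStream);
    if (ok) {
        // Blocking write on an unscheduled stream: this first use triggers
        // the TLS handshake, and the bytes go out encrypted.
        CFIndex len = (CFIndex)strlen(msg);
        CFIndex n = CFWriteStreamWrite(writeStream, (const UInt8 *)msg, len);
        ok = (n == len);
    }
    if (!ok) {
        // A failed handshake (e.g. certificate not valid for host) shows up
        // here as a stream error rather than as a silent plaintext fallback.
        CFErrorRef err = CFWriteStreamCopyError(writeStream);
        if (err) { CFShow(err); CFRelease(err); }
    }
    CFReadStreamClose(readStream);  CFWriteStreamClose(writeStream);
    CFRelease(readStream);          CFRelease(writeStream);
    return ok;
}
```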