Hello Quinn (and Yulia, my colleague :)
I’ll add a few missing details.
We write iOS and Mac conferencing clients that work against a pretty old server. Protocol is binary, proprietary. We always use secure socket connection - up till now SSL3 now TLS 1.2.
Our current implementation DOES go through HTTP proxy (only where needed, of course), using HTTP tunneling (yes, the CONNECT method), but the hand-written proxy negotiation is not so good, and it only supports simple authentication.
As we lately reverted to use the OS native SSL implementation, via higher-level APIs, we suddenly lost our Proxy support - because the CFSocketStream won’t attempt to go through Web proxy (or Secure Web proxy).
We are looking for ways to use the machinery already in the OS for establishing our secure connection (tunnel) with the server, then continue with our proprietary protocol.
This HTTP tunneling via web-proxy is not strictly by-the-book, but is pretty much the only method to do conferencing in big corporates with very restrictive IT, and has been used by many programs for the last 15 years.
So -
1. Is there a way to start the negotiation and open the connection to the server using CFHTTPStream, then “rewrap” the bsd socket with a CFSocketStream and continue on?
2. Otherwise - is there a lower-level API we can employ for just the Proxy authentication and negotiation?
On 2 Dec 2015, at 07:41, Yulia Bensman <email@hidden> wrote:
I am on Mac OS (10.10.5 if it matters), and I am trying to use HTTP/HTTPS proxy.
That won't work. This isn't a limitation of the system, but rather a limitation of the on-the-wire protocol. HTTP proxies don't support arbitrary TCP connections [1].
Share and Enjoy -- Quinn "The Eskimo!" <http://www.apple.com/developer/> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
[1] Technically this is possible, via the CONNECT method, but most proxies only support that in the context of HTTPS.
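The CONNECT exchange that Motti's hand-written negotiation and Quinn's footnote refer to, as an added example that is not code from this thread: it builds the authority-form CONNECT request, parses the proxy's reply with CFHTTPMessage, and answers a 407 only when the proxy actually offers the Basic scheme. Socket I/O is left to the caller; the host, port, credentials and the two proxy replies at the bottom are constructed placeholders.

```objective-c
// Added example, not code from the thread: CONNECT tunnel negotiation with
// CFHTTPMessage parsing the proxy reply. Host, port, credentials and the
// sample replies in main() are constructed placeholders.
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>

typedef NS_ENUM(NSInteger, TunnelState) {
    TunnelIncomplete,   // header not fully received yet, keep reading from the socket
    TunnelEstablished,  // 2xx: the TCP tunnel is open, start the TLS handshake on the same socket
    TunnelNeedsAuth,    // 407: proxy wants credentials, see the returned challenge
    TunnelFailed        // anything else (403, 502, ...): send no application data
};

// CONNECT request in authority form (RFC 7231 section 4.3.6) plus the Host header HTTP/1.1 requires.
static NSData *ConnectRequest(NSString *host, uint16_t port, NSString *proxyAuthorization) {
    NSMutableString *req = [NSMutableString string];
    [req appendFormat:@"CONNECT %@:%u HTTP/1.1\r\nHost: %@:%u\r\n", host, port, host, port];
    if (proxyAuthorization != nil) {
        [req appendFormat:@"Proxy-Authorization: %@\r\n", proxyAuthorization];
    }
    [req appendString:@"\r\n"];
    return [req dataUsingEncoding:NSASCIIStringEncoding];
}

// RFC 7617 Basic credentials: base64("user:password"). Basic hands the password to the
// proxy in the clear, so it is sent only in reply to a challenge that offers Basic.
static NSString *BasicProxyAuthorization(NSString *user, NSString *password) {
    NSString *pair = [NSString stringWithFormat:@"%@:%@", user, password];
    NSData *raw = [pair dataUsingEncoding:NSUTF8StringEncoding];
    return [@"Basic " stringByAppendingString:[raw base64EncodedStringWithOptions:0]];
}

// Feed the bytes read from the proxy socket into a response message and classify it.
// On 2xx, *leftover receives any bytes that followed the blank line: those already
// belong to the tunnel (the server's first TLS bytes) and must go to the TLS layer.
static TunnelState ParseConnectResponse(NSData *fromProxy, NSString **challenge, NSData **leftover) {
    CFHTTPMessageRef resp = CFHTTPMessageCreateEmpty(kCFAllocatorDefault, FALSE /* response */);
    CFHTTPMessageAppendBytes(resp, fromProxy.bytes, (CFIndex)fromProxy.length);
    TunnelState state = TunnelIncomplete;
    if (CFHTTPMessageIsHeaderComplete(resp)) {
        CFIndex status = CFHTTPMessageGetResponseStatusCode(resp);
        if (status >= 200 && status < 300) {
            state = TunnelEstablished;
            if (leftover) *leftover = CFBridgingRelease(CFHTTPMessageCopyBody(resp));
        } else if (status == 407) {
            state = TunnelNeedsAuth;
            if (challenge) *challenge = CFBridgingRelease(
                CFHTTPMessageCopyHeaderFieldValue(resp, CFSTR("Proxy-Authenticate")));
        } else {
            state = TunnelFailed;
        }
    }
    CFRelease(resp);
    return state;
}

// YES if the challenge lists the Basic scheme (scheme names are case-insensitive).
static BOOL ChallengeOffersBasic(NSString *challenge) {
    for (NSString *item in [challenge componentsSeparatedByString:@","]) {
        NSString *trimmed = [item stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]];
        NSRange r = [trimmed rangeOfString:@"Basic" options:NSCaseInsensitiveSearch | NSAnchoredSearch];
        if (r.location == 0) return YES;
    }
    return NO;
}

int main(void) {
    @autoreleasepool {
        NSString *host = @"conf.example.internal";   // placeholder conferencing server
        uint16_t port = 5061;                         // placeholder port
        // Constructed sample replies standing in for bytes read from the proxy socket.
        NSData *challengeReply = [@"HTTP/1.1 407 Proxy Authentication Required\r\n"
                                   "Proxy-Authenticate: Basic realm=\"corp\"\r\nContent-Length: 0\r\n\r\n"
                                  dataUsingEncoding:NSASCIIStringEncoding];
        NSData *okReply = [@"HTTP/1.1 200 Connection established\r\n\r\nFIRST-TLS-BYTES"
                          dataUsingEncoding:NSASCIIStringEncoding];

        NSString *challenge = nil;
        NSData *leftover = nil;
        NSData *first = ConnectRequest(host, port, nil);   // never volunteer credentials unprompted
        NSLog(@"send:\n%@", [[NSString alloc] initWithData:first encoding:NSASCIIStringEncoding]);
        TunnelState state = ParseConnectResponse(challengeReply, &challenge, &leftover);
        if (state == TunnelNeedsAuth && ChallengeOffersBasic(challenge)) {
            NSData *retry = ConnectRequest(host, port, BasicProxyAuthorization(@"user", @"secret")); // placeholders
            NSLog(@"retry:\n%@", [[NSString alloc] initWithData:retry encoding:NSASCIIStringEncoding]);
            state = ParseConnectResponse(okReply, &challenge, &leftover);
        } else if (state == TunnelNeedsAuth) {
            NSLog(@"proxy offers only %@; Basic is the sole scheme this example implements", challenge);
        }
        NSLog(@"state %ld, %lu tunnel bytes already received", (long)state, (unsigned long)leftover.length);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework CFNetwork connect.m`. Digest, NTLM and Negotiate challenges come back through the same 407 path and are the place where a hand-written negotiator usually falls short; CFHTTPAuthentication can generate those answers for a CFHTTPMessage request if you choose to go that route.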
------------------------------
Message: 5
Date: Wed, 02 Dec 2015 10:18:00 +0000
From: "Quinn \"The Eskimo!\"" <email@hidden>
To: Kevin Yu <email@hidden>
Cc: email@hidden
Subject: Re: How to use NWTCPConnectionAuthenticationDelegate for self signed certificate
Message-ID: <email@hidden>
Content-Type: text/plain; charset=utf-8
On 2 Dec 2015, at 02:14, Kevin Yu <email@hidden> wrote:
I’ve tried with no luck
What does "no luck" mean? Were you unable to create the trust object? Or did its evaluation fail?
here’s my code, any suggestion?
The first step is to /not/ ignore the errors you get back from Security framework routines like SecTrustCreateWithCertificates and SecTrustEvaluate.
Next, if trust evaluation is failing, you can print the result of SecTrustCopyProperties and SecTrustCopyResult to get an understanding as to why it's failing.
Share and Enjoy -- Quinn "The Eskimo!" <http://www.apple.com/developer/> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
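An added example of the evaluation Quinn describes, not Kevin's code: it pins the server's self-signed certificate as the only anchor, checks every OSStatus the Security framework returns instead of ignoring it, and logs SecTrustCopyProperties and SecTrustCopyResult when the evaluation fails. The pinned DER certificate, the server's presented chain (the SecCertificateRef array your delegate receives) and the hostname are assumed inputs supplied by the caller.

```objective-c
// Added example, not Kevin's code: self-signed server trust evaluation with
// every Security framework status checked. Inputs are supplied by the caller.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSError *StatusError(OSStatus status, NSString *where) {
    return [NSError errorWithDomain:NSOSStatusErrorDomain
                               code:status
                           userInfo:@{ NSLocalizedDescriptionKey : [NSString stringWithFormat:@"%@ failed", where] }];
}

// Returns YES only when serverCerts validates, under an SSL server policy for
// hostname, with the pinned self-signed certificate as the sole trust anchor.
static BOOL EvaluateSelfSignedServerTrust(NSArray *serverCerts, NSData *pinnedDER,
                                          NSString *hostname, NSError **error) {
    SecCertificateRef pinned = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)pinnedDER);
    if (pinned == NULL) {
        if (error) *error = StatusError(errSecDecode, @"SecCertificateCreateWithData");
        return NO;
    }
    // The SSL policy also checks validity dates, hostname match and key usage, not just the signature.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)serverCerts, policy, &trust);
    CFRelease(policy);
    if (status == errSecSuccess) {
        // Pinning: only our own certificate is an anchor; the system roots are not consulted.
        status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[ (__bridge id)pinned ]);
    }
    if (status == errSecSuccess) {
        status = SecTrustSetAnchorCertificatesOnly(trust, true);
    }
    CFRelease(pinned);
    SecTrustResultType result = kSecTrustResultInvalid;
    if (status == errSecSuccess) {
        status = SecTrustEvaluate(trust, &result);
    }
    if (status != errSecSuccess) {
        // A non-zero status means the evaluation never ran; report it, don't treat it as "untrusted".
        if (error) *error = StatusError(status, @"trust setup or SecTrustEvaluate");
        if (trust) CFRelease(trust);
        return NO;
    }
    // Unspecified: trusted with no explicit user decision. Proceed: trusted by an explicit user setting.
    BOOL trusted = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (!trusted) {
        // Why did it fail? The properties array names the failing check per certificate;
        // the result dictionary carries the detailed evaluation output.
        NSArray *properties = CFBridgingRelease(SecTrustCopyProperties(trust));
        NSDictionary *details = CFBridgingRelease(SecTrustCopyResult(trust));
        NSLog(@"trust result %u\nproperties: %@\nresult: %@", (unsigned)result, properties, details);
        if (error) *error = StatusError(errSecNotTrusted, @"trust evaluation");
    }
    CFRelease(trust);
    return trusted;
}
```

Typical failures this surfaces are an expired pinned certificate or a hostname that does not match its subject/SAN, both of which the SSL policy rejects even though the signature is fine. The same anchor calls work on a SecTrustRef you were handed rather than one you created.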
------------------------------
Message: 6
Date: Wed, 02 Dec 2015 10:24:48 +0000
From: "Quinn \"The Eskimo!\"" <email@hidden>
To: Mac Network Programming <email@hidden>
Subject: Re: What happens when an NSURLSessionTask is canceled?
Message-ID: <email@hidden>
Content-Type: text/plain; charset=us-ascii
On 2 Dec 2015, at 03:45, Rick Mann <email@hidden> wrote:
What happens when an NSURLSessionTask is canceled? Does its callback or delegate get called with an error indicating it was canceled?
Yes. This is clearly documented. Oh wait, it's not. That sucks. My apologies.
Let's try again...
This is clearly described by a comment in <Foundation/NSURLSession.h>:
-cancel returns immediately, but marks a task as being canceled. The task will signal -URLSession:task:didCompleteWithError: with an error value of { NSURLErrorDomain, NSURLErrorCancelled }. In some cases, the task may signal other work before it acknowledges the cancelation. -cancel may be sent to a task that has been suspended.
I've filed a bug to get the docs in sync with the headers <rdar://problem/23721558>.
Share and Enjoy -- Quinn "The Eskimo!" <http://www.apple.com/developer/> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
------------------------------
Message: 7
Date: Wed, 02 Dec 2015 09:12:36 -0800
From: Jens Alfke <email@hidden>
To: Quinn The Eskimo! <email@hidden>
Cc: "email@hidden" <email@hidden>
Subject: Re: Problem with connection via Proxy using CFNetwork in TCP stream
Message-ID: <email@hidden>
Content-Type: text/plain; charset="utf-8"
On Dec 2, 2015, at 2:14 AM, Quinn The Eskimo! <email@hidden> wrote:
That won't work. This isn't a limitation of the system, but rather a limitation of the on-the-wire protocol. HTTP proxies don't support arbitrary TCP connections [1].
Although they should allow the use of the Upgrade: header to let a connection begin as HTTP and then switch to a different TCP-based protocol. (This is how WebSocket connections are established.)
—Jens
------------------------------
Message: 8
Date: Wed, 02 Dec 2015 18:22:06 +0000
From: "Quinn \"The Eskimo!\"" <email@hidden>
To: "email@hidden" <email@hidden>
Subject: Re: Problem with connection via Proxy using CFNetwork in TCP stream
Message-ID: <email@hidden>
Content-Type: text/plain; charset=us-ascii
On 2 Dec 2015, at 17:12, Jens Alfke <email@hidden> wrote:
Although they should allow the use of the Upgrade: header to let a connection begin as HTTP and then switch to a different TCP-based protocol. (This is how WebSocket connections are established.)
Right. If you switch to WebSocket then this should be feasible (although you'll have to write your own WebSocket code 'cause we don't have an API for it)-: However, if you're implementing a custom protocol on top of TLS on top of TCP then I don't think there's any reliable way to get through an HTTP proxy.
Share and Enjoy -- Quinn "The Eskimo!" <http://www.apple.com/developer/> Apple Developer Relations, Developer Technical Support, Core OS/Hardware
------------------------------
_______________________________________________
Macnetworkprog mailing list
email@hidden
https://lists.apple.com/mailman/listinfo/macnetworkprog

End of Macnetworkprog Digest, Vol 12, Issue 109
***********************************************
Motti Shneor, CEO, suMac LTD. Software Development for the Macintosh
Home/Office Address: 34 Emek-Ha-Ella St. Appt.1 Modiin, ISRAEL, 71723 Home/Office Tel/Fax: +972-8-9267730 Home eMail: email@hidden Office eMail: email@hidden Mobile phone: +972-54-3136621 --- ceterum censeo microsoftiem delendam esse ---