SecureTransport: having trouble handling optional client certificate
- Subject: SecureTransport: having trouble handling optional client certificate
- From: Jens Alfke <email@hidden>
- Date: Fri, 26 Jun 2015 13:57:11 -0700
TL;DR: I’m in the middle of an SSL server-side handshake right after peer auth has completed, and I’m trying to detect whether or not the peer (client) provided a cert. I thought SSLGetClientCertificateState would be the answer, but it always returns kSSLClientCertNone whether or not there is a cert. How do I do this correctly?
Longer explanation:
I’m adding SSL *client* cert support to a server implementation that uses an existing library (GCDAsyncSocket) based on SecureTransport. It’s working fine for the case where the client cert is required (setting the ClientSideAuthenticate property to kAlwaysAuthenticate), but I’m having trouble when the client cert should be optional (kTryAuthenticate): the handshake fails if the client doesn’t provide a cert.
The problem occurs while I’m checking the trust of the cert — to do custom cert checking, the code turns off automatic cert verification using code very much like that shown in the doc-comment for SSLSetAllowsExpiredCerts, i.e. I’m handling the case where SSLHandshake returns errSSLPeerAuthCompleted.
At this point the existing code calls SSLCopyPeerTrust, which of course fails (with -9808, errSSLBadCert) since the peer/client didn’t provide any cert. This error causes the library to abort and close the socket. So my task is to detect whether or not the client provided a cert.
My first attempt was to call SSLGetClientCertificateState and look at the output state. Unfortunately the state comes back as kSSLClientCertNone whether or not there is a cert. (And the function return is noErr, so it didn’t fail.) This seems wrong to me, especially since the function’s docs say it “can be called any time”.
So … how am I supposed to do this? Should I just interpret the errSSLBadCert return from SSLCopyPeerTrust as meaning “there’s no cert”, and continue?
—Jens
PS: This is running on OS X 10.10.4. Have not tried iOS yet, but this same code needs to support iOS 7+.
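The flow the post describes (break the server-side handshake at client auth, then inspect whatever the client sent) as an added Objective-C example; this is not code from the original post or from GCDAsyncSocket. It assumes an SSLContextRef already created with SSLCreateContext on the server side and with its I/O callbacks installed, a CFArrayRef of CA certificates the server accepts that the caller has loaded, and the helper names used here, which are hypothetical. The branch that reads errSSLBadCert from SSLCopyPeerTrust as "no certificate presented" implements the interpretation the poster is asking about and is labelled as such; the post does not confirm it. The block builds only against the Apple Security framework.

```objc
// Added example, not from the original post or from GCDAsyncSocket.
// Builds only against the Apple Security framework (OS X 10.8+/iOS 6+
// for kSSLSessionOptionBreakOnClientAuth). Helper names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

typedef NS_ENUM(NSInteger, ClientCertOutcome) {
    ClientCertOutcomeUnknown,   // handshake has not reached client auth yet
    ClientCertOutcomeNoCert,    // optional auth, client presented nothing
    ClientCertOutcomeTrusted,   // chain presented and chains to our anchors
    ClientCertOutcomeRejected,  // chain presented but failed evaluation
    ClientCertOutcomeError      // a SecureTransport/SecTrust call failed
};

typedef NS_ENUM(NSInteger, HandshakeResult) {
    HandshakeResultInProgress,  // errSSLWouldBlock: call again when readable
    HandshakeResultComplete,
    HandshakeResultFailed
};

// Call once, after SSLCreateContext/SSLSetIOFuncs and before SSLHandshake.
static OSStatus ConfigureOptionalClientAuth(SSLContextRef ctx) {
    // kTryAuthenticate: send a CertificateRequest but let the handshake
    // proceed if the client answers with an empty certificate list.
    OSStatus err = SSLSetClientSideAuthenticate(ctx, kTryAuthenticate);
    if (err != errSecSuccess) return err;
    // Make SSLHandshake return errSSLPeerAuthCompleted once the client's
    // Certificate message has been processed, instead of verifying it
    // internally. This is the server-side counterpart of the
    // kSSLSessionOptionBreakOnServerAuth snippet in the SecureTransport
    // header comments.
    return SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnClientAuth, true);
}

// Inspect the peer chain at the errSSLPeerAuthCompleted break point.
// `anchors` is the CA chain this server accepts (assumed loaded by the caller).
static ClientCertOutcome EvaluatePresentedCert(SSLContextRef ctx, CFArrayRef anchors) {
    SecTrustRef trust = NULL;
    OSStatus err = SSLCopyPeerTrust(ctx, &trust);
    if (err == errSSLBadCert) {
        // The behaviour the post reports when the client sent no certificate
        // under kTryAuthenticate. Reading it as "no cert" is the poster's
        // proposed interpretation, not documented behaviour (assumption).
        return ClientCertOutcomeNoCert;
    }
    if (err != errSecSuccess || trust == NULL) return ClientCertOutcomeError;

    // Pin evaluation to our own CA; the system root store is not an
    // acceptable issuer for client certificates.
    SecTrustSetAnchorCertificates(trust, anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    err = SecTrustEvaluate(trust, &result);   // the current API in 2015
    CFRelease(trust);
    if (err != errSecSuccess) return ClientCertOutcomeError;
    // Unspecified == chains to an anchor with no explicit user override.
    BOOL ok = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    return ok ? ClientCertOutcomeTrusted : ClientCertOutcomeRejected;
}

// Drive the handshake from the socket's readable/writable callback. Returns
// InProgress on errSSLWouldBlock; the caller re-invokes it later. `outcome`
// should start as ClientCertOutcomeUnknown.
static HandshakeResult ServerHandshakeStep(SSLContextRef ctx, CFArrayRef anchors,
                                           ClientCertOutcome *outcome) {
    for (;;) {
        OSStatus err = SSLHandshake(ctx);
        if (err == errSecSuccess)    return HandshakeResultComplete;
        if (err == errSSLWouldBlock) return HandshakeResultInProgress;
        if (err != errSSLPeerAuthCompleted) {
            NSLog(@"SSLHandshake failed: %d", (int)err);
            return HandshakeResultFailed;
        }

        // Diagnostic only: the post reports this returns kSSLClientCertNone
        // here whether or not a cert arrived (OS X 10.10.4), so it is logged
        // rather than used for the decision.
        SSLClientCertificateState state = kSSLClientCertNone;
        if (SSLGetClientCertificateState(ctx, &state) == errSecSuccess)
            NSLog(@"client cert state at PeerAuthCompleted: %d", (int)state);

        *outcome = EvaluatePresentedCert(ctx, anchors);
        if (*outcome == ClientCertOutcomeRejected || *outcome == ClientCertOutcomeError) {
            return HandshakeResultFailed;   // caller closes the socket
        }
        // NoCert (allowed under kTryAuthenticate) or Trusted: loop and call
        // SSLHandshake again; it resumes where it broke.
    }
}
```

The caller keeps `outcome` after the handshake completes so that later authorization can distinguish an unauthenticated client (NoCert) from one that presented a chain rooted in the server's own CA (Trusted); with kAlwaysAuthenticate the NoCert branch should never be reached, so treating it as a failure there is the safer choice.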
Macnetworkprog mailing list (email@hidden)