Hey Developers,

I am currently writing a client and a server that are communicating via 
SSL/TLS. Both of them have self-signed certificates. The connection works fine 
and as far as I checked the traffic is encrypted. Now I want to extract the 
certificates from the working stream that are responsible for the creation of 
the security parameters during the SSL/TLS handshake.

I am working with CFReadStream and CFWriteStream and afterwards with 
NSInputStream and NSOutputStream. The SSL/TLS settings I am using are the 
following:

———————8<——————————————
NSDictionary *settings = @{
    // close the underlying socket together with the stream
    (NSString *)kCFStreamPropertyShouldCloseNativeSocket: @YES,
    // chain validation is switched off, any root / expired certs accepted
    (NSString *)kCFStreamSSLValidatesCertificateChain:    @NO,
    (NSString *)kCFStreamSSLAllowsExpiredCertificates:    @YES,
    (NSString *)kCFStreamSSLAllowsExpiredRoots:           @YES,
    (NSString *)kCFStreamSSLAllowsAnyRoot:                @YES,
    // array with the SecIdentityRef first, used on both sides
    (NSString *)kCFStreamSSLCertificates:                 certificates,
    (NSString *)kCFStreamSSLIsServer:                     @(isServer),
    (NSString *)kCFStreamSSLLevel:                        (NSString *)kCFStreamSocketSecurityLevelTLSv1
};
—————>8————————————————


I use the same certificate creation and SSL/TLS setup methods on both sides, 
and the devices are the same, but when I try to get hold of the trust like

———————8<——————————————
SecTrustRef peerTrust = (__bridge SecTrustRef)[outputStream propertyForKey:(NSString *)kCFStreamPropertySSLPeerTrust];
—————>8————————————————

I am able to extract the server certificate on the client side, but on the server 
side the peerTrust is always NIL. I included the client certificate in the same 
way as I include the server certificate, but maybe that is the fault? Or do I 
have to set additional SSL/TLS properties in order to require a client-side 
certificate in SSL/TLS?

Can somebody help me to figure out how to include the client side certificate 
in the SSL/TLS handshake and later extract it? Has somebody tried that lately?

Thanks in advance!
Bastian

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
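Server-side client authentication with these streams, as an added example that is not part of the original post or of Apple's documentation: it creates the Secure Transport context itself so that it can call SSLSetClientSideAuthenticate (the kCFStreamSSL* settings keys have no switch for requesting a client certificate, which is why the peer trust stays nil on the server), hands that context to the stream through kCFStreamPropertySSLContext, and after the handshake checks the client's chain against a single pinned self-signed anchor instead of allowing any root. The names `serverIdentity`, `pinnedClientCert`, `InstallServerSSLContext`, `PeerTrustMatchesPin` and `ClientIsTrusted` are assumed here, as is that the context is installed before the stream is opened on OS X 10.9 / iOS 5 or later, where kCFStreamPropertySSLContext and SSLCreateContext exist.

```objc
// Added example, not code from the original post or from Apple's samples.
// Server side of an NSStream pair: require a client certificate during the
// handshake, then verify the presented chain against one pinned self-signed
// anchor rather than accepting any root.
//
// Assumptions (not in the post): `serverIdentity` (SecIdentityRef) and
// `pinnedClientCert` (SecCertificateRef) are loaded elsewhere, and the
// target is OS X 10.9 / iOS 5 or later.

#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <Security/SecureTransport.h>

// Build a Secure Transport context that demands client authentication and
// attach it to the stream. Must run before the stream is opened; the stream
// installs its own I/O functions and performs the handshake on open.
static BOOL InstallServerSSLContext(NSOutputStream *output,
                                    SecIdentityRef serverIdentity)
{
    SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault,
                                         kSSLServerSide, kSSLStreamType);
    if (ctx == NULL) {
        return NO;
    }

    // Same shape as kCFStreamSSLCertificates: the identity comes first,
    // optional intermediates would follow.
    NSArray *chain = @[ (__bridge id)serverIdentity ];
    OSStatus err = SSLSetCertificate(ctx, (__bridge CFArrayRef)chain);

    // This is the setting the CFStream keys do not expose. With
    // kAlwaysAuthenticate the server sends a CertificateRequest and the
    // handshake fails if the client presents no certificate; without it the
    // client never sends one and kCFStreamPropertySSLPeerTrust stays nil.
    if (err == errSecSuccess) {
        err = SSLSetClientSideAuthenticate(ctx, kAlwaysAuthenticate);
    }
    // Refuse anything older than TLS 1.2 instead of pinning the level to TLSv1.
    if (err == errSecSuccess) {
        err = SSLSetProtocolVersionMin(ctx, kTLSProtocol12);
    }

    BOOL ok = (err == errSecSuccess) &&
              [output setProperty:(__bridge id)ctx
                           forKey:(NSString *)kCFStreamPropertySSLContext];
    CFRelease(ctx);   // the stream keeps its own reference to the context
    return ok;
}

// Evaluate the client's chain against exactly one anchor. A self-signed
// client certificate never chains to a system root, so the pinned
// certificate must be the sole trusted anchor, and the leaf is compared
// byte for byte on top of that.
static BOOL PeerTrustMatchesPin(SecTrustRef peerTrust,
                                SecCertificateRef pinnedClientCert)
{
    NSArray *anchors = @[ (__bridge id)pinnedClientCert ];
    if (SecTrustSetAnchorCertificates(peerTrust,
                                      (__bridge CFArrayRef)anchors) != errSecSuccess ||
        SecTrustSetAnchorCertificatesOnly(peerTrust, true) != errSecSuccess) {
        return NO;
    }

    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(peerTrust, &result) != errSecSuccess) {
        return NO;
    }
    // Unspecified = valid against our anchor with no explicit user decision.
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) {
        return NO;
    }

    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(peerTrust, 0);
    NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
    NSData *pinDER  = CFBridgingRelease(SecCertificateCopyData(pinnedClientCert));
    return [leafDER isEqualToData:pinDER];
}

// Call from the stream delegate on the first event after the handshake
// (e.g. NSStreamEventHasBytesAvailable). Returns NO, and the caller should
// close both streams, if no client chain is present or it is not the pinned one.
static BOOL ClientIsTrusted(NSOutputStream *output,
                            SecCertificateRef pinnedClientCert)
{
    SecTrustRef trust = (__bridge SecTrustRef)
        [output propertyForKey:(NSString *)kCFStreamPropertySSLPeerTrust];
    if (trust == NULL) {
        // No certificate was requested, or the handshake has not completed yet.
        return NO;
    }
    return PeerTrustMatchesPin(trust, pinnedClientCert);
}
```

Because the whole trust decision is made in PeerTrustMatchesPin, the kCFStreamSSLAllowsAnyRoot / kCFStreamSSLValidatesCertificateChain flags are not needed at all; the stream is told nothing about trust and the server decides itself, which is the pattern to use for self-signed peers. On newer SDKs SecTrustEvaluate is deprecated in favour of SecTrustEvaluateWithError, but the anchor setup is the same.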

_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)