> On 14 Jan 2016, at 12:12, Norbert Hartl <norb...@hartl.name> wrote:
>
>>
>> Am 12.01.2016 um 16:25 schrieb Sven Van Caekenberghe <s...@stfx.eu>:
>>
>> Given a ZdcSecureSocketStream you can access the #sslSession. In this
>> session object you can use #certificateName: to set the path or name of the
>> certificate (before you #connect !). That is the general idea.
>>
>> Now, I don't know if this works or not. Be prepared to look in the plugin C
>> code! On Linux this will probably work.
>>
>> And please let us know how it goes ;-)
>>
>>> On 12 Jan 2016, at 16:05, Norbert Hartl <norb...@hartl.name> wrote:
>>>
>>> Is there a way to make SSL connections to the outside world using client
>>> certificates from pharo?
>>>
>
> There were some issues with certificates. I tested a lot but did an error on
> the way. Now I did everything again like creating certificates etc. I could
> establish a connection from a linux machine. At least it doesn't signal
> anything an tells it is connected.
So that *is* good news ! If you could share more details, that might help
others as well.
> On Mac OS it does not work.
Have you seen the C source code of the Mac SSL Plugin ? It is written against
an API from Mac OS System 7, from before Mac OS X, that is an OS from last
century, ~199X. This is ancient, you won't find many developers who want to
work on that, nor does it make sense towards the future.
OpenSSL is also available standard on Mac OS X, the Linux plugin could just as
well be used there (give or take).
> I think it has something to do with the certificate authority. On linux the
> CA of the apple server is installed system wide. The SSL plugin code only
> looks for the certificate and the key but not for the CA. So under linux it
> finds it in the system but on Mac OS I couldn't do the same. I imported the
> CA in the keychain but openssl does not seem to find it there.
It is very simple why it does not work on Mac (like I said), it is just not
implemented !
Try finding where certName is used in sqMacSSL.c, there is a setter and getter,
but it is simply not used, so it can never work.
In sqUnixOpenSSL.c on the other hand, there is
/* if a cert is provided, use it */
if(ssl->certName) {
if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n",
ssl->certName);
if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName,
SSL_FILETYPE_PEM)<=0)
ERR_print_errors_fp(stderr);
if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName,
SSL_FILETYPE_PEM)<=0)
ERR_print_errors_fp(stderr);
}
Sven
> Norbert
