> On 14.01.2016 at 12:42, Sven Van Caekenberghe <s...@stfx.eu> wrote:
>
>> On 14 Jan 2016, at 12:12, Norbert Hartl <norb...@hartl.name> wrote:
>>
>>> On 12.01.2016 at 16:25, Sven Van Caekenberghe <s...@stfx.eu> wrote:
>>>
>>> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
>>>
>>> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
>>>
>>> And please let us know how it goes ;-)
>>>
>>>> On 12 Jan 2016, at 16:05, Norbert Hartl <norb...@hartl.name> wrote:
>>>>
>>>> Is there a way to make SSL connections to the outside world using client certificates from Pharo?
>>>>
>>
>> There were some issues with certificates. I tested a lot but made an error on the way. Now I did everything again, like creating certificates etc. I could establish a connection from a Linux machine. At least it doesn't signal anything and tells me it is connected.
>
> So that *is* good news! If you could share more details, that might help others as well.

I'm on it :)

>> On Mac OS it does not work.
>
> Have you seen the C source code of the Mac SSL Plugin? It is written against an API from Mac OS System 7, from before Mac OS X, that is an OS from last century, ~199X. This is ancient, you won't find many developers who want to work on that, nor does it make sense towards the future.
>
> OpenSSL is also available standard on Mac OS X, the Linux plugin could just as well be used there (give or take).
>
>> I think it has something to do with the certificate authority. On Linux the CA of the Apple server is installed system-wide. The SSL plugin code only looks for the certificate and the key but not for the CA. So under Linux it finds it in the system, but on Mac OS I couldn't do the same. I imported the CA in the keychain but openssl does not seem to find it there.
>
> It is very simple why it does not work on Mac (like I said), it is just not implemented!
>
> Try finding where certName is used in sqMacSSL.c, there is a setter and getter, but it is simply not used, so it can never work.
>
> In sqUnixOpenSSL.c on the other hand, there is
>
>     /* if a cert is provided, use it */
>     if(ssl->certName) {
>         if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n", ssl->certName);
>         if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
>             ERR_print_errors_fp(stderr);
>
>         if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
>             ERR_print_errors_fp(stderr);
>     }

Oops, I was only looking at the Unix code, assuming it would be used for Mac OS as well. In the Mac code there is

    /* Disable cert verification since we do that ourselves */
    status = SSLSetEnableCertVerify(ssl->ctx, false);

I don't understand the comment. But reading it I think this would "solve" the problem as well :)

Norbert
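As an added illustration of the procedure Sven describes in the thread (this is not code from the thread, from Zodiac or from the SSL plugin), here is a Pharo snippet that sets the certificate on the session before #connect. It assumes the Linux (OpenSSL) plugin, since Sven's quoted excerpt shows that sqMacSSL.c never uses certName; it assumes a hypothetical combined PEM file at /etc/pharo/client.pem, because the quoted sqUnixOpenSSL.c code passes the single certName path to both SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file, so certificate and key must be in that one file; it assumes the server's CA is already trusted by the system OpenSSL store, since that plugin code loads no CA of its own; and it assumes a hypothetical host example.invalid plus the Zodiac stream calls (openConnectionToHostNamed:port:, ascii, connect, upToEnd) as I understand them.

```smalltalk
"Added example, not part of the mailing-list thread or of Zodiac/Zinc.
 Assumes the Linux OpenSSL SSL plugin, a hypothetical combined PEM file
 holding the client certificate followed by its private key (built, for
 instance, with: cat client.crt client.key > client.pem), a CA already
 trusted by the system OpenSSL store, and a hypothetical TLS server at
 example.invalid that requests a client certificate."

| certPath stream session response |
certPath := '/etc/pharo/client.pem'.   "hypothetical path"

"Open the raw TCP connection; no TLS handshake has happened yet."
stream := ZdcSecureSocketStream
    openConnectionToHostNamed: 'example.invalid'
    port: 443.
stream ascii.

"The plugin reads certName only while setting up its SSL_CTX, so the
 certificate must be configured on the session *before* #connect.
 On the Mac plugin this call is accepted but has no effect."
session := stream sslSession.
session certificateName: certPath.

"Perform the TLS handshake. The Linux plugin calls
 SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file with
 certPath, so both PEM blocks must live in that one file; if the key
 is missing, the errors land on stderr of the VM, not in the image."
stream connect.

"Send a minimal request and read the reply. A server that rejected the
 client certificate would have aborted the handshake in #connect."
stream
    nextPutAll: 'GET / HTTP/1.1'; nextPutAll: String crlf;
    nextPutAll: 'Host: example.invalid'; nextPutAll: String crlf;
    nextPutAll: 'Connection: close'; nextPutAll: String crlf;
    nextPutAll: String crlf;
    flush.
response := stream upToEnd.
stream close.
response
```

When trying this, run the VM from a terminal: the plugin reports a bad or missing PEM via ERR_print_errors_fp(stderr), which the image never sees, so an apparently successful #connect is only meaningful once stderr is clean and the server actually required the client certificate.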