By adding to the kCFStreamPropertySSLSettings dictionary the usual kCFStreamSSLValidatesCertificateChain, kCFStreamSSLAllowsAnyRoot, etc - I can make server & client authentication work.
However I fail to see how I can get this more fine grained; i.e.
- detect a cert of server/CA never seen - and escalate acceptance up to the user.
- validate a cert of the server I am connected to against a narrow trust list (e.g. the cert learned about during a previous connect).
I.e. what I am looking for is 1) something like the SSLSetTrustedRoots() on MacOSX and 2) something like the error/domain callbacks in kCFStreamErrorDomainSSL (e.g. errSSLPeerCertUnknown) - none of which seems defined/accessible on the iPad/iPhone 4.2.1.
Or am I missing something? Or do I need to do something explicit on the callback? Examples appreciated (the AdvancedURLConnections example is not quite applicable - I have a raw (IRC) socket).
Thanks,
Dw.
Set kCFStreamSSLValidatesCertificateChain to kCFBooleanFalse and manually verify the cert with the APIs.
Specifically, use
SecTrustCreateWithCertificates
with the certificates you get from
CFReadStreamCopyProperty(readStream, kCFStreamPropertySSLPeerCertificates);
Then, you can use
SecTrustSetAnchorCertificates
and finally call
SecTrustEvaluate
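Putting the answer's steps together as an added example (my code, not the answerer's): a helper that pins the peer chain to a caller-supplied anchor list and separates "root not in my list, ask the user" from an outright invalid chain. VerifyPeerAgainstPinnedAnchors, PinnedTrustVerdict, hostname and pinnedAnchors are my names; it assumes the stream was opened with kCFStreamSSLValidatesCertificateChain set to kCFBooleanFalse, and it uses SecPolicyCreateSSL and SecTrustSetAnchorCertificatesOnly, which the answer does not mention.

```objectivec
#import <CoreFoundation/CoreFoundation.h>
#import <Security/Security.h>

typedef enum {
    PinnedTrustOK,        // chain verified against the pinned anchors
    PinnedTrustUnknown,   // chain is well-formed but no pinned anchor matches: ask the user
    PinnedTrustFailed     // chain is invalid (no cert, bad signature, hostname mismatch, ...)
} PinnedTrustVerdict;

// Verify the peer certificates presented on readStream against the caller's own
// anchor list (e.g. DER certs saved from an earlier connection). Assumes the stream
// was configured with kCFStreamSSLValidatesCertificateChain = kCFBooleanFalse so that
// CFStream does not reject the chain itself (hypothetical helper, not an Apple API).
static PinnedTrustVerdict VerifyPeerAgainstPinnedAnchors(CFReadStreamRef readStream,
                                                          CFStringRef hostname,
                                                          CFArrayRef pinnedAnchors) {
    CFArrayRef peerCerts = (CFArrayRef)CFReadStreamCopyProperty(readStream, kCFStreamPropertySSLPeerCertificates);
    if (peerCerts == NULL || CFArrayGetCount(peerCerts) == 0) {
        if (peerCerts) CFRelease(peerCerts);
        return PinnedTrustFailed;   // no certificate presented at all
    }
    // SSL server policy: checks validity dates, signatures and that the leaf matches hostname.
    SecPolicyRef policy = SecPolicyCreateSSL(true, hostname);
    SecTrustRef trust = NULL;
    PinnedTrustVerdict verdict = PinnedTrustFailed;

    if (SecTrustCreateWithCertificates(peerCerts, policy, &trust) == errSecSuccess) {
        // Replace the system roots with the narrow trust list and forbid any other root.
        SecTrustSetAnchorCertificates(trust, pinnedAnchors);
        SecTrustSetAnchorCertificatesOnly(trust, true);

        SecTrustResultType result = kSecTrustResultInvalid;
        if (SecTrustEvaluate(trust, &result) == errSecSuccess) {
            switch (result) {
                case kSecTrustResultUnspecified:  // valid and chains to a pinned anchor
                case kSecTrustResultProceed:
                    verdict = PinnedTrustOK; break;
                case kSecTrustResultRecoverableTrustFailure:
                    // Typically "root not in pinnedAnchors", but also e.g. an expired cert:
                    // inspect the chain before offering the user an accept/reject choice.
                    verdict = PinnedTrustUnknown; break;
                default:
                    verdict = PinnedTrustFailed; break;
            }
        }
    }
    if (trust) CFRelease(trust);
    CFRelease(policy);
    CFRelease(peerCerts);
    return verdict;
}
```

To build pinnedAnchors from a previous connect, persist the DER bytes from SecCertificateCopyData() of the cert the user accepted and recreate it later with SecCertificateCreateWithData(); the hostname check is what stops a pinned cert for one server being replayed for another.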