Fix for self-signed client certificates on iOS 5 (alternate) #314
1.) Restructure handling of SSL options (i.e., kCFStreamPropertySSLSettings) so that disabling SSL certificate verification and adding an SSL client certificate are not mutually exclusive. Also removed several settings which appear unneeded to successfully use a self-signed certificate / a certificate using a self-generated CA based on my testing; further context on the necessity of these options (kCFStreamSSLAllowsExpiredCertificates, kCFStreamSSLAllowsAnyRoot, setting kCFStreamSSLPeerName to kCFNull) would be useful.
2.) Add option to specify an SSL CA certificate to use instead of the normal root certificates for verifying a server certificate. Note that this isn't handled in an ideal fashion - certificate verification is completely disabled for the initial handshake, then manually checked on the first read event (i.e., when handleNetworkEvent gets a kCFStreamEventHasBytesAvailable event). I was unable to succeed at other methods of adding a root CA certificate (adding it to the keychain, altering the SSL context).
FYI, this is my first time using GitHub/submitting, so feedback is welcome.
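The two-step check described in item 2, as an added example that is not the code from this pull request: chain validation is switched off for the handshake, then the peer's chain is evaluated against only the supplied CA before any bytes are consumed. The function names, the `caCert` and `host` parameters, and the explicit hostname policy are assumptions; the code is written for manual reference counting (no ARC).

```objective-c
// Added example: function and parameter names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CFNetwork/CFNetwork.h>

// Step 1, before opening the stream: turn off the built-in chain check so the
// handshake completes for a server whose CA is not in the system root store.
static void DisableBuiltInChainValidation(CFReadStreamRef stream) {
    NSDictionary *ssl = [NSDictionary dictionaryWithObject:(id)kCFBooleanFalse
                                forKey:(id)kCFStreamSSLValidatesCertificateChain];
    CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings, (CFDictionaryRef)ssl);
}

// Step 2, on the first kCFStreamEventHasBytesAvailable and before reading:
// rebuild a trust object from the peer's certificates and evaluate it with the
// custom CA as the only anchor. Returns YES only if the chain and host match.
static BOOL PeerChainsToCA(CFReadStreamRef stream, SecCertificateRef caCert, NSString *host) {
    SecTrustRef peerTrust =
        (SecTrustRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLPeerTrust);
    if (peerTrust == NULL) return NO;              // no TLS peer information: fail closed

    CFIndex count = SecTrustGetCertificateCount(peerTrust);
    NSMutableArray *chain = [NSMutableArray arrayWithCapacity:(NSUInteger)count];
    for (CFIndex i = 0; i < count; i++) {
        [chain addObject:(id)SecTrustGetCertificateAtIndex(peerTrust, i)];
    }
    CFRelease(peerTrust);                          // the array retains the certificates
    if (count == 0) return NO;

    // SSL server policy bound to the expected host name (an assumption of this
    // example), so a valid certificate issued for another host is rejected.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (CFStringRef)host);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((CFArrayRef)chain, policy, &trust);
    CFRelease(policy);
    if (status != errSecSuccess || trust == NULL) return NO;

    // Trust the supplied CA and nothing else (system roots are excluded).
    status = SecTrustSetAnchorCertificates(trust, (CFArrayRef)[NSArray arrayWithObject:(id)caCert]);
    if (status == errSecSuccess) status = SecTrustSetAnchorCertificatesOnly(trust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    if (status == errSecSuccess) status = SecTrustEvaluate(trust, &result);
    CFRelease(trust);

    return status == errSecSuccess &&
           (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}
```

If `PeerChainsToCA` returns NO, close the stream without reading or sending anything further. On current SDKs `SecTrustEvaluate` is deprecated in favour of `SecTrustEvaluateWithError`.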