How am I able to communicate on a self-signed SSL connection, even though I haven’t imported the certificate to the device?

I am using Objective C for SSL read & write streams with a self-signed certificate.

However, I am not importing any certificate onto the device or system, but I am still able to communicate with the SSL server.

Please help me to understand how this is possible.

MacBook Pro 14″, macOS 12.0

Posted on Jun 23, 2022 3:54 AM

Question marked as Top-ranking reply

Posted on Jun 23, 2022 7:47 AM

Self-signed certificates are no different than commercially-signed certificates, save for the distribution of the root certificate public key. The root certificates for commercial certs are already loaded in most (~all) systems. The private certificates need their root certificates securely distributed and securely loaded. Once loaded, both paid and free types function identically.


As for your issue, it’s possible that the certificates selected for the connection are not the private certificates, or the certificate checks (of server from/on client, and of client from/on server) are not implemented or are miscoded.


There are various TLS frameworks available here too, and both integrated and add-on, and some are easier to code with than others.


5 replies

Jun 23, 2022 6:17 PM in response to SuryaSingams

You need to specify the certificate you want to identify with, and the certificate chain you want to reference on the recipient if it’s not already loaded.


I’d encourage spending some time with TLS docs, as this stuff is Really Easy to mess up. Particularly on the older APIs.


FeistyDuck has some good intro (free) and advanced (not free) TLS docs, though not specific to Secure Transport.

Jun 23, 2022 8:30 AM in response to MrHoffman

Hi


Thanks for your reply. Actually, we are just setting the properties below and not importing any self-signed/private certificate.

SSL properties:

 // NO turns off validation of the server's certificate chain entirely
 [SSLOptions setObject:[NSNumber numberWithBool:NO] forKey:(NSString *)kCFStreamSSLValidatesCertificateChain];
 [SSLOptions setObject:(NSString *)kCFStreamSocketSecurityLevelNegotiatedSSL forKey:(NSString *)kCFStreamSSLLevel];
 [SSLOptions setObject:(NSString *)kCFStreamSocketSecurityLevelNegotiatedSSL forKey:(NSString *)kCFStreamPropertySocketSecurityLevel];
 // client side of the connection
 [SSLOptions setObject:[NSNumber numberWithBool:NO] forKey:(NSString *)kCFStreamSSLIsServer];



The expectation is that the private SSL connection should fail, but surprisingly it is working; I am not sure how it is working.

Could you please suggest whether the application does a default certificate check against the system root certificates in the above case, or whether we need to explicitly set kCFStreamSSLValidatesCertificateChain to 'YES'?


Actually, with a public root certificate (DigiCert Root CA) and the above property set to YES, we are not able to make the SSL connection.


Could you please provide any reference on how to handle SSL communication with Objective C code?


I appreciate your help.


Thanks,

Surya
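To make the behaviour in this post concrete, here is an added example (not code from any of the posters or from Apple): with kCFStreamSSLValidatesCertificateChain set to NO, Secure Transport performs no chain validation at all, which is why a server presenting a self-signed certificate is accepted without anything in the Keychain. The second configuration keeps that setting but pins the expected server certificate and evaluates the stream's kCFStreamPropertySSLPeerTrust against it before any application data is sent, closing the stream on failure. The certificate file path and host name are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed: the server's self-signed certificate in DER form, distributed out of band
// and bundled with the app (placeholder path).
static SecCertificateRef LoadPinnedAnchor(void) {
    NSData *der = [NSData dataWithContentsOfFile:@"/path/to/server.cer"];
    if (!der) return NULL;
    return SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
}

// Weak settings as posted in the thread: chain validation is switched off and nothing
// replaces it, so any certificate (self-signed or otherwise) is accepted.
static NSDictionary *WeakSSLSettings(void) {
    return @{ (id)kCFStreamSSLValidatesCertificateChain : @NO,
              (id)kCFStreamSSLIsServer : @NO };
}

// Pinned settings: the handshake is still allowed to complete (otherwise the
// self-signed chain is rejected before we can inspect it), the expected host name is
// fixed, and PeerTrustIsPinned() below must pass before the first write.
static NSDictionary *PinnedSSLSettings(NSString *host) {
    return @{ (id)kCFStreamSSLValidatesCertificateChain : @NO,
              (id)kCFStreamSSLPeerName : host,
              (id)kCFStreamSSLIsServer : @NO };
}

// Call on NSStreamEventOpenCompleted. Returns YES only if the server's chain evaluates
// successfully with the pinned certificate as the sole trust root (system roots ignored).
static BOOL PeerTrustIsPinned(NSInputStream *input, SecCertificateRef anchor) {
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(
        (__bridge CFReadStreamRef)input, kCFStreamPropertySSLPeerTrust);
    if (!trust) return NO;
    NSArray *anchors = @[ (__bridge id)anchor ];
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);
    CFErrorRef error = NULL;
    BOOL ok = SecTrustEvaluateWithError(trust, &error);  // macOS 10.14+ / iOS 12+
    if (error) CFRelease(error);
    CFRelease(trust);
    if (!ok) [input close];   // never send application data over an unverified peer
    return ok;
}

// Usage: [input setProperty:PinnedSSLSettings(@"server.example")
//                     forKey:(__bridge NSString *)kCFStreamPropertySSLSettings];
// then, in the stream delegate on open, check PeerTrustIsPinned(input, LoadPinnedAnchor()).
```

With WeakSSLSettings() the connection succeeds against any server, which is the observation in the post; with PinnedSSLSettings() plus the trust check it succeeds only against the server whose certificate was bundled.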

Jun 23, 2022 8:47 AM in response to SuryaSingams

I don’t have TLS app code using Objective C, nor with Secure Transport. Not that I can post here. (I might have some Swift code that can be posted, but will have to check that.)


I don’t see kCFStreamSSLCertificates or ilk in your setup. No identity certificate was referenced. From what I can see here, you’re not referencing the private cert you want to use, nor presumably its chain on the connection recipient. You need to tell TLS what cert you want to use, if not the default.


I’m bumping into myriad deprecated APIs all over here, too. Including one closely related to the kCFStreamSSLCertificates above: Apple Developer Documentation


Jun 23, 2022 5:57 PM in response to MrHoffman

Hi,

Exactly, I am not setting any certificate reference, but I am still able to communicate with the self-signed certificate on the server, which I am not clear about.

As per the above documentation, we can see that specifying a client certificate is optional; in that case, how does the client validate the server certificate on the initial handshake?

If the certificate is globally trusted, we can assume that it is picking it from the system Keychain, but in the case of self-signed, it is not part of the Keychain either.


If I set the validate Keychain property to YES then the connection with the public certificate is also not working.


Any help on this?


Thanks

Surya

