[Development] No SSL on iOS ?

Jeremy Lainé jeremy.laine at m4x.org
Fri May 2 10:16:10 CEST 2014


On 05/01/2014 03:51 PM, Jeremy Lainé wrote:
> One problem I am going to run into is that Apple's API doesn't seem to provide error
> details when a certificate check fails (SecTrustEvaluate), so I don't think we'll get as
> fine-grained QSslError's as when using OpenSSL. I have however managed to implement the
> pattern used in the OpenSSL implementation:
>
> - start handshake
> - emit sslErrors if appropriate
> - allow ignoring the errors using ignoreSslErrors
> - complete handshake

OK it looks as though I was overly optimistic, I just realised I was relying on some
functions only available on OS X, not iOS.

From what I can tell, we can't even do subject / alternative subject name validation
ourselves, as SecCertificateCopyValues is not exposed on OSX. So, it looks as though we
can either:

- let secure transport do all the checks (name, trust chain, ..) which will result in
either success or a failure, with no ability to ignore SSL errors when they occur

- disable checks altogether before starting the handshake => totally insecure

Bottom line: connecting to hosts with valid certificates is OK, connecting to anything
else (self-signed certs, name mismatches) basically nullifies the security promise as we
can't check the errors. Is it worth continuing, to at least support the happy path?

Cheers,
Jeremy
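The handshake flow quoted at the top of the message (start handshake, emit the verification errors, let the application ignore them, complete or abort) and the all-or-nothing alternative the author describes for Secure Transport can be modelled side by side. The following is an added example, not code from Qt or from the author; the error names, the pinned-fingerprint policy and the certificate bytes are constructed stand-ins. Its point is the defensive one the thread is circling: if an application does get to ignore errors, it should ignore a named error for a specific pinned certificate, never everything, and never a host name mismatch.

```python
"""Model of the QSslSocket-style verification flow discussed in the thread:
start handshake -> collect errors -> application ignores an explicit subset
-> complete or abort.  Added example; not Qt's or the author's code."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum, auto


class SslError(Enum):
    # Constructed stand-ins for the fine-grained errors an OpenSSL backend reports.
    SELF_SIGNED_CERTIFICATE = auto()
    HOST_NAME_MISMATCH = auto()
    CERTIFICATE_EXPIRED = auto()
    UNABLE_TO_GET_ISSUER = auto()


@dataclass
class PeerCertificate:
    der: bytes        # constructed stand-in for the DER-encoded certificate
    subject_cn: str

    def sha256(self) -> str:
        """Fingerprint used to pin the one certificate we are willing to excuse."""
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class IgnorePolicy:
    """Errors the application may accept, but only for one pinned certificate."""
    pinned_sha256: str
    ignorable: frozenset = field(default_factory=frozenset)

    # A host name mismatch is exactly what an active interceptor produces,
    # so no policy is allowed to wave it through.
    NEVER = frozenset({SslError.HOST_NAME_MISMATCH})

    def allows(self, cert: PeerCertificate, error: SslError) -> bool:
        if error in self.NEVER:
            return False
        return cert.sha256() == self.pinned_sha256 and error in self.ignorable


def complete_handshake(cert: PeerCertificate, errors: list, policy: IgnorePolicy = None):
    """Return (succeeded, remaining_errors).

    policy=None models the Secure Transport situation from the thread: the
    backend only reports success or failure, so any error aborts and nothing
    can be selectively ignored.  With a policy, the OpenSSL-style flow applies:
    errors are individually inspected and only the permitted ones are dropped.
    """
    if not errors:
        return True, []
    if policy is None:
        return False, list(errors)
    remaining = [e for e in errors if not policy.allows(cert, e)]
    return (not remaining), remaining


def disable_verification(cert: PeerCertificate, errors: list):
    """The 'disable checks altogether' option: every error, including a name
    mismatch, is silently accepted.  Kept here only to show what it discards."""
    return True, []


if __name__ == "__main__":
    dev_cert = PeerCertificate(der=b"constructed-dev-cert", subject_cn="dev.local")
    policy = IgnorePolicy(pinned_sha256=dev_cert.sha256(),
                          ignorable=frozenset({SslError.SELF_SIGNED_CERTIFICATE}))
    print(complete_handshake(dev_cert, [SslError.SELF_SIGNED_CERTIFICATE], policy))
    print(complete_handshake(dev_cert, [SslError.SELF_SIGNED_CERTIFICATE,
                                        SslError.HOST_NAME_MISMATCH], policy))
    print(complete_handshake(dev_cert, [SslError.SELF_SIGNED_CERTIFICATE]))
```

Run as a script it prints the three outcomes: the pinned self-signed development certificate is accepted, the same certificate with a name mismatch is still rejected, and without a policy (the Secure Transport case) even the pinned certificate aborts the handshake.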
