[Development] No SSL on iOS ?

Kurt Pattyn pattyn.kurt at gmail.com
Fri May 2 10:31:33 CEST 2014


Could this be a solution: https://github.com/x2on/OpenSSL-for-iPhone ?
This project provides a script to make a static build of OpenSSL to be used on iOS 4.3 - iOS 7.1.

Cheers,

Kurt

On 02 May 2014, at 10:16, Jeremy Lainé <jeremy.laine at m4x.org> wrote:

> On 05/01/2014 03:51 PM, Jeremy Lainé wrote:
>> One problem I am going to run into is that Apple's API doesn't seem to provide error
>> details when a certificate check fails (SecTrustEvaluate), so I don't think we'll get as
>> fine-grained QSslError's as when using OpenSSL. I have however managed to implement the
>> pattern used in the OpenSSL implementation:
>> 
>> - start handshake
>> - emit sslErrors if appropriate
>> - allow ignoring the errors using ignoreSslErrors
>> - complete handshake
> 
> OK it looks as though I was overly optimistic, I just realised I was relying on some
> functions only available on OS X, not iOS.
> 
> From what I can tell, we can't even do subject / alternative subject name validation
> ourselves, as SecCertificateCopyValues is not exposed on OSX. So, it looks as though we
> can either:
> 
> - let secure transport do all the checks (name, trust chain, ..) which will result in
> either success or a failure, with no ability to ignore SSL errors when they occur
> 
> - disable checks altogether before starting the handshake => totally insecure
> 
> Bottom line: connecting to hosts with valid certificates is OK, connecting to anything
> else (self-signed certs, name mismatches) basically nullifies the security promise as we
> can't check the errors. Is it worth continuing, to at least support the happy path?
> 
> Cheers,
> Jeremy
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development
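
The trade-off discussed in this thread, as an added example that is not part of the original messages and is neither Qt nor Secure Transport code: a plain C++ model of the decision an application can make when the TLS backend reports each error (the sslErrors / ignoreSslErrors pattern) versus when it only reports pass or fail. All type names, function names and fingerprint strings are hypothetical.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical model types: not QSslError and not Apple's Secure Transport API.
enum class TlsError { SelfSigned, HostNameMismatch, Expired };

struct ReportedError {
    TlsError kind;
    std::string certFingerprint;  // constructed placeholder, not a real hash
    bool operator==(const ReportedError &o) const {
        return kind == o.kind && certFingerprint == o.certFingerprint;
    }
};

// Backend that reports each error: complete the handshake only when every
// reported error is one the application explicitly expects for this peer.
bool completeWithErrorList(const std::vector<ReportedError> &reported,
                           const std::vector<ReportedError> &expected)
{
    return std::all_of(reported.begin(), reported.end(),
        [&](const ReportedError &e) {
            return std::find(expected.begin(), expected.end(), e) != expected.end();
        });
}

// Backend that reports only pass or fail: the application cannot tell a known
// self-signed certificate from any other failure, so the only way to reach
// such a host is to disable the checks, which accepts every certificate.
bool completeWithPassFail(bool evaluationPassed, bool checksDisabled)
{
    return checksDisabled || evaluationPassed;
}

int main()
{
    const ReportedError pinned{TlsError::SelfSigned, "constructed-fp-known-host"};
    const ReportedError other{TlsError::SelfSigned, "constructed-fp-unknown"};
    const ReportedError mismatch{TlsError::HostNameMismatch, "constructed-fp-known-host"};

    bool ok = completeWithErrorList({pinned}, {pinned})            // expected error only
           && !completeWithErrorList({other}, {pinned})            // different certificate
           && !completeWithErrorList({pinned, mismatch}, {pinned}) // extra, unexpected error
           && !completeWithPassFail(false, false)                  // failure: must abort
           && completeWithPassFail(false, true);                   // checks off: accepts anything
    return ok ? 0 : 1;
}
```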



