Sorry, I was misinterpreting what I was seeing in the apache log.

A client certificate is **not** being sent back to the server upon request from 
the server.

We can also see this by setting breakpoints on SSLHandshake and 
SSLSetCertificate.  SSLHandshake is getting called at the right times and 
SSLSetCertificate -- which in the case of the client would be used for setting 
the **client** certificate -- is never called.

We can see from the apache logs and from testing in a browser that the server 
is correctly asking the client for a client certificate.

We have tried creating a self-signed CA cert and using it to sign a newly 
created client cert.  We then put the client cert in the keychain for the 
logged-in user (the test user who is launching the client app), log out/log in, 
make the adjustments to the Apache config, restart Apache, and try launching the 
client again.  Same problem.  SSLSetCertificate is never called and the 2-way 
handshake fails when no client cert is provided.

Interestingly, the movie playback APIs on iOS actually do this implicitly using 
a pre-installed Apple client cert.

That's okay, but ideally we would like to be able to provide our own client 
certs.  Failing that, we'll settle for using a pre-installed Apple cert if 
that's the only way it can be done.


-GH

----- Original Message -----
From: Glen Haderman <glenhader...@yahoo.com>
To: "cocoa-dev@lists.apple.com" <cocoa-dev@lists.apple.com>
Cc: 
Sent: Tuesday, July 12, 2011 10:03 AM
Subject: QTMovie/QTMovieLayer and SSL client authentication...

We can see from the Apache logs that QTMovie does hand over a client 
certificate when the server asks for it during an SSL handshake.

But we cannot tell which certificate it is and which CA cert that we need to 
use on the server side (the CA cert that generated the client cert).

This is a little upside down.  Typically with certificate client 
authentication, the CA cert is in hand first and the client cert is generated 
from it and bundled with the client component.  In this case, QTMovie is hiding 
its internal client cert and the process by which it hands it back to the 
server upon request, and there's no documentation explaining how all of this is 
done and -- more importantly -- which CA cert was used to generate it.


Has anyone successfully done 2-way SSL authentication from a QTMovie before?

If so, what CA cert did you use on the server side?


edited snippet:

        // ourwebproxy.com is running Apache 2 on Mac OS X and has the
        // following client authentication settings:
        //   SSLCACertificateFile  /private/etc/apache2/certs_and_keys/all_pre-installed_ca_certs_from_system_keychain_concatenated.pem
        //   SSLVerifyClient       require
        //   SSLVerifyDepth        10
        NSURL * url = [NSURL URLWithString:@"https://ourwebproxy.com/themovie.mp4"];

        ....

        // Open the movie for playback, asynchronously, from the HTTPS URL.
        NSDictionary * attributes = [NSDictionary dictionaryWithObjectsAndKeys:
                                        url, QTMovieURLAttribute,
                                        [NSNumber numberWithBool:YES], QTMovieOpenForPlaybackAttribute,
                                        [NSNumber numberWithBool:YES], QTMovieOpenAsyncOKAttribute,
                                        nil];

        movie = [[QTMovie alloc] initWithAttributes:attributes error:nil];

        ....

        movielayer = [QTMovieLayer layerWithMovie:movie];

-GH
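The two messages above turn on one question: which CA certificate must the Apache side trust so that a client certificate presented during the handshake is accepted (SSLCACertificateFile, SSLVerifyClient require). The script below is an added example, not code from either message or from Apple or Apache: it creates a private CA, issues a client certificate from it, shows how to read the issuer off a certificate to identify the CA the server needs, checks the chain the way mod_ssl would, and packages the key and certificate as PKCS#12 for import into a login keychain. It assumes the openssl command-line tool is on PATH; the names "Example Client CA", "movie-client", "Unrelated CA", the password and the working directory are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: stand up a private CA, issue a
# client certificate from it, and show how to tell which CA cert the Apache
# side (SSLCACertificateFile) must trust. Requires the openssl CLI on PATH.
# All names (Example Client CA, movie-client, Unrelated CA) and paths are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA and a client certificate signed by it.
make_client_cert() {
    # 1. Self-signed CA: this single file is what SSLCACertificateFile should contain.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # 2. Client key plus certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=movie-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    # 3. Issue the client certificate from the CA.
    openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
}

# An unrelated CA, used to show that a server configured with it rejects
# certificates it did not issue.
make_other_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Print the issuer DN of a certificate; this names the CA cert the server needs.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Return 0 only if the client cert chains to the given CA file, which is the
# check mod_ssl performs when SSLVerifyClient is set to require.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Package key + cert (+ issuing CA) as PKCS#12 for import into a login keychain.
make_p12() {
    openssl pkcs12 -export -passout pass:changeit \
        -inkey "$WORK/client.key" -in "$WORK/client.pem" -certfile "$WORK/ca.pem" \
        -out "$WORK/client.p12"
}

make_client_cert
echo "client cert issuer: $(cert_issuer "$WORK/client.pem")"
echo "files in $WORK: ca.pem (for SSLCACertificateFile), client.pem, client.key"
```

Two points follow from running it. First, the issuer DN printed by cert_issuer is exactly what has to appear in the file named by SSLCACertificateFile; pointing that directive at a concatenation of every pre-installed system CA, as in the snippet above, makes mod_ssl accept a client certificate issued by any of those public CAs rather than only the ones you issued, and a single purpose-built CA such as ca.pem here narrows that to clients you control (with a direct issuer, SSLVerifyDepth 1 is enough). Second, for confirming what a client actually sends, mod_ssl exposes the presented certificate's subject as the SSL_CLIENT_S_DN variable, which can be added to a LogFormat, and `openssl s_client -cert client.pem -key client.key -connect host:443` lets you check from the command line that the server accepts a certificate from this CA independently of QTMovie.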
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/glenhaderman%40yahoo.com

This email sent to glenhader...@yahoo.com
