TL;DR: I’m in the middle of an SSL server-side handshake right after peer auth 
has completed, and I’m trying to detect whether or not the peer (client) 
provided a cert. I thought SSLGetClientCertificateState would be the answer, 
but it always returns kSSLClientCertNone whether or not there is a cert. How do 
I do this correctly?

Longer explanation:

I’m adding SSL *client* cert support to a server implementation that uses an 
existing library (GCDAsyncSocket) based on SecureTransport. It’s working fine 
for the case where the client cert is required (setting the 
ClientSideAuthenticate property to kAlwaysAuthenticate), but I’m having trouble 
when the client cert should be optional (kTryAuthenticate): the handshake fails 
if the client doesn’t provide a cert.

The problem occurs while I’m checking the trust of the cert — to do custom cert 
checking, the code turns off automatic cert verification using code very much 
like that shown in the doc-comment for SSLSetAllowsExpiredCerts, i.e. I’m 
handling the case where SSLHandshake returns errSSLPeerAuthCompleted.

At this point the existing code calls SSLCopyPeerTrust, which of course fails 
(with -9808, errSSLBadCert) since the peer/client didn’t provide any cert. This 
error causes the library to abort and close the socket. So my task is to detect 
whether or not the client provided a cert.

My first attempt was to call SSLGetClientCertificateState and look at the 
output state. Unfortunately the state comes back as kSSLClientCertNone whether 
or not there is a cert. (And the function return is noErr, so it didn’t fail.) 
This seems wrong to me, especially since the function’s docs say it “can be 
called any time”.

So … how am I supposed to do this? Should I just interpret the errSSLBadCert 
return from SSLCopyPeerTrust as meaning “there’s no cert”, and continue?

—Jens

PS: This is running on OS X 10.10.4. Have not tried iOS yet, but this same code 
needs to support iOS 7+.
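As an added illustration (not code from the post or from GCDAsyncSocket), the following hypothetical helper shows the errSSLPeerAuthCompleted checkpoint described above, resuming the handshake without a client cert only when the policy is kTryAuthenticate and failing closed under kAlwaysAuthenticate. It assumes `ctx` is a server-side context with kSSLSessionOptionBreakOnClientAuth set, and it treats errSSLBadCert from SSLCopyPeerTrust as "no client cert was sent", which is the interpretation the post proposes, taken here as an assumption rather than documented behaviour.

```objective-c
#import <Security/SecureTransport.h>
#import <Security/SecTrust.h>

// Hypothetical helper, not GCDAsyncSocket's own code. Drives the server-side
// handshake and decides what to do at the client-auth checkpoint.
// Assumptions: `ctx` was created with kSSLServerSide, SSLSetClientSideAuthenticate
// (ctx, policy) was already called, and kSSLSessionOptionBreakOnClientAuth is set
// so that SSLHandshake pauses with errSSLPeerAuthCompleted for custom evaluation.
// Returns noErr when the handshake finishes, errSSLWouldBlock when the caller
// should invoke it again once more data is readable, or a failure code.
static OSStatus RunServerHandshake(SSLContextRef ctx, SSLAuthenticate policy)
{
    for (;;) {
        OSStatus status = SSLHandshake(ctx);
        if (status != errSSLPeerAuthCompleted) {
            return status;   // noErr, errSSLWouldBlock, or a real failure
        }

        // Client-auth checkpoint: ask SecureTransport for the peer's chain.
        SecTrustRef trust = NULL;
        OSStatus trustStatus = SSLCopyPeerTrust(ctx, &trust);

        if (trustStatus != noErr || trust == NULL) {
            if (trust) CFRelease(trust);
            // Assumption (from the post): errSSLBadCert here means the client
            // sent no certificate. Only acceptable when the cert is optional.
            if (policy == kTryAuthenticate && trustStatus == errSSLBadCert) {
                continue;    // resume the handshake with an anonymous client
            }
            // kAlwaysAuthenticate, or an unexpected error: fail the handshake.
            return (trustStatus == noErr) ? errSSLBadCert : trustStatus;
        }

        // A chain was presented: evaluate it with the server's trust policy.
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus evalStatus = SecTrustEvaluate(trust, &result);
        CFRelease(trust);
        if (evalStatus != noErr) {
            return evalStatus;
        }
        if (result != kSecTrustResultUnspecified &&
            result != kSecTrustResultProceed) {
            return errSSLXCertChainInvalid;   // fail closed on an untrusted chain
        }
        // Chain trusted: loop to resume the handshake.
    }
}
```

If the server pins its own client CA, configure that on the SecTrustRef (via SecTrustSetAnchorCertificates) before calling SecTrustEvaluate, so that an arbitrary publicly trusted client cert is not accepted as proof of identity.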
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macnetworkprog/archive%40mail-archive.com