8

I am writing an application that uses NSStream's SSL functions on the iPhone. I know that SSL is working because I can directly connect to servers using SSL.
I have encountered a problem where protocols that use STARTTLS require me to communicate on the socket unsecured, send the STARTTLS command and then reuse the same socket for SSL. As far as I know NSStream connections cannot be reused and I can't start SSL on them after I have opened the connection.

I thought about creating my own socket, communicating on it manually and then setting up an NSStream using the existing socket and starting SSL that way. However, it appears that communicating on the socket places it in a state where I can't start SSL on it. Any attempt to use the socket for NSStream results in an error.

Any thoughts?

anurodhp
  • 356
  • 5
  • 13
  • Have you tried calling setProperty:forKey: with the appropriate security constants on an already open NSSocket? I believe the underlying SecureTransport code supports switching to TLS/SSL from an unencrypted initial connection. – Graham Miln Jan 24 '11 at 01:16
  • So I figured this out. You should use CFsockets and not NSsockets and then apply the SSL AFTER the connection even though the documentation says you can't do that, it will correctly negotiate a secure connection. – anurodhp Mar 01 '11 at 19:00
  • there's no such thing as "NSsockets" – user102008 Apr 29 '11 at 22:10
  • Please add your solution as an answer and mark it as such. This is cluttering the Unanswered Questions list right now, and you're not getting rep points you could use. – Jeremy W. Sherman Jun 02 '11 at 21:26

1 Answer

7

This is the correct way to do this. While doing this (setting the property after socket connection) is undocumented, this is code directly from my Monal XMPP client and Apple has never given me any problems in the App Store.

NSInputStream *iStream;
NSOutputStream *oStream;
CFReadStreamRef readStream = NULL;
CFWriteStreamRef writeStream = NULL;

// Open a plain TCP connection to the server; no TLS is negotiated yet.
CFStreamCreatePairWithSocketToHost(NULL, (__bridge CFStringRef)server, port,
                                   &readStream, &writeStream);

// CFReadStream/CFWriteStream are toll-free bridged to NSInputStream/NSOutputStream.
iStream = (__bridge_transfer NSInputStream *)readStream;
oStream = (__bridge_transfer NSOutputStream *)writeStream;

[iStream open];
[oStream open];

Once the connection has been opened and you get NSStreamEventOpenCompleted and the startTLS command has been sent to the host from the client:

// SSL settings applied to the already-open streams. Note what these values do:
// with chain validation off, any root accepted and the peer name set to
// [NSNull null], the upgraded connection is encrypted but the server is not
// authenticated, so a host that intercepts the plaintext phase can present
// any certificate and the handshake will still succeed.
NSDictionary *settings = [[NSDictionary alloc]
    initWithObjectsAndKeys:
        [NSNumber numberWithBool:YES], @"kCFStreamSSLAllowsExpiredCertificates",
        [NSNumber numberWithBool:YES], @"kCFStreamSSLAllowsExpiredRoots",
        [NSNumber numberWithBool:YES], @"kCFStreamSSLAllowsAnyRoot",
        [NSNumber numberWithBool:NO],  @"kCFStreamSSLValidatesCertificateChain",
        [NSNull null],                 @"kCFStreamSSLPeerName",
        @"kCFStreamSocketSecurityLevelNegotiatedSSL", @"kCFStreamSSLLevel",
        nil];

// Set the property on both halves of the connection; the TLS handshake is
// performed on the next read/write after this point.
CFReadStreamSetProperty((__bridge CFReadStreamRef)iStream,
                        (__bridge CFStringRef)@"kCFStreamPropertySSLSettings",
                        (__bridge CFTypeRef)settings);
CFWriteStreamSetProperty((__bridge CFWriteStreamRef)oStream,
                         (__bridge CFStringRef)@"kCFStreamPropertySSLSettings",
                         (__bridge CFTypeRef)settings);
anurodhp
  • 356
  • 5
  • 13
  • 2
    It’s probably a better idea to use the constants instead of wrapping them in strings; the constants and strings may evaluate to the same result in this case but that isn’t always so. So, kCFStreamSSLLevel instead of @"kCFStreamSSLLevel". – Rob Rix Sep 20 '11 at 10:27
  • I'm trying to use the CFReadStreamSetProperty in my iOS 7 app, but Xcode 5.1.1 tells me "No matching function for call to 'CFReadStreamSetProperty'" although I have #import #import and I also added CFNetwork.framework and CoreFoundation.framework. Any hint how to fix that? – geri-m May 04 '14 at 08:42
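An added example, not code from the answer or from Monal, showing the same late-upgrade trick with certificate validation kept on and extended to the XMPP STARTTLS exchange from RFC 6120 (send `<starttls/>`, wait for `<proceed/>`, then set the SSL property). It assumes ARC; the function names, `expectedHost` and the `readReply` block that hands back the next stanza are assumed names, not CFNetwork API.

```objectivec
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>

// Client side of the XMPP STARTTLS exchange (RFC 6120 section 5).
static NSString *const kStartTLSStanza =
    @"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>";

// Only a <proceed/> in the xmpp-tls namespace permits the upgrade; on
// <failure/> the stream stays in the clear and must be closed, not reused.
static BOOL XMPPServerAgreedToStartTLS(NSString *reply) {
    if ([reply rangeOfString:@"<failure"].location != NSNotFound) return NO;
    return [reply rangeOfString:@"<proceed"].location != NSNotFound &&
           [reply rangeOfString:@"urn:ietf:params:xml:ns:xmpp-tls"].location != NSNotFound;
}

// Same approach as the answer above (kCFStreamPropertySSLSettings set on open
// streams), but with chain validation on and the peer name pinned, so a
// certificate presented by a man in the middle fails the handshake.
static BOOL UpgradeOpenStreamsToTLS(NSInputStream *iStream,
                                    NSOutputStream *oStream,
                                    NSString *expectedHost) {
    NSDictionary *settings = @{
        (__bridge NSString *)kCFStreamSSLLevel :
            (__bridge NSString *)kCFStreamSocketSecurityLevelNegotiatedSSL,
        (__bridge NSString *)kCFStreamSSLValidatesCertificateChain : @YES,
        (__bridge NSString *)kCFStreamSSLPeerName : expectedHost,
    };
    Boolean okIn  = CFReadStreamSetProperty((__bridge CFReadStreamRef)iStream,
                                            kCFStreamPropertySSLSettings,
                                            (__bridge CFTypeRef)settings);
    Boolean okOut = CFWriteStreamSetProperty((__bridge CFWriteStreamRef)oStream,
                                             kCFStreamPropertySSLSettings,
                                             (__bridge CFTypeRef)settings);
    return okIn && okOut;
}

// Driver: call after NSStreamEventOpenCompleted on both streams and after the
// server's <stream:features/> advertised starttls. readReply (assumed) returns
// the next stanza the server sent.
static BOOL PerformStartTLS(NSInputStream *iStream, NSOutputStream *oStream,
                            NSString *expectedHost,
                            NSString *(^readReply)(NSInputStream *)) {
    NSData *stanza = [kStartTLSStanza dataUsingEncoding:NSUTF8StringEncoding];
    if ([oStream write:stanza.bytes maxLength:stanza.length] != (NSInteger)stanza.length)
        return NO;
    if (!XMPPServerAgreedToStartTLS(readReply(iStream))) return NO;
    // From here every read/write goes through TLS; the handshake runs on the
    // first one and a validation failure arrives as NSStreamEventErrorOccurred.
    return UpgradeOpenStreamsToTLS(iStream, oStream, expectedHost);
}
```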