[Pharo-users] SSL client certificates

Norbert Hartl norbert at hartl.name
Tue Jan 12 16:37:04 EST 2016

> Am 12.01.2016 um 16:25 schrieb Sven Van Caekenberghe <sven at stfx.eu>:
> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
> And please let us know how it goes ;-)

I tried on Mac OS and on Linux but no luck so far. I used

| ip stream |
ip := NetNameResolver addressForName: 'gateway.sandbox.push.apple.com' timeout: 5000. 
stream := ZdcSecureSocketStream 
	openConnectionToHost: ip 
	port: 2195
	timeout: 3000.
	shouldSignal: true;
	autoFlush: false;
	bufferSize: 16384;
	timeout: 5000.
stream sslSession
	certificateName: '/root/my.pem'.
stream connect.

But I get 

ConnectionClosed: Connection closed while waiting for data.

This is while doing the SSL handshake. On Linux the log is

qSetStringPropertySSL(1): /root/my.pem
sqConnectSSL: 8a69058
sqConnectSSL: Setting up SSL
sqSetupSSL: setting method
sqSetupSSL: Creating context
sqSetupSSL: setting cipher list
sqSetupSSL: Using cert file /root/my.pem
sqSetupSSL: No root CA given; using default verify paths
sqSetupSSL: Creating SSL
sqSetupSSL: setting bios
sqConnectSSL: Setting connect state
sqConnectSSL: BIO_write 0 bytes
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 297 bytes pending; buffer size 17408
sqConnectSSL: 8a69058
sqConnectSSL: BIO_write 3143 bytes
sqConnectSSL: SSL_connect
sqConnectSSL: sqCopyBioSSL
sqCopyBioSSL: 2057 bytes pending; buffer size 17408
ConnectionClosed: Connection closed while waiting for data.
[ ConnectionClosed signal: 'Connection closed while waiting for data.' ] in Socket>>waitForDataFor: in Block: [ ConnectionClosed signal: 'Connection closed whil...etc...

I'm not sure what is going on and I believe it is rather hard to figure out what is the error exactly. Using 

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert my.pem -debug -showcerts -CAfile entrust_2048_ca.cer

it works. I don't know if the missing CA file is the culprit. But I doubt the squeak SSL code does verifying so it might be something else.


>> On 12 Jan 2016, at 16:05, Norbert Hartl <norbert at hartl.name> wrote:
>> Is there a way to make SSL connections to the outside world using client certificates from pharo?
>> thanks,
>> Norbert

More information about the Pharo-users mailing list