[Pharo-users] SSL client certificates

Norbert Hartl norbert at hartl.name
Thu Jan 14 07:28:42 EST 2016


> On 14.01.2016 at 12:42, Sven Van Caekenberghe <sven at stfx.eu> wrote:
> 
>> 
>> On 14 Jan 2016, at 12:12, Norbert Hartl <norbert at hartl.name> wrote:
>> 
>>> 
>>> On 12.01.2016 at 16:25, Sven Van Caekenberghe <sven at stfx.eu> wrote:
>>> 
>>> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
>>> 
>>> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
>>> 
>>> And please let us know how it goes ;-)
>>> 
>>>> On 12 Jan 2016, at 16:05, Norbert Hartl <norbert at hartl.name> wrote:
>>>> 
>>>> Is there a way to make SSL connections to the outside world using client certificates from pharo?
>>>> 
>> 
>> There were some issues with certificates. I tested a lot but made an error on the way. Now I did everything again, like creating certificates etc. I could establish a connection from a Linux machine. At least it doesn't signal anything and tells me it is connected.
> 
> So that *is* good news ! If you could share more details, that might help others as well.

I'm on it :)

> 
>> On Mac OS it does not work.
> 
> Have you seen the C source code of the Mac SSL Plugin? It is written against an API from Mac OS System 7, from before Mac OS X, that is an OS from last century, ~199X. This is ancient, you won't find many developers who want to work on that, nor does it make sense towards the future.
> 
> OpenSSL is also available standard on Mac OS X, the Linux plugin could just as well be used there (give or take).
> 
>> I think it has something to do with the certificate authority. On Linux the CA of the Apple server is installed system wide. The SSL plugin code only looks for the certificate and the key but not for the CA. So under Linux it finds it in the system, but on Mac OS I couldn't do the same. I imported the CA into the keychain but openssl does not seem to find it there.
> 
> It is very simple why it does not work on Mac (like I said), it is just not implemented !
> 
> Try finding where certName is used in sqMacSSL.c, there is a setter and getter, but it is simply not used, so it can never work.
> 
> In sqUnixOpenSSL.c on the other hand, there is
> 
> 	/* if a cert is provided, use it */
> 	if(ssl->certName) {
> 		if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n", ssl->certName);
> 		if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
> 		  ERR_print_errors_fp(stderr);
> 
> 		if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0)
> 		  ERR_print_errors_fp(stderr);
> 	}
> 
Oops, I was only looking at the Unix code, assuming it would be used for Mac OS as well. In the Mac code there is

        /* Disable cert verification since we do that ourselves */
        status = SSLSetEnableCertVerify(ssl->ctx, false);

I don't understand the comment. But reading it I think this would "solve" the problem as well :)

Norbert
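The quoted Unix plugin code loads the certificate and the private key from the same PEM path but, as noted above, never loads a CA, and the Mac code switches server-certificate verification off altogether. The following is an added example, not code from the Pharo SSL plugin or from the thread: it mirrors that client setup with Python's standard ssl module and fills in the two missing pieces (a CA for verifying the server, verification left on), and it checks that a single PEM bundle actually contains both blocks the plugin expects. All file paths and SAMPLE_BUNDLE are hypothetical or constructed, not real credentials.

```python
import re
import ssl

# The plugin hands one file to both SSL_CTX_use_certificate_file and
# SSL_CTX_use_PrivateKey_file, so that single PEM must carry both blocks.
_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----")
_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")

# Constructed stand-in for a cert+key bundle; the body lines are not a real key.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"
)


def pem_bundle_is_usable(pem_text):
    """Return (ok, reason) for a PEM file meant to be passed as certName."""
    has_cert = bool(_CERT_RE.search(pem_text))
    has_key = bool(_KEY_RE.search(pem_text))
    if has_cert and has_key:
        return True, "certificate and private key present"
    if has_cert:
        return False, "private key missing: SSL_CTX_use_PrivateKey_file would fail"
    if has_key:
        return False, "certificate missing: SSL_CTX_use_certificate_file would fail"
    return False, "no PEM blocks found"


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """Client context that presents a client cert AND verifies the server.

    PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking,
    the opposite of SSLSetEnableCertVerify(ctx, false) in the Mac plugin.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # the server's (private) CA
    else:
        ctx.load_default_certs()  # system trust store, the Linux case above
    if certfile:
        # keyfile=None means the key lives in certfile, as the plugin assumes
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def verification_enabled(ctx):
    """True only if the server certificate and hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```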

