[Pharo-users] SSL client certificates

Norbert Hartl norbert at hartl.name
Fri Jan 15 08:49:34 EST 2016


Hi,

> Am 12.01.2016 um 16:25 schrieb Sven Van Caekenberghe <sven at stfx.eu>:
> 
> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
> 
> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
> 
> And please let us know how it goes ;-)
> 
I spent some time yesterday trying it. With a Linux installation I could issue a client connection and that didn't throw an error. Then Holger was really helpful with Mac OS. He just compiled the Mac plugin using the unix openssl sources. I just copied that in the VM folder and then I could do the same on my Mac. I tried to send a push message via Apple's push server using:

| deviceId payload ip stream notification |
payload := '{
    "aps" : {
        "alert" : "Pharo finally got it!"
    }
}'.
deviceId := 'XXX'.

"Enhanced notification frame: command, identifier, expiry, token length, token, payload length, payload"
notification := ByteArray streamContents: [ :str |
    str
        nextPut: 1;
        nextPutAll: (1 asPaddedByteArray: 4);
        nextPutAll: ((DateAndTime now + 1 day) asUTC asUnixTime asByteArray);
        nextPutAll: (32 asPaddedByteArray: 2);
        nextPutAll: (ByteArray readHexFrom: deviceId);
        nextPutAll: (payload size asPaddedByteArray: 2);
        nextPutAll: payload asByteArray ].

ip := NetNameResolver addressForName: 'gateway.push.apple.com' timeout: 30.
stream := ZdcSecureSocketStream
    openConnectionToHost: ip
    port: 2195
    timeout: 30.
stream
    binary;
    shouldSignal: true;
    autoFlush: false;
    bufferSize: 4096;
    timeout: 30.
"The certificate file must be set before #connect"
stream sslSession
    enableLogging;
    certificateName: '/Users/norbert/multiprod.pem'.
stream
    connect;
    nextPutAll: notification;
    flush;
    close.

That is working and I receive the message on my phone. So basically the client certificate stuff seems to work. The awkward thing about it is that you have to specify a filename for the cert. I have the certificates in a database and writing a file every time I want to send something is not that good. Especially not if there are concurrent requests for sending messages.

There is one constraint for this to work. You specify a filename for the certificate. In the file you need to have both the certificate and the key. The plugin reads both from the same file. There is no code for specifying a CA chain. So this is resolved system-wide and that means you need to install every CA for your certificate in the system.

Norbert

>> On 12 Jan 2016, at 16:05, Norbert Hartl <norbert at hartl.name> wrote:
>> 
>> Is there a way to make SSL connections to the outside world using client certificates from pharo?
>> 
>> thanks,
>> 
>> Norbert
>> 
>> 
>> 
> 
> 
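The binary frame the snippet above writes to port 2195 (command 1, identifier, expiry, token length, token, payload length, payload), as an added Python example that is not from the post or from the Zodiac plugin; the device token and expiry values are constructed, and the decoder refuses frames whose length fields do not match:

```python
import json
import struct

# Added example (not from the post): the legacy APNs "enhanced" frame that
# the Pharo snippet writes to port 2195, built and checked offline.
HEADER = ">BIIH"          # command, identifier, expiry (unix time), token length; big-endian
COMMAND_ENHANCED = 1
TOKEN_LEN = 32            # device token is 32 raw bytes, i.e. 64 hex characters

def build_frame(device_token_hex, payload, identifier, expiry):
    """Encode one notification in the same field order as the Pharo code."""
    token = bytes.fromhex(device_token_hex)
    if len(token) != TOKEN_LEN:
        raise ValueError(f"device token must be {TOKEN_LEN} bytes, got {len(token)}")
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > 0xFFFF:
        raise ValueError("payload does not fit the 2-byte length field")
    return (struct.pack(HEADER, COMMAND_ENHANCED, identifier, expiry, TOKEN_LEN)
            + token + struct.pack(">H", len(body)) + body)

def parse_frame(frame):
    """Decode a frame back into its fields, refusing any inconsistent length."""
    hdr_len = struct.calcsize(HEADER)
    command, identifier, expiry, token_len = struct.unpack(HEADER, frame[:hdr_len])
    if command != COMMAND_ENHANCED:
        raise ValueError(f"unexpected command byte {command}")
    if token_len != TOKEN_LEN:
        raise ValueError(f"unexpected token length {token_len}")
    pos = hdr_len
    token = frame[pos:pos + token_len]
    pos += token_len
    (payload_len,) = struct.unpack(">H", frame[pos:pos + 2])
    pos += 2
    body = frame[pos:]
    if len(body) != payload_len:
        raise ValueError("payload length field does not match the frame")
    return {"identifier": identifier, "expiry": expiry,
            "token": token.hex(), "payload": json.loads(body)}

# Constructed sample values: a dummy 64-hex-char token and a fixed expiry.
SAMPLE_TOKEN = "ab" * TOKEN_LEN
SAMPLE_EXPIRY = 1452860000
SAMPLE_PAYLOAD = {"aps": {"alert": "Pharo finally got it!"}}

if __name__ == "__main__":
    frame = build_frame(SAMPLE_TOKEN, SAMPLE_PAYLOAD, 1, SAMPLE_EXPIRY)
    print(len(frame), parse_frame(frame))
```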