[Pharo-users] SSL client certificates

Sven Van Caekenberghe sven at stfx.eu
Fri Jan 15 09:09:57 EST 2016

Wow, thanks for sharing!

Please, please, Holger, share the new Mac SSL Plugin somewhere so that we can test it too. (Next step is to push this change upstream in the VM).

> On 15 Jan 2016, at 14:49, Norbert Hartl <norbert at hartl.name> wrote:
> Hi,
>> Am 12.01.2016 um 16:25 schrieb Sven Van Caekenberghe <sven at stfx.eu>:
>> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
>> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
>> And please let us know how it goes ;-)
> I spend some time yesterday trying it. With a linux installation I could issue a client connection and that didn't throw an error. Then Holger was really helpful with Mac OS. He just compiled the Mac plugin using the unix openssl sources. I just copied that in the VM folder and then I could do the same on my Mac. I tried to send a push message via apples push server using:
> | deviceId payload ip stream notification |
> payload := '{
>    "aps" : {
>        "alert" : "Pharo finally got it!"
>    }
> }'.
> deviceId := 'XXX'.
> notification := ByteArray streamContents: [ :str |
>    str
>        	nextPut: 1;
> 		nextPutAll: (1 asPaddedByteArray: 4);
> 		nextPutAll: ((DateAndTime now + 1 day) asUTC asUnixTime asByteArray);
> 		nextPutAll: (32 asPaddedByteArray: 2);
> 		nextPutAll: (ByteArray readHexFrom: deviceId);
>        	nextPutAll: (payload size asPaddedByteArray: 2);
>        	nextPutAll: payload asByteArray ].
> ip := NetNameResolver addressForName: 'gateway.push.apple.com' timeout: 30.
> stream := ZdcSecureSocketStream
>    openConnectionToHost: ip
>    port: 2195
>    timeout: 30.
> stream
>    binary;
>    shouldSignal: true;
>    autoFlush: false;
>    bufferSize: 4096;
>    timeout: 30.
> stream sslSession
>    enableLogging;
>    certificateName: '/Users/norbert/multiprod.pem'.
> stream
>    connect;
>    nextPutAll: notification;
> flush;
> close.
> That is working and I receive the message on my phone. So basically the client certificate stuff seems to work. The awkward thing about it is that you have to specify a filename for the cert. I have the certificates in a database and writing a file everytime I want to send something is not that good. Especially not if there are concurrent requests for sending messages.
> There is one constraint for this to work. You specify a filename for certificate. In the file you need to have certificate and key. The plugin reads both from the same file. There is no code for specifying a CA chain. So this is resolved system wide and that means you need to install every CA for your certificate in the system. 
> Norbert
>>> On 12 Jan 2016, at 16:05, Norbert Hartl <norbert at hartl.name> wrote:
>>> Is there a way to make SSL connections to the outside world using client certificates from pharo?
>>> thanks,
>>> Norbert

More information about the Pharo-users mailing list