[Pharo-users] SSL client certificates

Sven Van Caekenberghe sven at stfx.eu
Thu Jan 21 08:44:35 EST 2016


> On 15 Jan 2016, at 15:09, Sven Van Caekenberghe <sven at stfx.eu> wrote:
> 
> Wow, thanks for sharing!
> 
> Please, please, Holger, share the new Mac SSL Plugin somewhere so that we can test it too. (Next step is to push this change upstream in the VM).

Norbert, Holger,

I think an SSL Plugin for OS X based on the OpenSSL code for (L|U)nix is *very* important. 

Could you please share it, just for testing, please, please?

Thx,

Sven

>> On 15 Jan 2016, at 14:49, Norbert Hartl <norbert at hartl.name> wrote:
>> 
>> Hi,
>> 
>>> On 12.01.2016 at 16:25, Sven Van Caekenberghe <sven at stfx.eu> wrote:
>>> 
>>> Given a ZdcSecureSocketStream you can access the #sslSession. In this session object you can use #certificateName: to set the path or name of the certificate (before you #connect !). That is the general idea.
>>> 
>>> Now, I don't know if this works or not. Be prepared to look in the plugin C code! On Linux this will probably work.
>>> 
>>> And please let us know how it goes ;-)
>>> 
>> I spent some time yesterday trying it. With a Linux installation I could issue a client connection and that didn't throw an error. Then Holger was really helpful with Mac OS. He just compiled the Mac plugin using the unix openssl sources. I just copied that in the VM folder and then I could do the same on my Mac. I tried to send a push message via Apple's push server using:
>> 
>> | deviceId payload ip stream notification |
>> payload := '{
>>   "aps" : {
>>       "alert" : "Pharo finally got it!"
>>   }
>> }'.
>> deviceId := 'XXX'.
>> 
>> notification := ByteArray streamContents: [ :str |
>>   str
>>     nextPut: 1;                                                              "command: enhanced notification"
>>     nextPutAll: (1 asPaddedByteArray: 4);                                    "identifier, 4 bytes"
>>     nextPutAll: ((DateAndTime now + 1 day) asUTC asUnixTime asByteArray);    "expiry, unix time"
>>     nextPutAll: (32 asPaddedByteArray: 2);                                   "device token length, 2 bytes"
>>     nextPutAll: (ByteArray readHexFrom: deviceId);                           "device token, 32 bytes"
>>     nextPutAll: (payload size asPaddedByteArray: 2);                         "payload length, 2 bytes"
>>     nextPutAll: payload asByteArray ].                                       "JSON payload"
>> 
>> ip := NetNameResolver addressForName: 'gateway.push.apple.com' timeout: 30.
>> stream := ZdcSecureSocketStream
>>   openConnectionToHost: ip
>>   port: 2195
>>   timeout: 30.
>> stream
>>   binary;
>>   shouldSignal: true;
>>   autoFlush: false;
>>   bufferSize: 4096;
>>   timeout: 30.
>> stream sslSession
>>   enableLogging;
>>   certificateName: '/Users/norbert/multiprod.pem'.
>> stream
>>   connect;
>>   nextPutAll: notification;
>>   flush;
>>   close.
>> 
>> That is working and I receive the message on my phone. So basically the client certificate stuff seems to work. The awkward thing about it is that you have to specify a filename for the cert. I have the certificates in a database and writing a file every time I want to send something is not that good. Especially not if there are concurrent requests for sending messages.
>> 
>> There is one constraint for this to work. You specify a filename for the certificate. In the file you need to have certificate and key. The plugin reads both from the same file. There is no code for specifying a CA chain. So this is resolved system wide and that means you need to install every CA for your certificate in the system.
>> 
>> Norbert
>> 
>>>> On 12 Jan 2016, at 16:05, Norbert Hartl <norbert at hartl.name> wrote:
>>>> 
>>>> Is there a way to make SSL connections to the outside world using client certificates from Pharo?
>>>> 
>>>> thanks,
>>>> 
>>>> Norbert
> 
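An added example, not code from this thread, that addresses the two constraints Norbert describes: the SSL plugin reads certificate and private key from one PEM file named via #certificateName:, and a certificate that lives in a database must still reach the plugin through a path on disk. The block writes both PEM blocks to a uniquely named file for the duration of a single request, sets #certificateName: before #connect (as Sven notes), and deletes the file afterwards so concurrent senders never share or overwrite a certificate file. The Zodiac and NetNameResolver calls are the ones used in Norbert's snippet; `pemDirectory`, the placeholder PEM strings and the sample bytes are assumptions constructed for the example.

```smalltalk
"Added example (not from the thread): TLS client-certificate connection where
 certificate and key come from memory (e.g. a database row), not a fixed file."
| pemDirectory sendWithClientCert certificatePem keyPem |

"Assumption: a directory that only the user running the image can read."
pemDirectory := FileLocator temp / 'pharo-client-certs'.
pemDirectory ensureCreateDirectory.

sendWithClientCert := [ :bytes :certPem :privateKeyPem |
  | pemFile ip stream |
  "One file per request, so parallel sends cannot clash on the same path."
  pemFile := pemDirectory / (UUID new asString , '.pem').
  [ "The plugin expects certificate and private key in the same PEM file."
    pemFile writeStreamDo: [ :out |
      out nextPutAll: certPem; nextPut: Character lf;
          nextPutAll: privateKeyPem; nextPut: Character lf ].
    ip := NetNameResolver addressForName: 'gateway.push.apple.com' timeout: 30.
    stream := ZdcSecureSocketStream openConnectionToHost: ip port: 2195 timeout: 30.
    stream
      binary;
      shouldSignal: true;
      autoFlush: false;
      timeout: 30.
    "Must be set before #connect; the handshake reads the file at that point."
    stream sslSession certificateName: pemFile fullName.
    stream
      connect;
      nextPutAll: bytes;
      flush;
      close ]
    ensure: [ "Remove the key material from disk as soon as the request is done."
      pemFile ensureDelete ] ].

"Constructed placeholders: real values would be loaded from the database."
certificatePem := '-----BEGIN CERTIFICATE-----
...base64 certificate body...
-----END CERTIFICATE-----'.
keyPem := '-----BEGIN PRIVATE KEY-----
...base64 private key body...
-----END PRIVATE KEY-----'.

"Sample bytes only; build the real frame as in Norbert's snippet above."
sendWithClientCert value: #[1 0 0 0 1] value: certificatePem value: keyPem.
```

The #ensure: block is what makes this safe to run concurrently: each request owns its own file name and removes its own key material, whatever happens during the handshake. As Norbert points out, the plugin offers no way to pass a CA chain, so any intermediate CA the server needs to validate this client certificate still has to be installed system-wide.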