apple / swift-nio-ssl

TLS Support for SwiftNIO, based on BoringSSL.
https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl
Apache License 2.0

customVerificationCallback not fired. #461

Closed Therealnaxos closed 2 months ago

Therealnaxos commented 2 months ago

It seems like the customVerificationCallback does not fire whatsoever in the constructor: NIOSSLServerHandler(context: , customVerificationCallback: ).

I have tried setting the TLSConfiguration to a bunch of different states/configs. But no combination seems to trigger the custom verification callback.

Is this a bug, or a misconfiguration on my part?

Best regards.

Sample code:

```swift
import NIO
import NIOSSL
import NIOTransportServices

// Custom verification callback handed to NIOSSLServerHandler; it accepts any chain.
func customVerf(certs: [NIOSSLCertificate], result: EventLoopPromise<NIOSSLVerificationResult>) {
  print("Hello from customVerf!") // this should be printed but it does not for some reason...
  return result.succeed(.certificateVerified)
}

// ......

// Server identity (self-signed) and a configuration that demands a client certificate.
let (cert, key) = try generateSelfSignedTLSIdentity()
var tlsConf = TLSConfiguration.makeServerConfiguration(certificateChain: [.certificate(cert)], privateKey: .privateKey(key))
tlsConf.trustRoots = NIOSSLTrustRoots.certificates([cert])
tlsConf.certificateVerification = .fullVerification
let sslContext = try NIOSSLContext(configuration: tlsConf)

// Listener whose child channels get the TLS handler first, then the application handler.
let bootstrap = NIOTSListenerBootstrap(group: group)
  .serverChannelOption(ChannelOptions.socketOption(.so_reuseaddr), value: 1)
  .childChannelInitializer { channel in
    channel.pipeline.addHandler(NIOSSLServerHandler(context: sslContext, customVerificationCallback: self.customVerf), position: .first)
      .flatMap {
        channel.pipeline.addHandler(MyCustomHandler())
      }
  }
let channel = try bootstrap
  .bind(host: host, port: port)
  .wait()

try channel.closeFuture.wait()
```

Lukasa commented 2 months ago

Thanks for filing this! Is the client sending certs? If the client sends no certificates at all, the server will reject the handshake entirely and never get to the custom verification callback.

Lukasa commented 2 months ago

For me locally, if I use openssl s_client to connect without passing -cert and -key, I see an error and the callback isn't called. If I do pass those two arguments, I see the callback invoked appropriately.

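An added example, not code from the issue or from swift-nio-ssl itself: a server handler built the way Lukasa describes, requiring a client certificate so the callback is actually reached, and with a callback that pins the presented leaf to one expected certificate instead of accepting every chain. The file paths are placeholders, and the comparison assumes NIOSSLCertificate's Equatable conformance in NIOSSL.

```swift
import NIO
import NIOSSL

/// Build a server-side TLS handler that requires a client certificate and
/// pins the presented leaf to one expected certificate. All paths are
/// placeholder values for this example.
func makePinnedClientAuthHandler(
    serverCertPath: String,
    serverKeyPath: String,
    expectedClientCertPath: String
) throws -> NIOSSLServerHandler {
    let serverCert = try NIOSSLCertificate(file: serverCertPath, format: .pem)
    let serverKey = try NIOSSLPrivateKey(file: serverKeyPath, format: .pem)
    let expectedClientCert = try NIOSSLCertificate(file: expectedClientCertPath, format: .pem)

    var tlsConf = TLSConfiguration.makeServerConfiguration(
        certificateChain: [.certificate(serverCert)],
        privateKey: .privateKey(serverKey))
    // .fullVerification demands a client certificate. A client that sends
    // none is rejected during the handshake, before any callback runs.
    tlsConf.certificateVerification = .fullVerification
    let sslContext = try NIOSSLContext(configuration: tlsConf)

    // Once a custom verification callback is installed, the trust decision is
    // the callback's, so it must do real checking rather than always succeed.
    // The peer chain arrives leaf-first.
    let pinToExpectedClient: ([NIOSSLCertificate], EventLoopPromise<NIOSSLVerificationResult>) -> Void = { certs, promise in
        guard let leaf = certs.first else {
            // Defensive: with .fullVerification an empty chain never gets here.
            promise.succeed(.failed)
            return
        }
        // Assumes NIOSSLCertificate's Equatable conformance (DER-level comparison).
        promise.succeed(leaf == expectedClientCert ? .certificateVerified : .failed)
    }

    return NIOSSLServerHandler(context: sslContext, customVerificationCallback: pinToExpectedClient)
}
```

A client connecting with `openssl s_client -cert ... -key ...` and the pinned certificate completes the handshake; any other certificate, or none, is rejected.
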
Therealnaxos commented 2 months ago

Ahh, thanks. You made it clearer to me that a WKWebView cannot accept/handle self-signed certificates. So that is probably my core issue.

Will have to figure out another solution for securing my communication between the NIOSSLServerHandler and the WKWebView.

Thanks for your help and have a nice day! @Lukasa