zwopple / PocketSocket

Objective-C websocket library for building things that work in realtime on iOS and OS X.

TLS Support #41

Closed slreddy1137 closed 8 years ago

slreddy1137 commented 8 years ago

Hi Team,

I'm unable to get TLS working.

Can anyone help me to try the TLS support, for making a handshake between the web socket server and the web socket client?

kisileno commented 8 years ago

@slreddy1137 I have the same issue. Did you try to install the certificate in your certificate chain?

slreddy1137 commented 8 years ago

I was trying to create an app that acts as a web socket server, and another app that acts as a web socket client. This is working fine. Now, to ensure security, I'm trying to put a certificate in the app bundle of both apps and to authenticate when the connection request is initiated, but no luck; I'm not able to go ahead. Is my approach right?

kisileno commented 8 years ago

@slreddy1137

is my approach right ?

I dunno. I was not able to find any meaningful and comprehensive documentation on how to use TLS/SSL.

How did you create the certificate and how are you loading it? Are you using +[PSWebSocketServer serverWithHost:port:SSLCertificates:] to create the server?

I am trying to do the same, but with an embedded WebView. As far as I know, to achieve this I need to install my certificate in the OS X certificate chain.

slreddy1137 commented 8 years ago

I'm trying to use that method for server initiation, but I'm even doubtful of the approach. Shall we ask someone?

slreddy1137 commented 8 years ago

Hi All,

Can someone guide me on what to pass in the "SSLCertificates:" parameter when initiating the socket server? I do have a VeriSign certificate but am not aware of how to pass it.

slreddy1137 commented 8 years ago

@robertjpayne can you please suggest how to achieve the TLS connection?

robertjpayne commented 8 years ago

@slreddy1137 you need to create the server using:

+ (instancetype)serverWithHost:(NSString *)host port:(NSUInteger)port SSLCertificates:(NSArray *)SSLCertificates;

And that NSArray should be an array of SecIdentityRef objects. SecIdentityRef objects are not the easiest to obtain, you have to have the certificate and private key pair in keychain and use the Security framework to pull them.

robertjpayne commented 8 years ago

You may find this Apple article useful for getting a SecIdentityRef from a .p12 file:

https://developer.apple.com/library/mac/documentation/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html

robertjpayne commented 8 years ago

Personally I added the SSL support just as a nice-to-have; unfortunately I can't make the API any easier, because SecureTransport only works in this fashion unless I use OpenSSL or some other crypto library for the SSL handshake.

The unfortunate part is that SecureTransport doesn't let you have a SecIdentityRef that isn't attached to a persistent keychain somewhere on disk.

If you're on OS X I recommend just using nginx or apache to terminate the SSL and locally forward the requests to PocketSocket!

slreddy1137 commented 8 years ago

@robertjpayne Thanks Robert for your suggestions; I'm new to this TLS implementation.

I have verisign.key and verisign.cer certificate files. If I try getting a "SecIdentityRef" and pass it while creating the server, will this enable secure authentication? Do I need to pass any certificate while creating the client socket?

Sorry if my question is basic; can you please tell me some steps to get it done?

slreddy1137 commented 8 years ago

@robertjpayne This is for an iOS app, where one phone acts as the web socket server and the other as the web socket client; now I have to put TLS between their connection.

robertjpayne commented 8 years ago

@slreddy1137 sorry, I really can't assist you more than that document. You need to get your certificates into a .p12 file; the best way to do that is via Keychain on your Mac: just import them both there, then export as a .p12 with a password.

Once you have a .p12 try following the documentation on that Apple article.
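The .p12 route described above, carried through as an added example. This is not PocketSocket's own code and was not posted in the thread; it assumes a file named "server.p12" in the app bundle, that the password arrives from the keychain or a prompt rather than a string literal, a listen address of 0.0.0.0, and the `delegate` property and `-start` method as declared in PSWebSocketServer.h. Only `+serverWithHost:port:SSLCertificates:` and the SecIdentityRef array contents are confirmed by the thread.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "PSWebSocketServer.h"   // PocketSocket header

// Added helper, not part of PocketSocket: returns the first identity found in a
// PKCS#12 blob, or NULL with *outStatus set. On iOS, SecPKCS12Import also places the
// identity in the app's keychain, which is what SecureTransport needs per the thread.
// The caller owns the returned reference and must CFRelease it.
static SecIdentityRef PSExampleLoadIdentity(NSData *p12Data, NSString *password, OSStatus *outStatus) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : password };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess || items == NULL) {
        if (items) CFRelease(items);
        return NULL;
    }
    SecIdentityRef identity = NULL;
    if (CFArrayGetCount(items) > 0) {
        CFDictionaryRef first = CFArrayGetValueAtIndex(items, 0);
        identity = (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
        if (identity) CFRetain(identity);
    }
    CFRelease(items);
    return identity;
}

// Added helper: builds a TLS-enabled PSWebSocketServer from the bundled .p12.
// "server.p12", the 0.0.0.0 listen address, `delegate` and `-start` are assumptions.
static PSWebSocketServer *PSExampleStartTLSServer(NSString *password,
                                                  NSUInteger port,
                                                  id<PSWebSocketServerDelegate> delegate) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"p12"];
    NSData *p12Data = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (!p12Data) {
        NSLog(@"server.p12 not found in bundle");
        return nil;
    }

    OSStatus status = errSecSuccess;
    SecIdentityRef identity = PSExampleLoadIdentity(p12Data, password, &status);
    if (!identity) {
        NSLog(@"SecPKCS12Import failed: %d", (int)status);   // wrong password, bad file, ...
        return nil;
    }

    // The array handed to PocketSocket holds SecIdentityRef objects (stated in the thread).
    PSWebSocketServer *server = [PSWebSocketServer serverWithHost:@"0.0.0.0"   // all IPv4 interfaces
                                                              port:port
                                                   SSLCertificates:@[ (__bridge id)identity ]];
    CFRelease(identity);            // the array literal retained it; drop our +1
    server.delegate = delegate;     // assumed from PSWebSocketServer.h
    [server start];                 // assumed from PSWebSocketServer.h
    return server;
}
```

Checking the OSStatus from SecPKCS12Import is the useful part: a wrong export password, or a .p12 that contains a certificate but no private key, both surface there rather than as a vague handshake failure later. The identity array is all the server needs; the client side is covered further down in the thread.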

slreddy1137 commented 8 years ago

@robertjpayne sure, I'll convert it to .p12 and get the SecIdentityRef as you suggested to create the server. With this, is it going to work, or do I need to pass anything while creating the client socket? Please suggest.

Thanks in advance.

slreddy1137 commented 8 years ago

@robertjpayne We are not passing any certificate for client socket creation; I was thinking, do we need to pass one for the authentication challenge to take place?

robertjpayne commented 8 years ago

@slreddy1137 you probably will need to. If you're going device to device, I assume you are using Bonjour and connecting directly over an IP address.

Because of that the client won't be able to verify the validity of the SSL certificate by domain name like browsers do. There is a delegate method (in develop only) to accept the SecTrustRef.

slreddy1137 commented 8 years ago

I'm trying to build communication over an Access Point only, without internet; yes, I'm connecting directly with an IP address.

I'm unable to find the method which accepts SecTrustRef in the "PSWebSocket" class. Do I need to look elsewhere? Sorry for asking more; I need your help badly. I have almost integrated your API for all my basic functionalities; only TLS is pending.

robertjpayne commented 8 years ago

@slreddy1137 - (BOOL)webSocket:(PSWebSocket *)webSocket evaluateServerTrust:(SecTrustRef)trust; again, this is only available via the develop branch at the moment.
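An added example of implementing that delegate method for the device-to-device case described above (peer reached by IP address, so no hostname to verify). It is not PocketSocket's code and was not posted in the thread; it assumes the develop-branch signature quoted above, a DER file "server.cer" shipped in the client app bundle, and `+clientSocketWithRequest:`, `-open` and the `delegate` property from PSWebSocket.h. The remaining PSWebSocketDelegate callbacks are not shown. Rather than returning YES unconditionally, the client pins the presented leaf certificate to the bundled one and still runs the trust evaluation with that certificate as the only anchor, so expiry and key usage are checked too.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import "PSWebSocket.h"   // PocketSocket header (develop branch for evaluateServerTrust:)

// Added delegate class, not part of PocketSocket. Other PSWebSocketDelegate
// callbacks (open/message/close/fail) are omitted here.
@interface PSExamplePinnedDelegate : NSObject <PSWebSocketDelegate>
@property (nonatomic, strong) NSData *pinnedCertificateData;   // DER bytes of the expected server cert
@end

@implementation PSExamplePinnedDelegate

// Assumed bundle resource "server.cer" (DER-encoded server certificate).
+ (instancetype)delegateWithBundledCertificateNamed:(NSString *)name {
    PSExamplePinnedDelegate *d = [PSExamplePinnedDelegate new];
    NSString *path = [[NSBundle mainBundle] pathForResource:name ofType:@"cer"];
    d.pinnedCertificateData = path ? [NSData dataWithContentsOfFile:path] : nil;
    return d;
}

- (BOOL)webSocket:(PSWebSocket *)webSocket evaluateServerTrust:(SecTrustRef)trust {
    // Fail closed: no pin loaded, or no certificate presented.
    if (self.pinnedCertificateData == nil || SecTrustGetCertificateCount(trust) < 1) {
        return NO;
    }

    // 1. The leaf certificate the server presented must be byte-identical to the pin.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
    if (![presented isEqualToData:self.pinnedCertificateData]) {
        return NO;
    }

    // 2. Still evaluate the trust object so validity period and key usage are checked.
    //    The pinned certificate is the sole anchor; the SSL policy is created without a
    //    hostname because the peer is addressed by IP, as the thread explains.
    SecCertificateRef pinned = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)self.pinnedCertificateData);
    if (pinned == NULL) {
        return NO;   // bundled file is not a valid DER certificate
    }
    SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
    SecTrustSetPolicies(trust, policy);
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)@[ (__bridge id)pinned ]);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    CFRelease(policy);
    CFRelease(pinned);

    // kSecTrustResultUnspecified is the normal "trusted, no explicit user override" outcome.
    return status == errSecSuccess &&
           (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}

@end

// Assumed client construction from PSWebSocket.h; the peer address is a placeholder.
static PSWebSocket *PSExampleConnectPinned(NSString *peerIP, NSUInteger port,
                                           PSExamplePinnedDelegate *delegate) {
    NSString *urlString = [NSString stringWithFormat:@"wss://%@:%lu/", peerIP, (unsigned long)port];
    NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:urlString]];
    PSWebSocket *socket = [PSWebSocket clientSocketWithRequest:request];   // assumed
    socket.delegate = delegate;                                            // assumed
    [socket open];                                                         // assumed
    return socket;
}
```

The byte comparison alone would already reject an unknown certificate; running SecTrustEvaluate on top of it means a pinned certificate that has expired or was issued for the wrong key usage is also rejected, and the `SecTrustSetAnchorCertificatesOnly` call keeps the system roots from being consulted at all. When the server certificate is rotated, the new DER file has to ship with a client update, which is the usual cost of leaf pinning.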

slreddy1137 commented 8 years ago

OK, can I use it? Any precautions to be taken to make this ready for Prod?

robertjpayne commented 8 years ago

@slreddy1137 nope, develop is pretty stable; it's well tested against the Autobahn test suite. Probably the server code is most fragile as it's not tested as much.

slreddy1137 commented 8 years ago

@robertjpayne Thanks a lot for your support; this really helps me. I'll try all these possibilities and get back to you.

Thanks a Ton.

robertjpayne commented 8 years ago

Closing this because I don't believe it's a bug, please re-open if you think otherwise.

slreddy1137 commented 8 years ago

Sure Robert, I have been trying to get this working on my project; I will contact you if any help is required.

Thanks for your support.


kisileno commented 8 years ago

I have created the server using

    + (instancetype)serverWithHost:(NSString *)host port:(NSUInteger)port SSLCertificates:(NSArray *)SSLCertificates {

where host is 127.0.0.1 and certificates is an NSArray with one SecIdentityRef from a .p12. How can I then access it from a webpage using wss://? It is still accessible on ws://.

slreddy1137 commented 8 years ago

Hi Robert,

I was trying to initiate a connection, but the code snippet below in the "PumpInput" method in the "PSWebSocketServer" class is blocking the socket from being added.

    if(connection.inputBuffer.bytesAvailable > 4) {
        void* boundary = memmem(connection.inputBuffer.bytes,
                                connection.inputBuffer.bytesAvailable,
                                "\r\n\r\n", 4);
        if (boundary == NULL) {
            // Haven't reached end of HTTP headers yet
            if(connection.inputBuffer.bytesAvailable >= 16384) {
                [self disconnectConnection:connection];
            }
            continue;
        }

I'm getting boundary as "NULL" and it continues; can you please help me with how to connect?

If I check in Terminal, "NETSTAT" shows that the connection is established.
