On Nov 11, 2014, at 1:45 AM, Quinn The Eskimo! <eski...@apple.com> wrote:

> 
> On 11 Nov 2014, at 01:40, Mitchell Laurren-Ring <li...@rynosoft.com> wrote:
> 
>> It looks to me like the client’s SSL stack is ending the conversation early 
>> by setting the FIN flag in step #7. Is that a correct conclusion?
> 
> Yes, but the weird part is that, at the time it initiates the disconnect 
> (packet 7), the client hasn't received any actual data from the server.  
> Normally, if the client is going to drop a connection like this, it does so 
> /after/ receiving some data from the server (like the Server Hello) but in 
> this case the client is dropping the connection before receiving any data.
> 
> What does the timing look like here?  Perhaps the client is failing because 
> the server hasn't responded quickly enough?
> 


I think you’re on to something here. It takes almost 5 seconds for the server 
to send “Server Hello” after the “Client Hello” is received. Most of this delay 
is caused by the call I make to SecTrustEvaluate at the start of the 
connection. I realize this is not optimal for performance, but assuming that it 
is a requirement to load the SecIdentityRef at the start of each connection, is 
SecTrustEvaluate necessary? Here’s roughly how my code looks:

        SecTrustCreateWithCertificates
        SecTrustEvaluate
        SecTrustGetResult
        SecIdentityCreateWithCertificate

SecTrustEvaluate seems to have the side effect of retrieving the CA 
certificates for my certificate, which is retrieved from another server when a 
connection is started. It seems like I should just be able to call 
SecIdentityCreateWithCertificate, but if I skip the first 3 functions, I get 
errSSLBadConfiguration from SSLHandshake. In Wireshark, I can see that the 
server is sending an SSL Alert after the Client Hello.

Is there a better way to create an identity from certificate and key data in 
memory?

/Mick
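As an added diagnostic that is not code from this thread, here is the call sequence above instrumented with per-call timing, which is the check Quinn suggests, plus an explicit test for errSSLBadConfiguration from SSLHandshake. It assumes the leaf certificate (`serverCert`) and a Secure Transport `SSLContextRef` already exist; SecTrustGetResult is omitted and the helper names are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Seconds elapsed since 'start', for the per-call timing the thread asks about.
static double Elapsed(CFAbsoluteTime start) { return CFAbsoluteTimeGetCurrent() - start; }

// The poster's sequence (SecTrustGetResult omitted), each step timed, so the
// multi-second gap before ServerHello can be attributed to SecTrustEvaluate
// if that is where it comes from. 'serverCert' is the leaf certificate already
// in memory (an assumption of this example). Returns the identity or NULL.
static SecIdentityRef MakeIdentityTimed(SecCertificateRef serverCert) {
    SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);   // server-side SSL policy
    CFArrayRef certs = CFArrayCreate(NULL, (const void **)&serverCert, 1, &kCFTypeArrayCallBacks);
    SecTrustRef trust = NULL;
    SecIdentityRef identity = NULL;

    CFAbsoluteTime t = CFAbsoluteTimeGetCurrent();
    OSStatus st = SecTrustCreateWithCertificates(certs, policy, &trust);
    NSLog(@"SecTrustCreateWithCertificates: %d (%.3f s)", (int)st, Elapsed(t));

    if (st == errSecSuccess) {
        SecTrustResultType result = kSecTrustResultInvalid;
        t = CFAbsoluteTimeGetCurrent();
        st = SecTrustEvaluate(trust, &result);   // may fetch intermediates over the network
        NSLog(@"SecTrustEvaluate: %d result=%u (%.3f s)", (int)st, (unsigned)result, Elapsed(t));
    }
    if (st == errSecSuccess) {
        t = CFAbsoluteTimeGetCurrent();
        // NULL keychain: search the default keychain list for the matching private key
        st = SecIdentityCreateWithCertificate(NULL, serverCert, &identity);
        NSLog(@"SecIdentityCreateWithCertificate: %d (%.3f s)", (int)st, Elapsed(t));
    }
    if (trust) CFRelease(trust);
    CFRelease(certs);
    CFRelease(policy);
    return (st == errSecSuccess) ? identity : NULL;
}

// Installs the identity on an existing Secure Transport context and runs the
// handshake, reporting errSSLBadConfiguration explicitly so an identity/key
// configuration problem is not mistaken for a network problem.
static OSStatus HandshakeWithIdentity(SSLContextRef ctx, SecIdentityRef identity) {
    CFArrayRef chain = CFArrayCreate(NULL, (const void **)&identity, 1, &kCFTypeArrayCallBacks);
    OSStatus st = SSLSetCertificate(ctx, chain);
    CFRelease(chain);
    if (st != errSecSuccess) return st;
    do { st = SSLHandshake(ctx); } while (st == errSSLWouldBlock);
    if (st == errSSLBadConfiguration)
        NSLog(@"SSLHandshake: errSSLBadConfiguration (identity/key configuration problem)");
    return st;
}
```

If the logged SecTrustEvaluate time matches the ServerHello delay seen in Wireshark, the network fetch of CA certificates during evaluation is the cause, and the evaluation can be moved off the per-connection path.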


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (Macnetworkprog@lists.apple.com)