Thanks Jens. Still, I want it clear: provided that I've set up my CFStream to enable automatic TLS/SSL handshake, that I had my CFSockets do the TLS/SSL handshake "by themselves" without my code, and that I have a successful connection to my server, then just writing an unencrypted message to the socket using CFWriteStreamWrite() will transparently encrypt and send the message for me? (And vice versa, do I receive decrypted data from the socket on NSStreamEventHasBytesAvailable events?)
Motti.

> On Aug 31, 2015, at 02:03, Jens Alfke <j...@mooseyard.com> wrote:
>
>> On Aug 30, 2015, at 1:29 PM, Motti Shneor <su...@bezeqint.net> wrote:
>>
>> However - I do not understand if I still need to encrypt the messages myself, or whether ::CFWriteStreamWrite() (or its bridged [_outputStream write:maxLength:] counterpart) should do it for me, when running with ATS around? And if I need to do the encryption myself, what Cocoa/Cocoa-touch APIs do I need to call to do this, in order to use the ATS recommended encryption?
>
> Just use the standard CFStream APIs to enable SSL. In a nutshell, you do this by setting the stream property kCFStreamPropertySSLSettings to a dictionary containing the specific settings. Once you do that, it's all transparent: just open the streams and send/receive data.
> CFSocketStream.h declares all the necessary constants, with doc-comments, and I know Apple's documentation explains in detail how to do all this, though I don't have any URLs handy.

I have done this already, as I wrote - and I manage to open a connection to my server. The handshake went well, and I have an open connection. Now what? In the current implementation, I have to encrypt messages, send them down the socket, and decrypt incoming messages. Now with the SSL-configured socket, do I need to stop this, or replace my own encryption/decryption by some calls to SecureTransport APIs?

> (At a lower level you can use the SecureTransport API to do the SSL handshake and encryption explicitly, although it's a lot more complex so I don't think you'd want to, unless for some reason it makes it easier to replace your old SSL implementation.)
>
>> I could not find any sample code with CFNetwork only APIs that implements ATS connections over TCP
>
> Don't search for "ATS", just search for "SSL"; the APIs for this have been around as long as OS X. There's no programmatic API to ATS; the only change is that SSL is now required by default, and that there are some Info.plist keys to opt out of some of the requirements.
>
> —Jens
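The setup Jens describes, as an added example that is not code from the thread: a CFStream pair with kCFStreamPropertySSLSettings set, after which plaintext handed to CFWriteStreamWrite() leaves the socket encrypted and the read callback receives already-decrypted bytes. The host name, port and message are constructed placeholders.

```objective-c
// Added example, not from the thread: CFStream pair with TLS enabled through
// kCFStreamPropertySSLSettings. Host, port and message are constructed placeholders.
#include <stdio.h>
#include <string.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CFNetwork/CFNetwork.h>

static void readCallback(CFReadStreamRef stream, CFStreamEventType event, void *info) {
    if (event == kCFStreamEventHasBytesAvailable) {
        // Bytes delivered here are already decrypted by the stream's TLS layer.
        UInt8 buf[4096];
        CFIndex n = CFReadStreamRead(stream, buf, sizeof buf);
        if (n > 0) fwrite(buf, 1, (size_t)n, stdout);
    } else if (event == kCFStreamEventErrorOccurred) {
        // A failed handshake or a rejected certificate chain surfaces as a stream error.
        CFErrorRef err = CFReadStreamCopyError(stream);
        if (err) { CFShow(err); CFRelease(err); }
    } else if (event == kCFStreamEventEndEncountered) { CFRunLoopStop(CFRunLoopGetCurrent()); }
}

int main(void) {
    CFReadStreamRef rs = NULL; CFWriteStreamRef ws = NULL;
    CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, CFSTR("example.invalid"), 8443, &rs, &ws);

    // Let CFStream negotiate TLS itself. Certificate-chain validation stays at its
    // default (on); kCFStreamSSLPeerName pins the name the server's certificate must match.
    const void *keys[] = { kCFStreamSSLLevel, kCFStreamSSLPeerName };
    const void *vals[] = { kCFStreamSocketSecurityLevelNegotiatedSSL, CFSTR("example.invalid") };
    CFDictionaryRef ssl = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, 2,
                                             &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings, ssl);
    CFWriteStreamSetProperty(ws, kCFStreamPropertySSLSettings, ssl);
    CFRelease(ssl);

    CFStreamClientContext ctx = { 0, NULL, NULL, NULL, NULL };
    CFOptionFlags events = kCFStreamEventHasBytesAvailable | kCFStreamEventErrorOccurred | kCFStreamEventEndEncountered;
    CFReadStreamSetClient(rs, events, readCallback, &ctx);
    CFReadStreamScheduleWithRunLoop(rs, CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
    CFReadStreamOpen(rs);
    CFWriteStreamOpen(ws);

    // Plaintext goes in; the unscheduled write stream blocks until the handshake has
    // finished and the bytes have been encrypted and queued. No app-level crypto is involved.
    const char *msg = "HELLO\r\n";
    CFWriteStreamWrite(ws, (const UInt8 *)msg, (CFIndex)strlen(msg));
    CFRunLoopRun();
    CFRelease(rs); CFRelease(ws);
    return 0;
}
```

Note that a certificate the system will not validate (or one whose name does not match kCFStreamSSLPeerName) never yields a usable connection; it arrives as kCFStreamEventErrorOccurred, so the error path is where handshake failures are observed and logged.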
Macnetworkprog mailing list (Macnetworkprog@lists.apple.com)