Hello everyone. I already posted this question in the cocoa-dev, but was 
directed here…

We write a system-level daemon that runs as root for security monitoring,  
maintained by launched.

We use C++ boost asyncio for cross-platform networking (Win/Linux/OS-X). Hence, 
on OS-X, can’t use higher-level APIs (such as NSURLSession and friends. Also, 
we use proprietary binary protocol to our server, but in certain client site 
deployments, we need to pass it through HTTP Proxy. We use the “HTTP Connect” 
command to create a secure tunnel through the proxy.  This works fine when we 
provide proxy configuration of our own.

Now I’m trying to integrate with the OS-X system-configuration proxy settings. 
Found the great (if little old) CFProxySupportTool code-sample, read lots of 
documentation, and was able to neatly read and support HTTP, HTTPS, 
Auto-Configured and PAC based settings. 

This breaks when Proxy is authenticated, i.e. you must handshake using username 
and password with the proxy.

The credential keys (username and password) received from 
CFNetworkCopyProxiesForURL()are normally empty, as they are stored in OS-X’s 
secure storage - the KeyChain. 

I wrote a simple tool to read the credentials using KeyChain APIs, and found 
the following:
1. The credentials are stored in the current user’s login keychain. (the user 
who set the credentials in the system-preferences network panel).
2. Calling key-chain APIs in test tool triggers a dialog, asking from the user 
permission to allow it access to the key-chain. Expected for an App, not so 
much for a system-level daemon.
3. When the tool is run as root, it finds nothing - because it doesn’t reach 
the user’s Login keychain.

My questions:

1. How do other system daemons connect to network web servers silently, using 
authenticated proxy settings? I never got any dialog for them, asking 
permission to read the keychain… Also, what keychain they use? not the System 
keychain? and when I set authentication parameters for, say, the admin user - 
how do they read it? via some kind of impersonation?

2. How do preinstalled Safari, Mail, Photos, and other apps  connect silently 
to the web, and avoid triggering the key-chain access permission dialog?  They 
clearly use proxy settings (including credentials) to go to the internet, and 
run under the current user. If such behavior is acceptable -  how is it done? 

3. All proxy settings seem to be system-wide (actually per network-interface). 
Why do the credentials reside in the active user’s Login keychain, instead of 
the “System” keychain? Is there at all a way (except for manually editing the 
keychains) to set-up proxies for ALL users, including credentials?

4. Could I, at the time of installation of my product, ask once for this 
access, and have this “trust” saved for my installed daemon? That will be 
acceptable, as IT installs our too on all users machinesl, and have rights for 
this. If this is possible - where and how could I do it?

These are lots of questions, but any hint, any direction to docs or sample 
code, would be greatly appreciated. I’m spending weeks on this already.

Last… If the wonderful code within NSURLSession and CFNetwork that negotiates 
proxies would be exposed via proper APIS - that would be a real blessing. So 
many developers (especially in the enterprise arena) need to time and again 
reimplement this - and do it in ways much inferior and insecure to the system 
implementation.

Motti Shneor
---

But they are useless ---
         they can only provide answers! 

(Pablo Picasso 1881-1973 about Computers).






 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (Macnetworkprog@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macnetworkprog/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Reply via email to