Using client side certificates with objective-c under macosx with Cocoa - objective-c

I am looking for sample code or documentation on how to use client side certificates with SSL under MacOSX.
The server I want to connect to, does speak a custom ascii protocol but allows only ssl connections with registered client certificates. I already wrote a client in Java that works.
In Java I initialized a SSLContext with a KeyManager-Array and a TrustManager-Array. How would I do that with Objective-C on MacOSX?
I found this http://code.google.com/p/cocoaasyncsocket/ which got me as far as connecting and receiving from a server that does not require a client certificate. Would it be feasible to extend that code to use client side certificates?

You probably want CFStream
http://developer.apple.com/mac/library/documentation/Networking/Conceptual/CFNetwork/Concepts/Concepts.html#//apple_ref/doc/uid/TP30001132-CH4-SW4

Related

Python's create_default_context() equivalent in Go?

I'm trying to modify my Go client and server code to use TLS. In Python I can do ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
which will automatically load the system's trusted CA certs and uses secure settings. I'm wondering if there's something similar in Go where it will automatically load trusted CA certificates. I'm not sure exactly what to put for the client's certificates.
I think you're looking for tls.Config. But keep in mind that Python's ssl.create_default_context exposes a lot of SSL internals that most people don't need, and you might not need a tls.Config in your application at all. For instance, net/http has a http.ListenAndServeTLS() function which starts a TLS web server with sensible defaults and whatever certificates you provide.

How can I test my tls implementation written using HTTP component

For my current project i need to implement http over tls at client ,for this i need a local server able to simulate this . is there any online or offline tool. which i can use and and see the handshake in wireshark .
For watching the TLS handshake you might not get far enough with wireshark. For such kind of monitoring you would ensure the security is low enough for wireshark to be able getting the session key from watching the handshake for decoding the later parts. Thus, you need to avoid any forward secrecy.
Otherwise any (https) server that is accessible (and willing to talk) to your client will do.
In case you are in an environment that is supported (e.g. any unix/linux), you might try using openssl. It allows setting up a server that will do handshake. And it will log the handshake such that you will be able looking at what is going on. This will eliminate the need for using wireshark for debugging.
For achieving this you need a Web Server accepting connection over TLS.I have achieved this on Apache Tomcat web Server.
TLS configuration needs to be done in the server.xml file present in config directory of Tomcat webserver. Connector tag needs to be added in the server.xml file that contains information like
TLS version to be used, port, List of supported Cipher Suites, Keystore path and password, Truststore path and password.
Any regular Rest client can be used to make a call like Postman client. But to use that over TLS/SSL certificate is needed to be installed in Chrome browser.
Hope this answers your doubt.

Could not create SSL/TLS secure channel AND The client and server cannot communicate, because they do not possess a common algorithm

I have successfully built the Web Application but when I try to view the app in the browser it throws "Could not create SSL/TLS secure channel". I tried changing the compile to Debug mode and then it throws "The client and server cannot communicate, because they do not possess a common algorithm" errors.
I have also checked the Regedit.exe for the SSL Protocols and eveything is enabled. I also have the client side test certificate in installed on my machine.
My concern is does the Web Application have the ability to pick the installed certificate from the App Pool or should I write any specific code to use the that particular certificate?
I'm not familiar with .NET, but this kind of error typically occurs if the server is not configured to use a certificate. In this case the only ciphers it can offer are ADH etc, i.e. ciphers which don't require a certificate. Because in this case the connection would be vulnerable to man-in-the-middle attacks most clients don't support such ciphers by default and thus you get the error message that client and server have no ciphers in common.

how to find Master-key and Session-ID on windows for decryption of SSl/TLS traffic using wireshark?

I have a C++ application that has a SSL/TLS communication with its own server and i don't have any access to that server. I'm trying to find out what is it sending from my PC to the server.
I tried burp and fiddler as man-in-middle but it didn't work. The application does not support Proxy so i tried routing the traffic using proxifier to burp and fiddler but it didn't work.
So I came up with these articles https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets+/16415 and http://ask.wireshark.org/questions/4229/follow-ssl-stream-using-master-key-and-session-id
I just need to know , How I can find Master-key and Session-ID to decrypt SSL/TLS trafic.
It depends on the TLS cipher suite being used. If the ciphersuite uses forward secrecy (DHE) you cannot decrypt the stream. If it uses RSA encryption then you need at least the private key of the server. If it also uses client authentication then you would also need the private key of the client. if it uses symmetric encryption you need the symmetric (master) key from either one of them.
But if you do have a C++ application, I would simply add logging to that application (at the lowest level).
You can use following alrternates on a x86 windows
STRACE - http://blogs.msdn.com/b/emmanubo/archive/2007/06/04/introduction-to-strace-httpreplay-support-tools.aspx
SOCKTRC if this app is on windows checkout
http://blogs.msdn.com/b/emmanubo/archive/2007/08/03/socktrc-tool.aspx
HTTPREPLAY -
generally used for browsers but here can be used to view the responses in the UI

Alternative for openSSL

I have academical project to build communicator with Public Key Infrastructure. For communication between server and clients I'll use SSL/TLS and I need for them certificates. I have to build Certificate Authority with CRL and I can do this with openSSL but this tool is only good for manual administrative not for making certificates automatically in remote CA.
To be clear: Clients must register and login to communicator using certificates but it should be made invisible for them. I've tried running openSSL as process in Java but it's not working properly - my previous problem.
Have you any good advice for making simple PKI?
You can use and extend EJBCA. It takes some getting used to but it has support for some HSM's, and it should not be hard to create a small PKI with it. Open source.
A replacement for simple operations of OpenSSL, would be Bouncy castle. To have better CA support you should also use the EJBCA.
To create certificates automatically in the client (I assume you use a client web browser) is a bit trickier. Some browser can generate private client keys and then get them signed by the CA server.
Generating client side certificates in browser and signing on server
In that case, I would also use the EJBCA to make it manageable.