12

I am trying to establish a simple socket connection (NO HTTP) from my iOS app to my backend server (Node.js). The servers certificate has been created and signed using a custom CA that I made myself. I believe that in order to get iOS to trust my server I will have to somehow add this custom CA Certificate to the list of trusted certificates that are used to determine trust sort of how a TrustStore in Java/Android works.

I have tried to connect using the code below and there are no errors however the write() function does not seem to succeed.

Main View Controller:

override func viewDidLoad() {
    super.viewDidLoad()
    // Do any additional setup after loading the view, typically from a nib.

    let api: APIClient = APIClient()

    api.initialiseSSL("10.13.37.200", port: 8080)

    api.write("Hello")

    api.deinitialise()

    print("Done")
}

APIClient class

class APIClient: NSObject, NSStreamDelegate {

var readStream: Unmanaged<CFReadStreamRef>?
var writeStream: Unmanaged<CFWriteStreamRef>?

var inputStream: NSInputStream?
var outputStream: NSOutputStream?

func initialiseSSL(host: String, port: UInt32) {
    CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, host, port, &readStream, &writeStream)

    inputStream = readStream!.takeRetainedValue()
    outputStream = writeStream!.takeRetainedValue()

    inputStream?.delegate = self
    outputStream?.delegate = self

    inputStream!.scheduleInRunLoop(NSRunLoop.currentRunLoop(), forMode: NSDefaultRunLoopMode)
    outputStream!.scheduleInRunLoop(NSRunLoop.currentRunLoop(), forMode: NSDefaultRunLoopMode)

    let cert: SecCertificateRef? = CreateCertificateFromFile("ca", ext: "der")

    if cert != nil {
        print("GOT CERTIFICATE")
    }

    let certs: NSArray = NSArray(objects: cert!)

    let sslSettings = [
        NSString(format: kCFStreamSSLLevel): kCFStreamSocketSecurityLevelNegotiatedSSL,
        NSString(format: kCFStreamSSLValidatesCertificateChain): kCFBooleanFalse,
        NSString(format: kCFStreamSSLPeerName): kCFNull,
        NSString(format: kCFStreamSSLCertificates): certs,
        NSString(format: kCFStreamSSLIsServer): kCFBooleanFalse
    ]

    CFReadStreamSetProperty(inputStream, kCFStreamPropertySSLSettings, sslSettings)
    CFWriteStreamSetProperty(outputStream, kCFStreamPropertySSLSettings, sslSettings)

    inputStream!.open()
    outputStream!.open()
}

func write(text: String) {
    let data = [UInt8](text.utf8)

    outputStream?.write(data, maxLength: data.count)
}

func CreateCertificateFromFile(filename: String, ext: String) -> SecCertificateRef? {
    var cert: SecCertificateRef!

    if let path = NSBundle.mainBundle().pathForResource(filename, ofType: ext) {

        let data = NSData(contentsOfFile: path)!

        cert = SecCertificateCreateWithData(kCFAllocatorDefault, data)!
    }
    else {

    }

    return cert
}

func deinitialise() {
    inputStream?.close()
    outputStream?.close()
}

}

I understand how SSL/TLS works and all since I have done this all fine in the Android version of this same app. I am just confused with the iOS implementation of SSL.

I am from a Java background and have been going with this problem for 3 weeks. Any help would be appreciated.

Prefer answers in Swift code, not Objective C but if you only have Obj C thats ok too :)

Improve this question

1 Answer 1

Reset to default
16

Ok I spent 8 weeks on this issue :( but i finally managed to put together a working solution. I must say that SSL/TLS on iOS is a joke. Java on Android leaves it for dead. It is completely ridiculous that in order to evaluate trust for a self signed certificate, you must disable certificate chain verification completely and do it yourself. Completely ridiculous. Anyway this is the fully working solution that connects to a remote socket server (no HTTP) using a self signed server certificate. Feel free to edit this answer to provide a better answer since I haven't had the change to add code for sending and receiving data yet :)

//  SecureSocket
//
//  Created by snapper26 on 2/9/16.
//  Copyright © 2016 snapper26. All rights reserved.
//
import Foundation

class ProXimityAPIClient: NSObject, StreamDelegate {

    // Input and output streams for socket
    var inputStream: InputStream?
    var outputStream: OutputStream?

    // Secondary delegate reference to prevent ARC deallocating the NSStreamDelegate
    var inputDelegate: StreamDelegate?
    var outputDelegate: StreamDelegate?

    // Add a trusted root CA to out SecTrust object
    func addAnchorToTrust(trust: SecTrust, certificate: SecCertificate) -> SecTrust {
        let array: NSMutableArray = NSMutableArray()

        array.add(certificate)

        SecTrustSetAnchorCertificates(trust, array)

        return trust
    }

    // Create a SecCertificate object from a DER formatted certificate file
    func createCertificateFromFile(filename: String, ext: String) -> SecCertificate {
        let rootCertPath = Bundle.main.path(forResource:filename, ofType: ext)

        let rootCertData = NSData(contentsOfFile: rootCertPath!)

        return SecCertificateCreateWithData(kCFAllocatorDefault, rootCertData!)!
    }

    // Connect to remote host/server
    func connect(host: String, port: Int) {
        // Specify host and port number. Get reference to newly created socket streams both in and out
        Stream.getStreamsToHost(withName:host, port: port, inputStream: &inputStream, outputStream: &outputStream)

        // Create strong delegate reference to stop ARC deallocating the object
        inputDelegate = self
        outputDelegate = self

        // Now that we have a strong reference, assign the object to the stream delegates
        inputStream!.delegate = inputDelegate
        outputStream!.delegate = outputDelegate

        // This doesn't work because of arc memory management. Thats why another strong reference above is needed.
        //inputStream!.delegate = self
        //outputStream!.delegate = self

        // Schedule our run loops. This is needed so that we can receive StreamEvents
        inputStream!.schedule(in:RunLoop.main, forMode: RunLoopMode.defaultRunLoopMode)
        outputStream!.schedule(in:RunLoop.main, forMode: RunLoopMode.defaultRunLoopMode)

        // Enable SSL/TLS on the streams
        inputStream!.setProperty(kCFStreamSocketSecurityLevelNegotiatedSSL, forKey:  Stream.PropertyKey.socketSecurityLevelKey)
        outputStream!.setProperty(kCFStreamSocketSecurityLevelNegotiatedSSL, forKey: Stream.PropertyKey.socketSecurityLevelKey)

        // Defin custom SSL/TLS settings
        let sslSettings : [NSString: Any] = [
            // NSStream automatically sets up the socket, the streams and creates a trust object and evaulates it before you even get a chance to check the trust yourself. Only proper SSL certificates will work with this method. If you have a self signed certificate like I do, you need to disable the trust check here and evaulate the trust against your custom root CA yourself.
            NSString(format: kCFStreamSSLValidatesCertificateChain): kCFBooleanFalse,
            //
            NSString(format: kCFStreamSSLPeerName): kCFNull,
            // We are an SSL/TLS client, not a server
            NSString(format: kCFStreamSSLIsServer): kCFBooleanFalse
        ]

        // Set the SSL/TLS settingson the streams
        inputStream!.setProperty(sslSettings, forKey:  kCFStreamPropertySSLSettings as Stream.PropertyKey)
        outputStream!.setProperty(sslSettings, forKey: kCFStreamPropertySSLSettings as Stream.PropertyKey)

        // Open the streams
        inputStream!.open()
        outputStream!.open()
    }

    // This is where we get all our events (haven't finished writing this class)
   func stream(_ aStream: Stream, handle eventCode: Stream.Event) {
        switch eventCode {
        case Stream.Event.endEncountered:
            print("End Encountered")
            break
        case Stream.Event.openCompleted:
            print("Open Completed")
            break
        case Stream.Event.hasSpaceAvailable:
            print("Has Space Available")

            // If you try and obtain the trust object (aka kCFStreamPropertySSLPeerTrust) before the stream is available for writing I found that the oject is always nil!
            var sslTrustInput: SecTrust? =  inputStream! .property(forKey:kCFStreamPropertySSLPeerTrust as Stream.PropertyKey) as! SecTrust?
            var sslTrustOutput: SecTrust? = outputStream!.property(forKey:kCFStreamPropertySSLPeerTrust as Stream.PropertyKey) as! SecTrust?

            if (sslTrustInput == nil) {
                print("INPUT TRUST NIL")
            }
            else {
                print("INPUT TRUST NOT NIL")
            }

            if (sslTrustOutput == nil) {
                print("OUTPUT TRUST NIL")
            }
            else {
                print("OUTPUT TRUST NOT NIL")
            }

            // Get our certificate reference. Make sure to add your root certificate file into your project.
            let rootCert: SecCertificate? = createCertificateFromFile(filename: "ca", ext: "der")

            // TODO: Don't want to keep adding the certificate every time???
            // Make sure to add your trusted root CA to the list of trusted anchors otherwise trust evaulation will fail
            sslTrustInput  = addAnchorToTrust(trust: sslTrustInput!,  certificate: rootCert!)
            sslTrustOutput = addAnchorToTrust(trust: sslTrustOutput!, certificate: rootCert!)

            // convert kSecTrustResultUnspecified type to SecTrustResultType for comparison
            var result: SecTrustResultType = SecTrustResultType.unspecified

            // This is it! Evaulate the trust.
            let error: OSStatus = SecTrustEvaluate(sslTrustInput!, &result)

            // An error occured evaluating the trust check the OSStatus codes for Apple at osstatus.com
            if (error != noErr) {
                print("Evaluation Failed")
            }

            if (result != SecTrustResultType.proceed && result != SecTrustResultType.unspecified) {
                // Trust failed. This will happen if you faile to add the trusted anchor as mentioned above
                print("Peer is not trusted :(")
            }
            else {
                // Peer certificate is trusted. Now we can send data. Woohoo!
                print("Peer is trusted :)")
            }

            break
        case Stream.Event.hasBytesAvailable:
            print("Has Bytes Available")
            break
        case Stream.Event.errorOccurred:
            print("Error Occured")
            break
        default:
            print("Default")
            break
        }
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Thanks man, this is good stuff! I had already figured out the bulk of the sockets functionality, but this helped me get the SSL working.
I wish I had seen this when I was troubleshooting this whole thing in the beginning
Glad it helped you. Honestly the design decisions Apple makes for SSL are terrible. You should be able to add your own trusted root CA "BEFORE" the trust is evaluated :(
Thanks for your answer, it's really works. But I have one question. Why we should call all this code related to the SSL in the NSStreamEvent.HasSpaceAvailable? HasSpaceAvailable will be called every time when we send data to the server. Is it correct? Maybe we should use all this code(not only addAnchorToTrust) only one time in the NSStreamEvent.OpenCompleted?
@don-prog The reason why I evaluated the trust with hasSpaceAvailable rather than openCompleted was because the trust object (kCFStreamPropertySSLPeerTrust) was null. It seemed to me that the line (var sslTrustInput: SecTrust? = inputStream!.propertyForKey(kCFStreamPropertySSLPeerTrust as String) as! SecTrust) is still null when called on openCompleted. I understand what your saying about calling it everytime the server sends data. Have you tried to call that code in openCompleted and if so how did it go?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.