I'm working on a simple client that needs to connect to a socket. This socket requires SSL. I'm trying to configure the client to support SSL but I'm getting this error:

CFNetwork SSLHandshake failed (-9807)

This is the code that I've written to configure the socket. Do you see anything strange/wrong? Also, the server is running on localhost and I'm running the iOS app on the simulator at the moment. Could that be a problem?

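import Foundation

// StreamDelegate conformance is required for `inputStream.delegate = self` below.
class MySocket: NSObject, StreamDelegate {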

    var inputStream: InputStream!
    var outputStream: OutputStream!

    func setupStream(){

        var readStream: Unmanaged<CFReadStream>?
        var writeStream: Unmanaged<CFWriteStream>?

        CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault,
                                           "127.0.0.1" as CFString,
                                           80,
                                           &readStream,
                                           &writeStream)

        inputStream = readStream!.takeRetainedValue()
        outputStream = writeStream!.takeRetainedValue()

        inputStream.delegate = self

        inputStream.schedule(in: .current, forMode: .common)
        outputStream.schedule(in: .current, forMode: .common)

        // SETTING SSL HERE
        inputStream.setProperty(kCFStreamSocketSecurityLevelNegotiatedSSL, forKey: Stream.PropertyKey.socketSecurityLevelKey)
        outputStream.setProperty(kCFStreamSocketSecurityLevelNegotiatedSSL, forKey: Stream.PropertyKey.socketSecurityLevelKey)
        // END SSL SETUP

        inputStream.open()
        outputStream.open()

    }
}
  • Are you sure your localhost server serves TCP over SSL on port 80 and not 443? Commented Nov 1, 2019 at 1:28
  • @jms yes actually the port is a custom port.... I've written port 80 on this example, but we are using a custom port. Commented Nov 4, 2019 at 13:02
  • Can you confirm that your server successfully serves secure content over SSL to other clients and this is only a Swift issue so I can look more into it? (if you are worried about 127.0.0.1 then connect to another public network and use its interface IP address from ifconfig) Commented Nov 5, 2019 at 0:17
  • @jms yes I can confirm that it works on other clients (I have a very simple python script that can connect to the server and send and receive data). Commented Nov 5, 2019 at 10:18
  • I think you are setting the SSL properties in the wrong places. Work with the CFStream API instead of the low level I/O Stream. The following link shows you how to set properties to a CFStream developer.apple.com/documentation/corefoundation/cfstream/… Commented Nov 7, 2019 at 0:42

1 Answer

I have been reviewing the library SocketRocket to check your code. The library is implemented in Objective-C but you can use it as a reference.

In that library, in the code that updates the options for the secure stream, I have observed that it only sets kCFStreamSocketSecurityLevelNegotiatedSSL on the outputStream.

- (void)_updateSecureStreamOptions {
    if (_secure) {
        NSMutableDictionary *SSLOptions = [[NSMutableDictionary alloc] init];

        /*ONLY FOR OUTPUT STREAM*/
        [_outputStream setProperty:(__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL forKey:(__bridge id)kCFStreamPropertySocketSecurityLevel];

        // If we're using pinned certs, don't validate the certificate chain
        if ([_urlRequest SR_SSLPinnedCertificates].count) {
            [SSLOptions setValue:@NO forKey:(__bridge id)kCFStreamSSLValidatesCertificateChain];
        }

  #if DEBUG
        self.allowsUntrustedSSLCertificates = YES;
  #endif

        if (self.allowsUntrustedSSLCertificates) {
            [SSLOptions setValue:@NO forKey:(__bridge id)kCFStreamSSLValidatesCertificateChain];
            SRFastLog(@"Allowing connection to any root cert");
        }

        [_outputStream setProperty:SSLOptions
                            forKey:(__bridge id)kCFStreamPropertySSLSettings];
    }

    _inputStream.delegate = self;
    _outputStream.delegate = self;

    [self setupNetworkServiceType:_urlRequest.networkServiceType];
}

I hope that it helps.
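Added example (not from the original post or from SocketRocket): error -9807 is `errSSLXCertChainInvalid`, and the answer's code clears `kCFStreamSSLValidatesCertificateChain` when pinned certificates are in use. This Swift version does the same for a stream pair like the asker's, then checks the peer against a pinned certificate before any data is exchanged. The names `PinnedSocket`, `pinnedDER` and `peerMatchesPin` are hypothetical, and it assumes the pinned certificate names the host passed to `init`.

```swift
import Foundation
import Security
// Hypothetical class; `pinnedDER` is the dev server's own certificate in DER form.
final class PinnedSocket: NSObject, StreamDelegate {
    private var input: InputStream?
    private var output: OutputStream?
    private let pinned: SecCertificate
    private let host: String
    private var peerVerified = false

    init?(host: String, pinnedDER: Data) {
        guard let cert = SecCertificateCreateWithData(nil, pinnedDER as CFData) else { return nil }
        self.pinned = cert
        self.host = host
        super.init()
    }

    func open(port: Int) {
        Stream.getStreamsToHost(withName: host, port: port, inputStream: &input, outputStream: &output)
        guard let input = input, let output = output else { return }
        // TLS stays on; only the automatic chain check is off, the delegate checks the pin instead.
        let settings: [String: Any] = [kCFStreamSSLValidatesCertificateChain as String: false]
        output.setProperty(StreamSocketSecurityLevel.negotiatedSSL.rawValue, forKey: .socketSecurityLevelKey)
        output.setProperty(settings, forKey: Stream.PropertyKey(rawValue: kCFStreamPropertySSLSettings as String))
        for stream in [input, output] as [Stream] {
            stream.delegate = self
            stream.schedule(in: .current, forMode: .common)
            stream.open()
        }
    }

    func stream(_ aStream: Stream, handle eventCode: Stream.Event) {
        guard eventCode == .hasSpaceAvailable || eventCode == .hasBytesAvailable else { return }
        if !peerVerified && !peerMatchesPin(aStream) {
            input?.close(); output?.close()   // no data to or from an unverified peer
            return
        }
        peerVerified = true
        // Application reads and writes go here, after the check has passed.
    }

    private func peerMatchesPin(_ stream: Stream) -> Bool {
        let key = Stream.PropertyKey(rawValue: kCFStreamPropertySSLPeerTrust as String)
        guard let value = stream.property(forKey: key) else { return false }
        let trust = value as! SecTrust   // CoreFoundation type: the cast cannot be conditional
        // Setting custom anchors also stops the system roots from being trusted for this evaluation.
        guard SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString)) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, [pinned] as CFArray) == errSecSuccess else { return false }
        return SecTrustEvaluateWithError(trust, nil)
    }
}
```

Unlike a blanket `allowsUntrustedSSLCertificates`-style switch, this accepts only a chain that ends at the pinned certificate, so it behaves the same in debug and release builds.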
