我正在尝试使用带有Apple安全传输API的TLS 1.2将iOS客户端连接到OS X服务器。我的BSD套接字通信工作正常,我在使用TLS包装时遇到了很多麻烦。据Wireshark的输出我所知,SSL握手甚至没有真正开始,所以我可能在一方或另一方面错误地设置了SSL,但我不确定我做错了什么
服务器端:
void establish_connection(int sockfd) {
SSLContexRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
SSLSetConnection(sslContext, (SSLConnectionRef)(long)sockfd);
SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);
// Get self-signed certificate from p12 data
CFDataRef cert_data = CFDataCreate(kCFAllocatorDefault, cert_p12, cert_p12_len);
CFArrayRef items = NULL;
const void *options_keys[] = { kSecImportExportPassphrase };
const void *options_values[] = { CFSTR("password") };
CFDictionaryRef options = CFDictionaryCreate(kCFAllocatorDefault, options_keys, options_values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
SecPKCS12Import(cert_data, options, &items);
CFRelease(options);
CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity);
CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **)&identity, 1, NULL);
SSLSetCertificate(sslContext, certs);
// Fails with errSSLProtocol
SSLHandshake(sslContext);
...
}
客户方:
void establish_connection(int server_sockfd) {
SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
SSLSetConnection(sslContext, (SSLConnectionRef)server_sockfd);
SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);
// Fails with errSSLProtocol
SSLHandshake(sslContext);
...
}
Wireshark转储尝试握手:
Source Destination Protocol Length Info
client server TCP 78 50743 > 49754 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=16 TSval=365690143 TSecr=0 SACK_PERM=1
server client TCP 78 49754 > 50743 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=16 TSval=666304222 TSecr=365690143 SACK_PERM=1
client server TCP 66 50743 > 49754 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=365690468 TSecr=666304222
server client TCP 66 [TCP Window Update] 49754 > 50743 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304252 TSecr=365690468
server client TCP 66 49754 > 50743 [FIN, ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304281 TSecr=365690468
client server TCP 66 50743 > 49754 [ACK] Seq=1 Ack=2 Win=131760 Len=0 TSval=365690498 TSecr=666304281
server client TCP 66 [TCP Dup ACK 9099#1] 49754 > 50743 [ACK] Seq=2 Ack=1 Win=131760 Len=0 TSval=666304283 TSecr=365690498
使用Wireshark尝试诊断问题,我甚至没有看到任何SSL握手消息。我看到TCP连接已建立,然后立即关闭,没有长度大于0的数据包。我能做错什么?
答案 0 :(得分:4)
看起来问题是我的IO功能实现不正确。我正在粘贴似乎有效的套接字IO函数,但IO函数的要求并没有很好地记录,所以我可能会遗漏一些东西。
OSStatus readFromSocket(SSLConnectionRef connection, void *data, size_t *dataLength) {
int sockfd = (int)connection;
size_t bytesRequested = *dataLength;
ssize_t status = read(sockfd, data, bytesRequested);
if (status > 0) {
*dataLength = status;
if (bytesRequested > *dataLength)
return errSSLWouldBlock;
else
return noErr;
} else if (0 == status) {
*dataLength = 0;
return errSSLClosedGraceful;
} else {
*dataLength = 0;
switch (errno) {
case ENOENT:
return errSSLClosedGraceful;
case EAGAIN:
return errSSLWouldBlock;
case ECONNRESET:
return errSSLClosedAbort;
default:
return errSecIO;
}
return noErr;
}
}
OSStatus writeToSocket(SSLConnectionRef connection, const void *data, size_t *dataLength) {
int sockfd = (int)connection;
size_t bytesToWrite = *dataLength;
ssize_t status = write(sockfd, data, bytesToWrite);
if (status > 0) {
*dataLength = status;
if (bytesToWrite > *dataLength)
return errSSLWouldBlock;
else
return noErr;
} else if (0 == status) {
*dataLength = 0;
return errSSLClosedGraceful;
} else {
*dataLength = 0;
if (EAGAIN == errno) {
return errSSLWouldBlock;
} else {
return errSecIO;
}
}
}