Question

I know we can use SecTrustSetAnchorCertificates() given a SecTrustRef. But with CFStreams, we can get the trust object only after the handshake. One workaround seems to be to disable certificate chain verification on the CFStream using the kCFStreamSSLValidatesCertificateChain property and then get the peer certificates using kCFStreamPropertySSLPeerCertificates, create a trust from those certificates and evaluate the trust ourselves.

But it would be a lot cleaner if we could just tell CFStream to use an array of certs as anchor. Am I hoping for too much?

Solution

eskimo1 from Apple Devforums answered this as follows:

First, disable automatic trust evaluation using kCFStreamSSLValidatesCertificateChain.

Second, once the stream is up and running (I typically do this in my 'can accept bytes' or 'has bytes available' message handling), get the SecTrust object from the stream using kCFStreamPropertySSLPeerTrust and evaluate that trust for yourself. If the trust evaluation fails, tear down the stream.
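The two steps above, combined with the SecTrustSetAnchorCertificates() call from the question, as an added example that is not part of the original answer. The helper names, the `anchors` array (of SecCertificateRef) and `expectedHost` are hypothetical, and SecTrustEvaluateWithError() assumes iOS 12 / macOS 10.14 or later. The SSL policy is set explicitly so that the hostname check does not depend on what the stream attached to the trust object.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Step 1: call before CFReadStreamOpen(). Turns off the stream's built-in
// chain validation so the trust can be evaluated against our own anchors.
static void DisableBuiltInChainValidation(CFReadStreamRef stream) {
    NSDictionary *ssl = @{ (__bridge id)kCFStreamSSLValidatesCertificateChain : @NO };
    CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings,
                            (__bridge CFDictionaryRef)ssl);
}

// Step 2: call on the first "has bytes available" / "can accept bytes" event,
// before any application data is read or written.
// anchors and expectedHost are hypothetical inputs supplied by the caller.
static BOOL PeerIsTrusted(CFReadStreamRef stream, NSArray *anchors,
                          NSString *expectedHost) {
    SecTrustRef trust = (SecTrustRef)CFReadStreamCopyProperty(
        stream, kCFStreamPropertySSLPeerTrust);
    if (trust == NULL) {
        return NO;  // handshake not finished, or not a TLS stream
    }

    BOOL trusted = NO;
    // Explicit SSL server policy: chain checks plus hostname match.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)expectedHost);
    if (policy != NULL
        && SecTrustSetPolicies(trust, policy) == errSecSuccess
        && SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors) == errSecSuccess
        // Trust only our anchors, not the system root store as well.
        && SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess) {
        CFErrorRef error = NULL;
        trusted = SecTrustEvaluateWithError(trust, &error);
        if (error != NULL) {
            NSLog(@"Trust evaluation failed: %@", (__bridge NSError *)error);
            CFRelease(error);
        }
    }
    if (policy != NULL) CFRelease(policy);
    CFRelease(trust);
    return trusted;
}

// In the stream callback: tear the stream down on failure.
//   if (!PeerIsTrusted(stream, anchors, host)) { CFReadStreamClose(stream); }
```

With built-in validation disabled, nothing protects the connection until PeerIsTrusted() has returned YES, so no bytes should be sent or consumed before that check.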

License: CC-BY-SA with attribution
Not affiliated with StackOverflow