我正在尝试使用苹果的Secure Transport API,将iOS客户端与OS X服务器连接到TLS 1.2。我已经成功地实现了BSD套接字通信,并且在使用TLS时遇到了很多问题。从Wireshark的输出中可以看出,SSL握手甚至没有真正开始,因此可能是我在一侧或另一侧错误地设置了SSL,但我不确定我可能犯了什么错误。
服务器端:
void establish_connection(int sockfd) {
SSLContexRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
SSLSetConnection(sslContext, (SSLConnectionRef)(long)sockfd);
SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);
// Get self-signed certificate from p12 data
CFDataRef cert_data = CFDataCreate(kCFAllocatorDefault, cert_p12, cert_p12_len);
CFArrayRef items = NULL;
const void *options_keys[] = { kSecImportExportPassphrase };
const void *options_values[] = { CFSTR("password") };
CFDictionaryRef options = CFDictionaryCreate(kCFAllocatorDefault, options_keys, options_values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
SecPKCS12Import(cert_data, options, &items);
CFRelease(options);
CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity);
CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **)&identity, 1, NULL);
SSLSetCertificate(sslContext, certs);
// Fails with errSSLProtocol
SSLHandshake(sslContext);
...
}
客户端:
void establish_connection(int server_sockfd) {
SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
SSLSetConnection(sslContext, (SSLConnectionRef)server_sockfd);
SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);
// Fails with errSSLProtocol
SSLHandshake(sslContext);
...
}
Wireshark对尝试握手的转储:
Source Destination Protocol Length Info
client server TCP 78 50743 > 49754 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=16 TSval=365690143 TSecr=0 SACK_PERM=1
server client TCP 78 49754 > 50743 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=16 TSval=666304222 TSecr=365690143 SACK_PERM=1
client server TCP 66 50743 > 49754 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=365690468 TSecr=666304222
server client TCP 66 [TCP Window Update] 49754 > 50743 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304252 TSecr=365690468
server client TCP 66 49754 > 50743 [FIN, ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304281 TSecr=365690468
client server TCP 66 50743 > 49754 [ACK] Seq=1 Ack=2 Win=131760 Len=0 TSval=365690498 TSecr=666304281
server client TCP 66 [TCP Dup ACK 9099#1] 49754 > 50743 [ACK] Seq=2 Ack=1 Win=131760 Len=0 TSval=666304283 TSecr=365690498
使用Wireshark来尝试诊断问题,但我甚至没有看到任何SSL握手消息。我看到TCP连接建立,然后立即关闭,并且没有长度大于0的数据包。我可能做错了什么?