Posted to user@thrift.apache.org by Jools <jo...@gmail.com> on 2014/01/01 12:11:38 UTC

Re: iOS SSL Thrift Connection

Hi Ted,

It really depends on the environment you are working in, where the clients
and servers are located and how you go about testing the code in your
development environment.

You really need to make some time to understand how SSL works (Just google
it, there are lots of very well written pages) and map them back to the
StreamSocket settings.

If the data is sensitive, then get some input from the business as they may
have contractual obligations which relate to how the data is transmitted.

Hope that helps !

--Jools




On 31 December 2013 20:23, Ted Rogers <te...@gmail.com> wrote:

> Jools,
>
> Thanks for your help.
>
> I do have another question.  I have been searching for examples of setting
> up SSL with sockets on iOS and they all have similar code which concerns me
> because it seems to reduce the security.
>
> After setting the NSStreamSocketSecurityLevelKey property, they also
> configure these settings like this:
>
> NSDictionary *settings = [[NSDictionary alloc] initWithObjectsAndKeys:
>     [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
>     [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
>     [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain,
>     kCFNull, kCFStreamSSLPeerName,
>     nil];
> CFReadStreamSetProperty((CFReadStreamRef)inputStream,
>     kCFStreamPropertySSLSettings, (CFTypeRef)settings);
> CFWriteStreamSetProperty((CFWriteStreamRef)outputStream,
>     kCFStreamPropertySSLSettings, (CFTypeRef)settings);
>
> Do you know whether I should be messing with any of these settings or just
> leave them at their default value?
>
> Ted
>
> -----Original Message-----
> From: Jools [mailto:joolski@gmail.com]
> Sent: Tuesday, December 31, 2013 1:33 AM
> To: user@thrift.apache.org
> Subject: Re: iOS SSL Thrift Connection
>
> Ted,
>
> I'm still using .6, as we've hacked it about so much I've not had time to
> merge my changes forward.
>
> I was just curious which version you are using.
>
> Best of luck, if you hit any issues post back here and I'm sure we'll be
> able to help.
>
> Cheers,
>
> --Jools
>
>
>
> On 30 December 2013 21:52, Ted Rogers <te...@gmail.com> wrote:
>
> > Jools,
> >
> > Not sure of current version as I can't find the version number in the
> > source or headers but I figured I would make sure I was using the
> > latest which I believe is 0.9.1.
> >
> > Is there a reason to do more than setting the stream properties?
> >
> > Ted
> >
> > -----Original Message-----
> > From: Jools [mailto:joolski@gmail.com]
> > Sent: Monday, December 30, 2013 3:01 PM
> > To: user@thrift.apache.org
> > Subject: Re: iOS SSL Thrift Connection
> >
> > Hi Ted,
> >
> > Yes, you can alter the stream properties to introduce SSL handshaking.
> >
> > Which version of thrift are you using ?
> >
> > --Jools
> >
> >
> >
> >
> > On 30 December 2013 19:31, Ted Rogers <te...@gmail.com> wrote:
> >
> > > Jools,
> > >
> > > Thanks for the response.  I am also using TNSFramedTransport.  I
> > > inherited this code so I am hanging on by my fingertips. :) After
> > > doing some more research I was wondering whether it was enough to
> > > just set the security level on the streams before opening them by
> > > setting the NSStreamSocketSecurityLevelKey and
> > > > kCFStreamPropertySSLSettings properties on the streams in
> > > > TSocketClient.
> > > > I assume that is not enough?
> > > Ted
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Mon, Dec 30, 2013 at 2:11 PM, Jools <jo...@gmail.com> wrote:
> > >
> > > > Hi Ted,
> > > >
> > > > > I hit this exact problem a while back, and ended up creating my
> > > > > own transport using GCDAsyncSocket, as I also needed SSL support
> > > > > along with Framed Transport.
> > > > >
> > > > > See https://github.com/robbiehanson/CocoaAsyncSocket for more
> > > > > information on this rather nifty library.
> > > >
> > > > If you'd like access to the code, let me know and I'd be happy to
> > > > post it up.
> > > >
> > > > Regards,
> > > >
> > > > > --Jools
> > > >
> > > >
> > > > On 30 December 2013 17:07, Ted Rogers <te...@gmail.com> wrote:
> > > >
> > > > >
> > > > > I'm looking to secure an existing Thrift connection using SSL.
> > > > > I see libraries for doing this with Java using
> > > > > > TSSLTransportFactory but I don't see any Cocoa source for
> > > > > > this.
> > > > >
> > > > > Any suggestions on how I go about doing this?
> > > > >
> > > > > Ted
> > > >
> > >
> >
> >
>
>
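
An added example, not part of the original thread and not Thrift's own code: the settings dictionary quoted in the message above switches off expiry, trust-root, chain and host-name checks, so this sketch flags those keys in a dictionary and configures a stream pair with validation left on. `WeakenedSSLSettings`, `EnableValidatedTLS`, the `K` macro, and the host `thrift.example.com` on port 9090 are hypothetical names chosen for illustration; ARC is assumed.

```objc
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#define K(cfkey) ((__bridge NSString *)(cfkey))

static BOOL IsBool(id v, BOOL want) {  // nil or non-number values never match
    return [v respondsToSelector:@selector(boolValue)] && [v boolValue] == want;
}
// Hypothetical helper: returns the keys in an SSL settings dictionary that relax
// certificate validation. An empty array means the defaults are untouched.
static NSArray *WeakenedSSLSettings(NSDictionary *s) {
    NSDictionary *relaxing = @{ K(kCFStreamSSLAllowsExpiredCertificates) : @YES,
                                K(kCFStreamSSLAllowsAnyRoot) : @YES,
                                K(kCFStreamSSLValidatesCertificateChain) : @NO };
    NSMutableArray *weak = [NSMutableArray array];
    for (NSString *key in relaxing)
        if (IsBool(s[key], [relaxing[key] boolValue])) [weak addObject:key];
    if ([s[K(kCFStreamSSLPeerName)] isKindOfClass:[NSNull class]])  // kCFNull
        [weak addObject:K(kCFStreamSSLPeerName)];
    return weak;
}

// Hypothetical helper: turns on TLS for a stream pair before it is opened, with
// chain validation on and the certificate checked against the dialled host.
static BOOL EnableValidatedTLS(NSInputStream *input, NSOutputStream *output, NSString *host) {
    NSDictionary *settings = @{ K(kCFStreamSSLValidatesCertificateChain) : @YES,
                                K(kCFStreamSSLPeerName) : host };
    CFDictionaryRef cf = (__bridge CFDictionaryRef)settings;
    NSString *level = NSStreamSocketSecurityLevelNegotiatedSSL;
    return [input setProperty:level forKey:NSStreamSocketSecurityLevelKey]
        && [output setProperty:level forKey:NSStreamSocketSecurityLevelKey]
        && CFReadStreamSetProperty((__bridge CFReadStreamRef)input, kCFStreamPropertySSLSettings, cf)
        && CFWriteStreamSetProperty((__bridge CFWriteStreamRef)output, kCFStreamPropertySSLSettings, cf);
}

int main(void) {
    @autoreleasepool {
        // Constructed copy of the dictionary quoted in the thread.
        NSDictionary *quoted = @{ K(kCFStreamSSLAllowsExpiredCertificates) : @YES,
                                  K(kCFStreamSSLAllowsAnyRoot) : @YES,
                                  K(kCFStreamSSLValidatesCertificateChain) : @NO,
                                  K(kCFStreamSSLPeerName) : [NSNull null] };
        NSLog(@"relaxed keys: %@", WeakenedSSLSettings(quoted));
        // Constructed host and port; nothing connects until the streams are opened.
        CFReadStreamRef r = NULL; CFWriteStreamRef w = NULL;
        CFStreamCreatePairWithSocketToHost(NULL, CFSTR("thrift.example.com"), 9090, &r, &w);
        NSLog(@"TLS configured: %d", EnableValidatedTLS((__bridge_transfer NSInputStream *)r,
              (__bridge_transfer NSOutputStream *)w, @"thrift.example.com"));
    }
}
```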

Re: iOS SSL Thrift Connection

Posted by Jools <jo...@gmail.com>.
Excellent news Ted, glad you are all up and running.

Cheers,

--J


On 7 January 2014 15:30, Ted Rogers <te...@gmail.com> wrote:

> Hey Jools,
>
> Thanks for your help on this.  I decided to go with the defaults for all
> the settings for now and things seem to be working fine.
>
> Ted

RE: iOS SSL Thrift Connection

Posted by Ted Rogers <te...@gmail.com>.
Hey Jools,

Thanks for your help on this.  I decided to go with the defaults for all the
settings for now and things seem to be working fine.

Ted
