Added an optional URL with a path to a local DER-encocded certificate. When allowing self-signed certificates, the embedded certificate is loaded as an Anchor Certificate and validated using SecTrustEvaluateWithError()

Description

For the user, the only interface change is an optional URL in the Configuration init() method. If not set, the previous behavior is maintained. When the URL is set to a file, and the user has allowed self-signed certificates and is a client, then during the SSLHandshake the server presented trust is validated against the embedded certificate. The certificate must be a DER encoded X.509 certificate.

Motivation and Context

I am using BlueSSLService on iOS to connect securely to a server that uses its own root certificate, but I would like to validate the certificate. Previously, you can only accept any server supplied certificate, or the server certificate must be trusted by iOS. (There's no way to programmatically add the certificate to iOS keychain, you must go through a process to have the user install from a browser). If I have the public certificate of the server embedded in the app, I can use this feature to validate it.

How Has This Been Tested?

This is an iOS feature only - not implemented on Linux. I verified that when the URL is set to nil, the behavior is unchanged - I can successfully connect to my server when self-signed is true, and I get an errSSLXCertChainInvalid error when self-signed is false. If I embed by server certificate in the app and load it as follows

let path = Bundle.main.url(forResource: "cert", withExtension: ".der") Then it successfully establishes the SSL connection. If I use a different (dummy) certificate, I again get the errSSLXCertChainInvalid error.

Note that in order to compile I needed to use

`swift build -Xswiftc "-target" -Xswiftc "x86_64-apple-macosx10.14"

because SecTrustEvaluateWithError is a 10.14 feature.

Checklist:

• [ ] I have submitted a CLA form
• [ ] If applicable, I have updated the documentation accordingly.
• [ ] If applicable, I have added tests to cover my changes.

Right now the library assumes a file that contains the certificate. It would be helpful to have the library also take a String that's Base64 encoded, as well. Bluemix users will receive a Base64 string for their certificate through the Bluemix environment variables to be used to connect with MongoDB, for instance.

Hi

I got a connection between my server and client using a key chain, the server says the user is signed in, but the app is frozen completely.

The console just gives me..

subsystem: com.apple.securityd, category: SecError, enable_level: 0, persist_level: 0, default_ttl: 0, info_ttl: 0, debug_ttl: 0, generate_symptoms: 0, enable_oversize: 0, privacy_setting: 2, enable_private_data: 0

but i think thats just xcode 8...

It doenst actually crash, its in some kind of frozen state.

If the server cancels the connection while "connected but frozen" i actually get a console output saying : Error code: -9806, ERROR: SSLHandshake, code: -9806, reason: errSSLClosedAbort

App still frozen

I am really out of any ideas now.. Any idea what went wrong?

EDIT: i debuged my project and came to the conclusion that the app fleezes at this spot in SSLService.swift:

private func prepareConnection(socket: Socket) throws {

..

repeat {

            status = SSLHandshake(sslContext)

        } while status == errSSLWouldBlock

...

Detail in this Kitura issue: https://github.com/IBM-Swift/Kitura/issues/1143

An incoming connection that establishes a TCP session but then sends no data will block the server from accepting connections indefinitely.

Steps to recreate:

• Start the server, make some SSL requests (demonstrate it is functional)
• Connect a rogue client, eg: telnet localhost 8443 and leave it doing nothing
• Try to make further requests. The server appears to be unresponsive

The problem seems to be that SSL_accept blocks, expecting to read the start of an SSL handshake from the client, which will never time out or allow the server to continue accepting connections. In the Kitura issue above, we block here: https://github.com/IBM-Swift/BlueSSLService/blob/335495c857b7062ecf7e228d8e021d0f7d51c5c9/Sources/SSLService.swift#L493

It looks like the Apple App Transport Security list of ciphers are not supported currently. By default App Transport Security is enabled and requires the following list of ciphers that support PFS.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I built a Kitura-1.6.1 service on Ubuntu-14.01 and using nmap probe I get the below list of ciphers. Trying to connect using URLSession reports a "no shared ciphers available" error.

|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A

I can't seem to find any stack overflow or github issues related to this. Is this a new bug or am i just missing something obvious ?

I'm getting the following errors, on Fedora26, which uses OpenSSL v1.1.0:

/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:318:54: error: use of undeclared type 'SSL'
                public private(set) var cSSL: UnsafeMutablePointer<SSL>? = nil
                                                                   ^~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:322:49: error: use of undeclared type 'SSL_METHOD'
                public private(set) var method: UnsafePointer<SSL_METHOD>? = nil
                                                              ^~~~~~~~~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:325:57: error: use of undeclared type 'SSL_CTX'
                public private(set) var context: UnsafeMutablePointer<SSL_CTX>? = nil
                                                                      ^~~~~~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:1120:80: error: use of undeclared type 'SSL'
        private func prepareConnection(socket: Socket) throws -> UnsafeMutablePointer<SSL> {
                                                                                      ^~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:405:5: error: use of unresolved identifier 'SSL_library_init'
                                SSL_library_init()
                                ^~~~~~~~~~~~~~~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:406:5: error: use of unresolved identifier 'SSL_load_error_strings'
                                SSL_load_error_strings()
                                ^~~~~~~~~~~~~~~~~~~~~~
OpenSSL.ERR_lib_error_string:1:13: note: did you mean 'ERR_lib_error_string'?
public func ERR_lib_error_string(_ e: UInt) -> UnsafePointer<Int8>!
            ^
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:407:5: warning: 'OPENSSL_config' is deprecated
                                OPENSSL_config(nil)
                                ^
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:408:5: error: use of unresolved identifier 'OPENSSL_add_all_algorithms_conf'
                                OPENSSL_add_all_algorithms_conf()
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:415:19: error: use of unresolved identifier 'SSLv23_server_method'
                                self.method = SSLv23_server_method()
                                              ^~~~~~~~~~~~~~~~~~~~
OpenSSL.SSLv3_server_method:2:13: note: did you mean 'SSLv3_server_method'?
public func SSLv3_server_method() -> OpaquePointer!
            ^
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:419:19: error: use of unresolved identifier 'SSLv23_client_method'
                                self.method = SSLv23_client_method()
                                              ^~~~~~~~~~~~~~~~~~~~
OpenSSL.SSLv3_client_method:2:13: note: did you mean 'SSLv3_client_method'?
public func SSLv3_client_method() -> OpaquePointer!
            ^
/homer/leif/swift/Kitura/.build/checkouts/BlueSSLService.git--774207894858193348/Sources/SSLService.swift:853:27: error: use of unresolved identifier 'SSL_CTRL_OPTIONS'
                                SSL_CTX_ctrl(context, SSL_CTRL_OPTIONS, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION, nil)
                                                      ^~~~~~~~~~~~~~~~
OpenSSL.SSL_CTRL_CHAIN:1:12: note: did you mean 'SSL_CTRL_CHAIN'?
public var SSL_CTRL_CHAIN: Int32 { get }
           ^
OpenSSL.SSL_CTRL_SET_MTU:1:12: note: did you mean 'SSL_CTRL_SET_MTU'?
public var SSL_CTRL_SET_MTU: Int32 { get }
           ^
error: terminated(1): /opt/swift/usr/bin/swift-build-tool -f /homer/leif/swift/Kitura/.build/debug.yaml

Adds support for ALPN using the new SecureTransport APIs in the fall 2017 OS releases.

Description

I've made the static & member ALPN-related variables available to all, not just Linux, and I've added a static Boolean variable which can be used to check whether ALPN is available at all. On Linux it returns true, on Apple platforms it returns true only if on 10.13/11.0/4.0 or above, via the Swift #available() expression.

Most of the work happens in two new private Apple-only functions, marked as @available only on the above OS revisions. Before the call to SSLHandshake() we take the available ALPN protocols and attach them to the context via SSLSetALPNProtocols(). After the handshake completes, we scan the list from the peer via SSLCopyALPNProtocols(), comparing against our list. The first match is set as our negotiatedALPNProtocol.

Motivation and Context

This should enable the Kitura HTTP2 module to function correctly on macOS and friends, since at present it's Linux-only due to the lack of ALPN.

How Has This Been Tested?

I have no idea how to test this. Apparently there are no unit tests for this project at all? Perhaps someone who's tested the Linux ALPN code can point me at something they used for that?

Checklist:

• [x] I have submitted a CLA form
• [ ] If applicable, I have updated the documentation accordingly.
• [ ] If applicable, I have added tests to cover my changes.

It is not possible to build an Kitura application under Linux using IBM`s Linux docker (Ubuntu 14.04 and Swift 4.2) when BlueSSLService is included alongside Kitura.

Interestingly enough, theres no problem on macOS, probably related to a fact that some of the Kitura packages uses OpenSSL only for Linux builds.

Output: 'OpenSSL' /root/VojacekJan/.build/checkouts/OpenSSL.git-8485872258080618489: warning: Ignoring declared target(s) 'OpenSSL' in the system package error: multiple targets named 'OpenSSL' in: OpenSSL, SSLService

Packages: ` import PackageDescription

let package = Package( name: "Name", products: [ .executable(name: "Name", targets: ["Name"]), ], dependencies: [ .package(url: "https://github.com/IBM-Swift/Kitura.git", from: "2.5.3"), .package(url: "https://github.com/IBM-Swift/HeliumLogger", from: "1.7.1"), .package(url: "https://github.com/IBM-Swift/Kitura-Session.git", from: "3.2.0"), .package(url: "https://github.com/thevojacek/Kitura-MiniHandlebars", from: "1.2.2"), .package(url: "https://github.com/OpenKitten/MongoKitten", from: "4.1.3"), .package(url: "https://github.com/thevojacek/Kitura-MongoDbSessionStore", from: "0.2.2"), .package(url: "https://github.com/IBM-Swift/Swift-JWT", from: "2.0.0"), .package(url: "https://github.com/krzyzanowskim/CryptoSwift", from: "0.12.0") ], targets: [ .target( name: "Name", dependencies: [ "Kitura", "HeliumLogger", "Kitura-MiniHandlebars", "KituraSession", "MongoKitten", "Kitura-MongoDbSessionStore", "SwiftJWT", "CryptoSwift" ]), ] ) `

Any help is much appreciated.

Application-Layer Protocol Negotiation (ALPN) is a TLS extension allows the application-layer to negotiate which protocol will by used over the secured socket. The main motivation for adding this support to BlueSSLService is to add support for HTTP/2 which uses this extension to choose the newer version of HTTP over the older ones.

Description

This PR follows the BlueSocket PR #67 that added new field/function to the SSLServiceDelegate protocol.

In this PR the implementation uses the OpenSSL API to register callback functions that will negotiate for a protocol based on ALPN information arriving from the client within the ClientHello message. The implementation tries to match a supported protocol from the availableAlpnProtocols list with the protocols requested by the client. If it will find a match the response will be sent back to the client and the selected protocol will be set in the negotiatedAlpnProtocol field.

Because of limitations of the Apple Secure Transport it is still unclear how and if ALPN negotiation is possible on MacOS. In this PR we only support the Linux environment by integrating with the OpenSSL API.

Motivation and Context

The main motivation for adding this support to BlueSSLService is to add support for HTTP/2 which uses this extension to choose the newer version of HTTP over the older ones.

How Has This Been Tested?

It has been tested with broader changes to Kitura-net and a new package under development for adding HTTP/2 support to Kitura.

Checklist:

• [ ] I have submitted a CLA form
• [ ] If applicable, I have updated the documentation accordingly.
• [ ] If applicable, I have added tests to cover my changes.

Using the following package.swift file:

import PackageDescription let package = Package( name: "project5", dependencies: [ .Package(url: "https://github.com/IBM-Swift/Kitura.git",majorVersion: 1), .Package(url: "https://github.com/IBM-Swift/Kitura-StencilTemplateEngine.git", majorVersion: 1), .Package(url: "https://github.com/IBM-Swift/HeliumLogger.git", majorVersion: 1) > ] )

running 'swift build' gets stuck on the following and the swift build process

Fetching https://github.com/IBM-Swift/Kitura.git Fetching https://github.com/IBM-Swift/Kitura-StencilTemplateEngine.git Fetching https://github.com/IBM-Swift/HeliumLogger.git Fetching https://github.com/twostraws/SwiftGD.git Fetching https://github.com/IBM-Swift/Kitura-net.git Fetching https://github.com/IBM-Swift/SwiftyJSON.git Fetching https://github.com/IBM-Swift/Kitura-TemplateEngine.git Fetching https://github.com/IBM-Swift/LoggerAPI.git Fetching https://github.com/IBM-Swift/BlueSocket.git Fetching https://github.com/IBM-Swift/CCurl.git Fetching https://github.com/IBM-Swift/BlueSSLService.git

The swift-build process then begins to consume memory and CPU usage

Description

Currently, BlueSSLService doesn't add support for openssl 1.1.X. This PR aims to add support for both openssl versions 1.0.X and 1.1.X

Resolves : https://github.com/IBM-Swift/Kitura/issues/1341

How Has This Been Tested?

Tested on both Ubuntu 16.04 and 18.04 with openssl 1.0.x and 1.1.x

Checklist:

• [x] I have submitted a CLA form
• [x] If applicable, I have added tests to cover my changes.

I actually use the LocalSocketBlue, but I wanted to use this library. After integrating, connecting to the server and sending data was seriously slowed down. How can I solve this?

I am using SSLService like so:

let listeningSocket = try Socket.create(family: .inet)
let configuration = ...
let sslService = try SSLService(usingConfiguration: configuration)
sslService?.skipVerification = true
sslService?.verifyCallback = { service in
    return (false, "invalid client cert")
}
listeningSocket.delegate = sslService
let newConnectionSocket = try socketConnection.acceptClientConnection()

Debugging led me to notice that neither skipVerification nor verifyCallback is being copied onto the new socket created by the last line.

This diff seems to fix it. I can open a PR but first wanted to make sure that a) I am not missing something and b) this won't have any unintended side effects.

diff --git a/Sources/SSLService/SSLService.swift b/Sources/SSLService/SSLService.swift
index f64f6fe..644a7ae 100644
--- a/Sources/SSLService/SSLService.swift
+++ b/Sources/SSLService/SSLService.swift
@@ -404,6 +404,8 @@ public class SSLService: SSLServiceDelegate {
        private init?(with source: SSLService) throws {
                
                self.configuration = source.configuration
+               self.skipVerification = source.skipVerification
+               self.verifyCallback = source.verifyCallback
                
                // Validate the config...
                try self.validate(configuration: source.configuration)

Hi all. In my app, I integrate the BluseSocket library and with other ios apps, it works perfectly. Now we are trying to connect to the server from Web with WebSocket. I create a self-signed certificate with this instruction: https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=overview-generating-self-signed-certificate-using-openssl And now when I want to connect, I am getting an error

Error code: -9825(0x-2661), ERROR: SSLRead, code: -9825, reason: misc. bad certificate

The common name of the certificate is localhost. Anyone can help me?

Hi there

I'm trying to connect and create an ssl socket using the following code snippet:
let fileCertURL = Bundle.main.url(forResource:"cert", withExtension: "pem")?.path
let fileKeyURL = Bundle.main.url(forResource:"key", withExtension: "pem")?.path
let myConfig = SSLService.Configuration(withCACertificateFilePath: nil, usingCertificateFile: fileCertURL, withKeyFile: fileKeyURL, usingSelfSignedCerts: true, cipherSuite: nil)
var socket = try Socket.create()
socket.delegate = try SSLService(usingConfiguration: myConfig)
try socket.connect(to: "******", port: ****)

But I keep getting this error: ERROR: Socket error: PKCS12 file not specified.

I am running this code on my actual iPhone device (not macOS) and by the documentation it doesn't says that I need to add a .pkcs12 file anywhere

any help is appreciated

On iOS, when connected with TLS, if there is a read pending (i.e., it's waiting for data), and I attempt to write data to the socket, the socket will not actually writing anything until something is read. There are no errors when writing to the socket.

The code I'm using to connect:

let configuration = SSLService.Configuration() 
socket.delegate = try SSLService(usingConfiguration: configuration)
try socket.connect(to: "...", port: 1337)

Everything works fine if I don't connect with TLS. I tried other libraries and this doesn't occur, so it seems to be an issue with BlueSSLService (and not the server).

Hello, In our project we have a standard configuration like this: _configuration = SSLService.Configuration() _socket = try Socket.create(family: .inet6, type: .stream, proto: .tcp) _socket.delegate = try SSLService(usingConfiguration: _configuration)

and we have a problem that when the certificate on server expires our app still is sending messages. How can we check this or stop sending if we detect that certificate is corrupted?