1 Reply
      Latest reply: Feb 13, 2017 2:33 PM by eskimo
      JimMatthews Level 1 (0 points)

        I currently close CFNetwork TLS connections (implemented with CFSocketCreateWithNative, CFStreamCreatePairWithSocket and CFWriteStreamSetProperty(kCFStreamPropertySSLSettings)) by calling CFWriteStreamClose() followed by shutdown() on the underlying socket. The server is complaining that the SSL session has not been closed correctly, i.e. that it has not received a TLS close_notify message. And indeed, when I look at the traffic in Wireshark I don't see such a packet. Similarly, when I look at the traffic from the TLSTool sample app, it appears to send a FIN without first sending a TLS close_notify.

        Is there a way to tell CFNetwork to send TLS close_notify?

        • Re: Is there a way to tell CFNetwork to send TLS close_notify?
          eskimo Apple Staff (6,765 points)

          This is tricky.  You can do the opposite of this (starting a TLS session on a connected socket stream, that is, a STARTTLS) by setting kCFStreamPropertySSLSettings after the open, but you can’t undo this in a similar way (like setting that property to nil).

          In theory you should be able to do this with NSURLSessionStreamTask by calling the -stopSecureConnection.  However, I don’t think that’s implemented properly (r. 30498346).

          Weirdly, CFSocketStream seems to have all the infrastructure to make this work, it just doesn’t kick in, and it’s hard to see why not (for an example of the weirdness, CFSocketStream does not call SSLClose when you close the stream, but if you release all of your references to the stream, including those held by the run loop, it does!).  If you’d like me to dig into this further, you should open a DTS tech support incident so I can look at it during work hours (-:

          You might be able to make this work with something ‘clever’, like:

          1. Get and retain the SSLContext via the kCFStreamPropertySSLContext property

          2. Disconnect the socket stream pair from the underlying BSD Socket, as you’re already doing

          3. Set up new I/O functions on the SSLContextRef

          4. Close the TLS connection by calling SSLClose

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
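The four steps above, written out as an added example; this is not code from the thread and not something Apple has confirmed works. It assumes the stream pair was built on a non-blocking BSD socket `fd`, that `kCFStreamPropertySSLContext` hands back the live Secure Transport context, and that `SSLSetIOFuncs`/`SSLSetConnection` are honoured after the handshake has completed, which the reply above only conjectures. `RawSocketRead`, `RawSocketWrite` and `CloseTLSGracefully` are hypothetical names.

```objective-c
#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecureTransport.h>
#include <sys/socket.h>
#include <poll.h>
#include <errno.h>
#include <stdint.h>
#include <unistd.h>

/* Secure Transport read callback over a plain BSD socket (added example).
 * The SSLConnectionRef is the socket descriptor, handed in via SSLSetConnection. */
static OSStatus RawSocketRead(SSLConnectionRef conn, void *data, size_t *len) {
    int fd = (int)(intptr_t)conn;
    size_t want = *len, got = 0;
    while (got < want) {
        ssize_t n = recv(fd, (char *)data + got, want - got, 0);
        if (n > 0) { got += (size_t)n; continue; }
        if (n == 0) { *len = got; return errSSLClosedGraceful; }   /* peer sent FIN */
        if (errno == EINTR) continue;
        *len = got;
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? errSSLWouldBlock : errSecIO;
    }
    *len = got;
    return errSecSuccess;
}

/* Matching write callback; partial writes are reported as errSSLWouldBlock
 * with *len set to the bytes actually sent, as Secure Transport expects. */
static OSStatus RawSocketWrite(SSLConnectionRef conn, const void *data, size_t *len) {
    int fd = (int)(intptr_t)conn;
    size_t want = *len, sent = 0;
    while (sent < want) {
        ssize_t n = send(fd, (const char *)data + sent, want - sent, 0);
        if (n >= 0) { sent += (size_t)n; continue; }
        if (errno == EINTR) continue;
        *len = sent;
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? errSSLWouldBlock : errSecIO;
    }
    *len = sent;
    return errSecSuccess;
}

/* Hypothetical: close a CFSocketStream TLS session so that close_notify
 * goes on the wire before the TCP FIN. Assumes the streams and fd are
 * not used by anything else once this is called. */
OSStatus CloseTLSGracefully(CFReadStreamRef readStream, CFWriteStreamRef writeStream, int fd) {
    /* Step 1: get and own the SSLContext the stream pair is using (Copy rule). */
    SSLContextRef ctx = (SSLContextRef)CFWriteStreamCopyProperty(writeStream, kCFStreamPropertySSLContext);
    if (ctx == NULL) return errSecParam;

    /* Step 2: detach the streams from the socket: stop them closing the fd, then close them. */
    CFReadStreamSetProperty(readStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanFalse);
    CFWriteStreamSetProperty(writeStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanFalse);
    CFReadStreamClose(readStream);
    CFWriteStreamClose(writeStream);

    /* Step 3: re-point the context's I/O at the raw socket (the unverified assumption). */
    OSStatus err = SSLSetIOFuncs(ctx, RawSocketRead, RawSocketWrite);
    if (err == errSecSuccess) err = SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)fd);

    /* Step 4: send close_notify; on a non-blocking socket wait for writability and retry. */
    while (err == errSecSuccess) {
        err = SSLClose(ctx);
        if (err != errSSLWouldBlock) break;
        struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
        if (poll(&p, 1, 5000) <= 0) { err = errSecIO; break; }   /* bound the wait at 5 s */
        err = errSecSuccess;
    }
    CFRelease(ctx);

    /* Only now tear down the TCP side. */
    shutdown(fd, SHUT_WR);
    close(fd);
    return err;
}
```

The check that tells you whether the approach worked is the same capture the question describes: a Wireshark trace of a successful run shows an encrypted TLS Alert record from the client before its FIN, and the server stops logging an unclean shutdown. If `SSLSetIOFuncs` or `SSLSetConnection` refuses the call on an already-handshaken context, that is the point where the trick fails and the DTS route suggested above is the fallback.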