I have been trying to use swift-nio-ssl to connect to a server using the CA certificate and server certificate.

After numerous attempts, and trying out different approaches, I could not get a solution. Any tutorial or any help in connecting to TLS using a CA certificate with swift-nio-ssl would be helpful.

BlackPearl12

1 Answer

I'm not 100% sure if that's what you're asking, but if you are trying to connect to a server using a custom CA, you probably want the following TLSConfiguration:

var tlsConfiguration = TLSConfiguration.forClient()
tlsConfiguration.trustRoots = .file("/tmp/the-ca.pem") // the CA

If you want to verify the certificate chain that the server provides, you should use NIOSSLClientHandler(context:serverHostname:customVerificationCallback:) when creating the NIOSSLClientHandler that you put in your pipeline. The last argument is a NIOSSLCustomVerificationCallback, which allows completely overriding the certificate verification logic of BoringSSL; it gets presented the whole certificate chain the remote peer provided.

(Just in case you don't use NIO directly but through another library such as Vapor or AsyncHTTPClient, the above doesn't necessarily make any sense because you don't add the NIOSSLClientHandler yourself.)

At this point, just using a TLSConfiguration does not allow you to implement certificate pinning. You could in theory implement it using the NIOSSLCustomVerificationCallback, but in practice this may be hard depending on how exactly you're planning to pin.

If you provide some more detail on what exactly you want to achieve, I'm happy to expand a bit on this.

Johannes Weiss
  • Thanks. I have a server based on the GRPC module which I need to connect to with bootstrapping trust, to call micro-services in Swift. I am able to use the GRPC part successfully. My current problem scenario is: CA certificate, server certificate, private key, where I need to connect to server "xyz.com" from iOS using TLS to establish a connection. I cannot seem to use all the certificates to establish a connection to the server using swift NIO SSL. Any sample code demonstrating this would be helpful. Thanks in advance – BlackPearl12 Apr 05 '20 at 21:13
  • @BlackPearl12 hmm, that sounds more like you're trying to get TLS mutual authentication working. That's definitely supported today, here, I helped someone achieve the same with AsyncHTTPClient: https://github.com/swift-server/async-http-client/issues/27#issuecomment-489760481 . Is that what you're looking to do? – Johannes Weiss Apr 06 '20 at 13:42
  • Thanks. I did some research and above comments from you definitely helped me to come to a solution. – BlackPearl12 Apr 15 '20 at 17:28
  • I wrote an article on gRPC integration with iOS Swift for SSL pinning using a CA certificate. This might help others who are stuck at this issue: https://medium.com/@ambrose12silveira/ios-swift-grpc-integration-with-tls-client-authentication-f2e2164ed125 – BlackPearl12 Sep 02 '20 at 08:28
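
The custom-CA configuration from the answer, together with the mutual-authentication case raised in the comments, wired into a NIO client pipeline. This is an added example, not code from the answer or from the swift-nio-ssl project; the function name `makeTLSBootstrap`, the client certificate and key paths, and port 443 are assumptions.

```swift
import NIO
import NIOSSL

// Added example. makeTLSBootstrap is a hypothetical helper; all file paths are placeholders.
func makeTLSBootstrap(group: EventLoopGroup, host: String) throws -> ClientBootstrap {
    // Newer swift-nio-ssl releases spell this TLSConfiguration.makeClientConfiguration().
    var tls = TLSConfiguration.forClient()

    // Trust only the custom CA instead of the system trust store.
    tls.trustRoots = .file("/tmp/the-ca.pem")
    // Client default, stated explicitly: verify the chain and the host name.
    tls.certificateVerification = .fullVerification

    // Mutual authentication only: the client's own certificate and private key.
    // Omit both lines if the server does not request a client certificate.
    tls.certificateChain = [.file("/tmp/client-cert.pem")]
    tls.privateKey = .file("/tmp/client-key.pem")

    // Build the context once and share it across connections.
    let sslContext = try NIOSSLContext(configuration: tls)

    return ClientBootstrap(group: group).channelInitializer { channel in
        do {
            // serverHostname is used for SNI and for the host name check on the certificate.
            let handler = try NIOSSLClientHandler(context: sslContext, serverHostname: host)
            return channel.pipeline.addHandler(handler)
        } catch {
            return channel.eventLoop.makeFailedFuture(error)
        }
    }
}

let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
do {
    // connect() completes once TCP is up; the TLS handshake runs afterwards, and a
    // verification failure surfaces as an error in the pipeline that closes the channel.
    let channel = try makeTLSBootstrap(group: group, host: "xyz.com")
        .connect(host: "xyz.com", port: 443)
        .wait()
    print("TCP connected to \(channel.remoteAddress?.description ?? "unknown")")
    try channel.close().wait()
} catch {
    print("connection failed: \(error)")
}
try? group.syncShutdownGracefully()
```

The server's own certificate and private key stay on the server; the client needs only the CA file, plus its own certificate and key when the server requires mutual authentication.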