What does it mean when SSLRead returns errSSLServerAuthCompleted?

Chrome’s enabling the kSSLSessionOptionBreakOnServerAuthFlag option to SecureTransport. As expected, I see the status code errSSLServerAuthCompleted being returned from SSLHandshake after the server cert is sent; then we call SSLHandshake again and get noErr.

However, now I’m trying to connect to myopenid.com’s client-cert login and I’m seeing weird behavior. After the handshake completes with noErr, the first call to SSLRead returns errSSLServerAuthCompleted. The current code interprets that as an unknown fatal error, but even if I modify it to ignore it, the connection still aborts.

I think what’s happening is that the server wants to renegotiate (and ask for the client cert). But the OpenTransport docs don’t talk about renegotiation anywhere — they just say that after SSLHandshake returns noErr the connection is ready to use for sending and receiving data. Is that wrong? Am I expected to call SSLHandshake again if I get errSSLServerAuthCompleted back from SSLRead?

—Jens

PS: This is happening on 10.5.8. SSLSetSessionOption isn’t declared in the 10.5 SDK but we’re checking for the existence of the symbol dynamically.

  1. Ken McLeod says:
  2. Jens Alfke says:

    On Feb 8, 2010, at 4:55 PM, Ken McLeod wrote:

  3. Jens Alfke says:

    On Feb 9, 2010, at 10:26 AM, I wrote:

  4. Ken McLeod says:
  5. Jens Alfke says:

    On Feb 9, 2010, at 11:59 AM, Ken McLeod wrote:

  6. Ken McLeod says:
  7. Wan-Teh Chang says:
  8. Ken McLeod says:

    Jens,

    If you set your client certificate (by calling SSLSetCertificate) prior to starting the handshake, rather than doing it later in response to an errSSLClientCertRequested result, does the connection succeed?

    I think I understand the issue now, but want to be clear on that point.

    -ken

    On Feb 10 2010 05:53 PM, Jens Alfke wrote:
