Apple Secure Transport or OpenSSL: this is the problem

Securing data in transit over a network is the main concern for anyone who cares about their data. To achieve it, you can implement your own security protocols or use existing security APIs. These APIs sit at different levels: low-level ones (BSD sockets and Common Crypto) or higher-level APIs where they are available.

“The Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, provide support for secure communication over a network. They are commonly used over TCP/IP connections such as the Internet. They use certificate-based authentication to ensure that you are communicating with a valid server, they validate data to prevent tampering, and they can use public-key cryptography to guard against eavesdropping or message forgery.” (Source: Apple Developer)

To take advantage of SSL and TLS, you can use the Apple Secure Transport API in OS X or in iOS 5.0 and later (for maximum control), or one of many open source tools such as OpenSSL. So what is the difference between these two APIs? Why would you switch from the Apple Secure Transport API to OpenSSL? I decided to write this article because I ran into this problem during the installation of Piwik (an open-source analytics platform): on a Mac it returns some errors due to lack of compatibility with Apple Secure Transport.

Which kind of SSL do you have? If you run this in Terminal:

php -i | grep "SSL Version"

you will get:

SSL Version => SecureTransport
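The same check as a small script, useful before and after rebuilding PHP. This is an added example, not code from the original article; the function name php_curl_tls_backend and both sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify the TLS library
# that PHP's cURL extension reports in `php -i` output.

# Reads `php -i` text on stdin and prints one word:
#   securetransport | openssl | libressl | other | none
php_curl_tls_backend() {
    # The cURL section contains a line "SSL Version => <library string>".
    # Anchoring at the start of the line skips the openssl extension's
    # "OpenSSL Library Version => ..." line, which belongs to a different
    # extension and need not match the library cURL was built against.
    value=$(sed -n 's/^SSL Version => //p' | head -n 1)
    case "$value" in
        '')               echo none ;;             # no cURL "SSL Version" line
        SecureTransport*) echo securetransport ;;
        LibreSSL/*)       echo libressl ;;
        OpenSSL/*)        echo openssl ;;
        *)                echo other ;;            # e.g. GnuTLS or NSS builds
    esac
}

# Constructed sample: excerpt shaped like `php -i` from a PHP using Secure Transport.
SAMPLE_STOCK='curl
cURL support => enabled
SSL Version => SecureTransport
openssl
OpenSSL Library Version => OpenSSL 0.9.8zh 14 Jan 2016'

# Constructed sample: the same excerpt after rebuilding PHP against OpenSSL.
SAMPLE_REBUILT='curl
cURL support => enabled
SSL Version => OpenSSL/1.0.2j
openssl
OpenSSL Library Version => OpenSSL 1.0.2j  26 Sep 2016'

printf 'stock sample:   %s\n' "$(printf '%s\n' "$SAMPLE_STOCK" | php_curl_tls_backend)"
printf 'rebuilt sample: %s\n' "$(printf '%s\n' "$SAMPLE_REBUILT" | php_curl_tls_backend)"

# Live check, only when a php binary is on PATH.
if command -v php >/dev/null 2>&1; then
    printf 'this machine:   %s\n' "$(php -i 2>/dev/null | php_curl_tls_backend)"
fi
```

Note that the stock sample mentions OpenSSL in the openssl extension's section while cURL still reports SecureTransport, which is why the function only trusts the cURL line.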

Secure Transport

Apple Secure Transport is an API that lets you use SSL and TLS. It is available on both OS X and iOS 5.0 and later.

According to the Apple Developer website, the Secure Transport API lets you:

“Choose which protocols (SSL/TLS versions) and cipher suites should be allowed, and (after connecting) determine which protocol and cipher suite were actually negotiated.
Specify Diffie-Hellman parameters for key exchange
Specify whether client-side authentication should be required, and obtain that identification.
Manage certificates and trust policies—specify certificates to use for client or server identification, specify the domain name to use when determining whether the other host’s certificate is valid, provide trust policies for expired certificates and unknown or expired root certificates, add additional trusted root certificates, and so on.
Secure Transport uses certificate management and cryptography services provided by CDSA and Common Crypto. Secure Transport has no transport-layer dependencies; it can be used with BSD sockets, Open Transport, or any other transport-layer protocol available.”

 

OpenSSL

Although macOS includes a low-level command-line interface to OpenSSL, this is not available on iOS.

Although OpenSSL is the main toolkit widely used in the open source community, it “does not provide a stable API from version to version” according to Apple. For this reason, the OpenSSL toolkit was deprecated in OS X and excluded from iOS.

If you have a compatibility problem and need OpenSSL to make your software work, you need to compile it yourself. It seems that it works on both iOS and OS X. To compile OpenSSL, you can follow the simple steps described in the article "Roll your own PHP to support OpenSSL instead of Secure Transport" by Michael Fraase.

admin
