C# Asynchronous Tcp Server with SSL. How can I get mutual authentication with iOS NSStream?

Question

This is my first post at stackoverflow.com, so if i do something wrong just let me know. So onto the problem.

I have a C# server currently running System.Net.Socket Sockets similar to the sample code Microsoft provided here.

I also have an Objective-C iPad client running NSInputStream/NSOutputStream bound to CFReadStream/CFWriteStream.

At present with only username/password authentication sent via an XML Serialized Object the client and server can communicate without any issues.

The problem I now have is that the communication has to be secure, and talking to clients, SSL encryption would be acceptable. However, I don't think they would accept just the "Server Certificate" as good enough. So I am trying to get the iPad client to use a "Client Certificate". I would like to enable true mutual authentication.

If I can't achieve mutual authentication, a third party VPN Software could be the better solution to secure the communication.

I haven't completed the conversion yet, but I have found a few articles that give me good examples of this, but there are no examples that fit my situation for client side certificates on the iPad. The samples that i have found are:

C# SSL Tcp Server

Apple Developer site that shows how to use SSL, but no client certificate

iPad SSL Stream without client certificate.

iPad SSL Stream without client certificate

iPad HTTP Client that uses client certificate

Basically the system must eventually run TCP communication with SSL embedded with the ability to manage certificates. Not sure if it makes a difference, but as this would be going to many different clients, it is preferable to be compatible with SSL 3.0 and TLS(any version).

As I have only been dabbling in Objective-C for the past 6 months and am more familiar with C#, I will probably need you to explain your answer in simpler terms.

Edit:
I am more concerned with the Objective-C side of the equation, as I am fairly sure the C# side will be simple. Basically I need someone to explain how to implement client side certificates on a TCP NSStream in Objective-C or point me in the direction of possible solutions or approaches to the problem.

Any help will be greatly appreciated.

Chris

Answer 1

I cannot answer your question with regards to how to implement this on the objective-c side as what you ask is beyond what a single application can achieve on IOS devices. Thinking outside the box..

From Apple:

iOS supports the Simple Certificate Enrollment Protocol (SCEP). SCEP is an Internet draft in the IETF, and is designed to provide a simplified way of handling certificate distribution for large-scale deployments. This enables over-the-air enrollment of identity certificates to iPhone and iPad that can be used for authentication to corporate services.

Knowing this and searching for SCEP in the developer library points me to this page - https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html

This page will be of interest, notice that Microsoft Server supports this:- https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1 and it even has some sample client/server code.

My interest is generally in the field of Mobile-Device-Management and have been looking into this.

Hope this helps.