SSLPlugin malfunctions on macOS Sierra

Recently our project wanted to use ICE in a macOS application. It uses SSL for security and it ran well on macOS 10.11. But after updating my Mac to 10.12 Sierra, I got the following error:

2017-01-04 10:23:27.048756 YQB_Mac[2675:495987] SecureTransportTransceiverI.cpp:284: ::Ice::ProtocolException:
protocol exception:
IceSSL: ssl error occurred for new outgoing connection:
local address = 192.168.1.190:55989
remote address = 101.201.178.140:6003
(error: -9810 description: Internal error)

This error occurs for both C++ and Objective-C, on both versions 3.6.3 and 3.7a3, and is repeatable. So I suspect this is a platform-dependent issue; would you please have a look? Please let me know if you need more details.

Thanks in advance
Daniel

Comments

  • More clues: when I use TCP instead of SSL, our application can communicate with the server normally.

  • benoit (Rennes, France)

    Hi Daniel,

    It definitely looks like an SSL platform-dependent issue. Are both the server and client running on macOS Sierra?

    Can you reproduce this same issue with our Ice/hello demo? What kind of certificates do you use?

    If you can provide us a small test case that reproduces the problem, we'd be happy to look into it.

    Cheers,
    Benoit.

  • Hi Benoit,

    Thanks for your quick follow-up. Our server side is implemented in pure Java, while the client-side implementation varies by platform, including iOS/Android/Windows/Mac/Web. For Mac, it's in Objective-C/C++ as mentioned before. The issue only occurs on macOS Sierra.

    As you suggested, I tried the hello example with some modifications and the issue is reproduced. I built both server and client in C++ and ran them on the same Mac running Sierra. The modifications are as follows:

    • In config.client & config.server, comment out:
      IceSSL.Keychain=client.keychain
      IceSSL.KeychainPassword=password
    • In config.client, add host name to endpoint specification:
      Hello.Proxy=hello:tcp -p 10000:udp -p 10000:ssl -p 10001 -h api.yintongzhibo.com
    • In /etc/hosts, add:
      127.0.0.1 api.yintongzhibo.com
    • Use our own certificate which was created by makecerts.py with default params in ice-demos except that the domain api.yintongzhibo.com was bound.

    The result is:

    ==> S 
    secure mode is now on
    ==> t
    SecureTransportTransceiverI.cpp:256: Ice::ProtocolException:
    protocol exception:
    IceSSL: ssl error occurred for new outgoing connection:
    remote address = 127.0.0.1:10001
    (error: -9810 description: Internal error)
    

    After I uncomment Keychain & KeychainPassword, everything goes well. So the question becomes: why are Keychain & KeychainPassword a must on Sierra?

    Thanks again.
    Daniel

  • benoit (Rennes, France)

    Hi,

    I'm not able to reproduce the problem. Can you post your configuration files along with the certificates?

    Cheers,
    Benoit.

  • Hi Benoit,

    See attachment. According to the documentation, if the keychain stuff is missing, the default login keychain will be used. So would it be possible that some security configuration impacts the result?

    Thanks
    Daniel

  • benoit (Rennes, France)

    Hi,

    The configuration files are the original ones, could you please also send your modified configuration files? I'm still unable to reproduce the problem with your certificates and your instructions. The connection establishment works for me.

    The default keychain is indeed used when the keychain properties are not set.

    Cheers,
    Benoit.

  • Hi, Benoit,

    Just comment out the following from config.client & config.server and then you will see the errors.
    IceSSL.Keychain=client.keychain
    IceSSL.KeychainPassword=password

    Cheers
    Daniel

  • benoit (Rennes, France)

    Hi,

    I did comment them out; find attached the configuration files I used to run the hello demo. I'm not seeing the error you're seeing. I'm using macOS Sierra 10.2.2.

    Cheers,
    Benoit.

  • Hi, Benoit,

    I would assume your OS is Sierra 10.12.2 rather than 10.2.2, which is the same OS version as mine. So I suspect some security limitation on the login keychain might lead to the issue. Any suggestions?

    Thanks.
    Daniel

  • benoit (Rennes, France)

    Hi Daniel,

    Yes, sorry, it's 10.12.2. I also tried with a regular user account and I don't get the problem. Did you try with another user account, an admin account, or another macOS machine?

    Cheers,
    Benoit.