Re: TLS protocol levels, POODLE, and TN2287
- Subject: Re: TLS protocol levels, POODLE, and TN2287
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Thu, 16 Oct 2014 10:31:56 +0100
On 15 Oct 2014, at 21:50, Jens Alfke <email@hidden> wrote:
> As I update this code I'm wondering whether this is still a problem for any significant number of servers, or whether they've all been fixed in the three years since the technote was written?
No, these servers are not all fixed. I still deal with crazy-arsed TLS compatibility issues on a regular basis.
> If we still need to follow the workaround, it looks like the CFStream API doesn't allow setting a separate min/max protocol level [...]
The trick here is to get the Secure Transport context from the stream and use it to configure the max and min TLS versions. The TLSTool sample code shows the first part of this. Look for kCFStreamPropertySSLContext.
<https://developer.apple.com/library/mac/samplecode/SC1236/>
The second part is just a matter of calling SSLSetProtocolVersionMin and SSLSetProtocolVersionMax. And at this level the required constants /are/ public API (-:
btw I've done this successfully on socket streams. HTTP streams should work the same way, but I haven't personally tested it.
I've filed a bug to remind myself to update <rdar://problem/18676724> to include this info. I don't know when I'll get around to it though.
I've also filed a bug to get TN2287 updated to mention NSURLSession's TLS version support <rdar://problem/18676754>.
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
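The two-step workaround described above (fetch the Secure Transport context via kCFStreamPropertySSLContext, then call SSLSetProtocolVersionMin/Max), written out as an added example; this is not code from the post, from TLSTool, or from TN2287. It assumes an ARC Objective-C build linking Foundation, CFNetwork and Security, and that the SSL settings property must be set first so that CFNetwork creates the context before it is copied out.

```objective-c
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#import <Security/Security.h>

// Open a socket stream pair to host:port with TLS enabled, then reach into the
// stream's Secure Transport context and set min and max versions separately:
// floor at TLS 1.0 so SSLv3 is never negotiated (the POODLE concern), while
// still allowing up to TLS 1.2. This must happen BEFORE the streams are
// opened; the handshake picks up the limits on first I/O.
// On failure both out-params are left NULL.
static BOOL OpenTLSStreamPair(NSString *host, UInt32 port,
                              CFReadStreamRef *readStream,
                              CFWriteStreamRef *writeStream)
{
    CFReadStreamRef rs = NULL;
    CFWriteStreamRef ws = NULL;
    BOOL ok = NO;
    *readStream = NULL;
    *writeStream = NULL;

    CFStreamCreatePairWithSocketToHost(NULL, (__bridge CFStringRef)host, port, &rs, &ws);
    if (rs != NULL && ws != NULL) {
        // 1. Enabling TLS is what makes CFNetwork create the SSLContext. Use the
        //    negotiated level; kCFStreamSocketSecurityLevelTLSv1 would pin exactly
        //    TLS 1.0, which is the single-knob limitation being worked around.
        NSDictionary *sslSettings = @{
            (__bridge id)kCFStreamSSLLevel    : (__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL,
            (__bridge id)kCFStreamSSLPeerName : host,   // name the server cert is checked against
        };
        ok = CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings,
                                     (__bridge CFTypeRef)sslSettings);
        // 2. Copy out the context the stream just created.
        SSLContextRef ctx = ok ? (SSLContextRef)CFReadStreamCopyProperty(rs, kCFStreamPropertySSLContext) : NULL;
        if (ctx != NULL) {
            // 3. Independent floor and ceiling instead of one fixed level.
            ok = SSLSetProtocolVersionMin(ctx, kTLSProtocol1)  == errSecSuccess &&
                 SSLSetProtocolVersionMax(ctx, kTLSProtocol12) == errSecSuccess;
            CFRelease(ctx);
        } else {
            ok = NO;
        }
        // 4. Only now open the streams; a context changed after open is ignored.
        if (ok) ok = CFReadStreamOpen(rs) && CFWriteStreamOpen(ws);
    }

    if (ok) {
        *readStream = rs;
        *writeStream = ws;
    } else {
        if (rs) { CFReadStreamClose(rs); CFRelease(rs); }
        if (ws) { CFWriteStreamClose(ws); CFRelease(ws); }
    }
    return ok;
}
```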