Using SSLSetEnabledCiphers with AFNetworking to disable weak ciphers

Question

I am trying to disable some ciphers (weak) such as single DES, single DES 40 bit etc.

I've tried using this bit of code from How does one set SSL ciphers when using CFSocket/CFStream in Cocoa? and from mailing list message CFNetwork SSL and long blocking delays but I need access to socket data to get the CFDataRef.

Here is the code that I tried to insert in the handshake method in AFURLConnectionOperation class:

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge (NSURLAuthenticationChallenge *)challenge{
    CFReadStreamRef stream = [sock getCFReadStream];
    CFDataRef data = CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);

    // Extract the SSLContextRef from the CFData
    SSLContextRef sslContext;
    CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), &sslContext);

    // Get all enabled ciphers
    size_t numCiphers;
    SSLGetNumberEnabledCiphers(sslContext,&numCiphers);
    SSLCipherSuite ciphers[numCiphers];
    SSLGetEnabledCiphers(sslContext,ciphers,&numCiphers);

    // Create a new cipher array with only non-DH ciphers, and set it
    SSLCipherSuite finalCiphers[numCiphers];
    int numFinalCiphers = 0;
    for(int i=0; i<numCiphers; i++) {
        SSLCipherSuite suite = ciphers[i];
        if(!cipherSuiteUsesDH(suite)) {
            finalCiphers[numFinalCiphers] = suite;
            numFinalCiphers++;
        }
    }
    SSLSetEnabledCiphers(sslContext,finalCiphers,numFinalCiphers);
}

Any and all help would be appreciated.

EDIT: Unfortunately this is an existing project and it still uses version 1 of AFNetworking.

Answer 1

Using SSLSetEnabledCiphers with AFNetworking to disable weak ciphers

OK, this one piqued my interest because its something I do in other languages, but not Cocoa/CocoaTouch. Its been on my TODO list for some time. The answer is you can't do it when working with the high level objects like NSURLConnection.

I could not find a way to bridge the gap between NSURLConnection and friends and the low level stuff needed to set the cipher suits. If you are interested, the "highest" the low level stuff goes is CFSocketStream. So the job is to get NSURLConnection to work with a CFSocketStream (or access the CFSocketStream in the NSURLConnection).

I also mirrored your question on Apple's Network Programming mailing list, and both Jens and Quinn confirmed it (Quinn provided the info on CFSocketStream). See Configure socket used by NSURLConnection?.

Also, in case you did not realize it, attempting to modify the properties in -connection:didReceiveAuthenticationChallenge: is too late. By the time you get the authentication challenge, the handshake is already in progress (i.e., the ClientHello has already been sent).

If you do manage to find a hack to do it, then please post it.