I am trying to disable some ciphers (weak) such as single DES, single DES 40 bit etc.
I've tried using this bit of code from How does one set SSL ciphers when using CFSocket/CFStream in Cocoa? and from mailing list message CFNetwork SSL and long blocking delays but I need access to socket data to get the CFDataRef
.
Here is the code that I tried to insert in the handshake method in AFURLConnectionOperation
class:
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge (NSURLAuthenticationChallenge *)challenge{
CFReadStreamRef stream = [sock getCFReadStream];
CFDataRef data = CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);
// Extract the SSLContextRef from the CFData
SSLContextRef sslContext;
CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), &sslContext);
// Get all enabled ciphers
size_t numCiphers;
SSLGetNumberEnabledCiphers(sslContext,&numCiphers);
SSLCipherSuite ciphers[numCiphers];
SSLGetEnabledCiphers(sslContext,ciphers,&numCiphers);
// Create a new cipher array with only non-DH ciphers, and set it
SSLCipherSuite finalCiphers[numCiphers];
int numFinalCiphers = 0;
for(int i=0; i<numCiphers; i++) {
SSLCipherSuite suite = ciphers[i];
if(!cipherSuiteUsesDH(suite)) {
finalCiphers[numFinalCiphers] = suite;
numFinalCiphers++;
}
}
SSLSetEnabledCiphers(sslContext,finalCiphers,numFinalCiphers);
}
Any and all help would be appreciated.
EDIT: Unfortunately this is an existing project and it still uses version 1 of AFNetworking.
Using SSLSetEnabledCiphers with AFNetworking to disable weak ciphers
OK, this one piqued my interest because its something I do in other languages, but not Cocoa/CocoaTouch. Its been on my TODO list for some time. The answer is you can't do it when working with the high level objects like NSURLConnection
.
I could not find a way to bridge the gap between NSURLConnection
and friends and the low level stuff needed to set the cipher suits. If you are interested, the "highest" the low level stuff goes is CFSocketStream
. So the job is to get NSURLConnection
to work with a CFSocketStream
(or access the CFSocketStream
in the NSURLConnection
).
I also mirrored your question on Apple's Network Programming mailing list, and both Jens and Quinn confirmed it (Quinn provided the info on CFSocketStream
). See Configure socket used by NSURLConnection?.
Also, in case you did not realize it, attempting to modify the properties in -connection:didReceiveAuthenticationChallenge:
is too late. By the time you get the authentication challenge, the handshake is already in progress (i.e., the ClientHello
has already been sent).
If you do manage to find a hack to do it, then please post it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With