NSURLConnection should offer ability to fine-tune SSL/TLS settings

Originator: marco.piovanelli
Number: rdar://21103000
Date Originated: 2015-05-26
Status:
Resolved:
Product: iOS
Product Version: 8.3
Classification: Enhancement
Reproducible: n/a

For both security and interoperability reasons, I'd like to have some control over the SSL/TLS handshake process when connecting to select hosts over https. In particular, I'd like to:

	1. Prohibit use of older protocol versions (say, any version prior to TLS v1.2);

	2. Prohibit use of weak ciphersuites like those marked "EXPORT" or using the venerable but vulnerable RC4 stream cipher;

	3. Control the priority (order) of enabled ciphersuites;

	4. (For debugging purposes) Figure out which ciphersuite was selected at the end of the negotiation.

I think I can do all of the above if I use CFNetwork in conjunction with Secure Transport, but not if I use a high-level API like NSURLConnection.  Which is a pity, because NSURLConnection gives me so much more than CFNetwork, for free.

STEPS TO REPRODUCE:

Create an NSURLConnection object from an NSURLRequest for https://www.howsmyssl.com/a/check; observe the returned JSON; notice how some of the ciphersuites offered for negotiation are weak and the client is given a "Bad" rating.
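
The check in STEPS TO REPRODUCE can be made repeatable; the following is an added example, not part of the original report, that audits a saved response body against items 1 to 3 of the list above. The JSON field names `tls_version`, `given_cipher_suites` and `rating`, and the sample response itself, are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample response; not output captured from the service.
SAMPLE_RESPONSE = json.dumps({
    "tls_version": "TLS 1.2",
    "rating": "Bad",
    "given_cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    ],
})

WEAK_MARKERS = ("EXPORT", "RC4")   # item 2 of the report
MIN_VERSION = (1, 2)               # item 1: nothing older than TLS v1.2


def parse_version(label):
    """Map 'TLS 1.2' to (1, 2); SSL versions sort below every TLS version."""
    m = re.fullmatch(r"(TLS|SSL)\s*v?(\d+)(?:\.(\d+))?", label.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised protocol label: {label!r}")
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    return (major, minor) if m.group(1).upper() == "TLS" else (0, major)


def is_weak(suite):
    """True if any '_'-separated token starts with a weak marker (EXPORT1024 too)."""
    return any(tok.startswith(WEAK_MARKERS) for tok in suite.upper().split("_"))


def audit(response_text):
    """Check an assumed howsmyssl-style JSON body against items 1 to 3."""
    data = json.loads(response_text)
    suites = data.get("given_cipher_suites", [])
    weak = [(i, s) for i, s in enumerate(suites) if is_weak(s)]
    strong = [i for i, s in enumerate(suites) if not is_weak(s)]
    version_ok = parse_version(data["tls_version"]) >= MIN_VERSION
    return {
        "version_ok": version_ok,
        "weak_suites": weak,  # (position in offered order, name)
        # Item 3: a weak suite offered ahead of some strong one.
        "weak_outranks_strong": bool(weak and strong and weak[0][0] < strong[-1]),
        "reported_rating": data.get("rating"),
        "passes": version_ok and not weak,
    }
```

Item 4, the ciphersuite actually negotiated, is not covered by this check because the assumed fields describe only what the client offered.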
