
I am trying to disable some ciphers (weak) such as single DES, single DES 40 bit etc.

I've tried using this bit of code from "How does one set SSL ciphers when using CFSocket/CFStream in Cocoa?" and from the mailing list message "CFNetwork SSL and long blocking delays", but I need access to socket data to get the CFDataRef.

Here is the code that I tried to insert in the handshake method in AFURLConnectionOperation class:

    - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
        // `sock` comes from the linked snippet; NSURLConnection does not expose it
        CFReadStreamRef stream = [sock getCFReadStream];
        CFDataRef data = CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);

        // Extract the SSLContextRef from the CFData
        SSLContextRef sslContext;
        CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), (UInt8 *)&sslContext);

        // Get all enabled ciphers
        size_t numCiphers;
        SSLGetNumberEnabledCiphers(sslContext, &numCiphers);
        SSLCipherSuite ciphers[numCiphers];
        SSLGetEnabledCiphers(sslContext, ciphers, &numCiphers);

        // Create a new cipher array with only non-DH ciphers, and set it
        // (cipherSuiteUsesDH is a helper from the linked snippet, not shown here)
        SSLCipherSuite finalCiphers[numCiphers];
        size_t numFinalCiphers = 0;
        for (size_t i = 0; i < numCiphers; i++) {
            SSLCipherSuite suite = ciphers[i];
            if (!cipherSuiteUsesDH(suite)) {
                finalCiphers[numFinalCiphers] = suite;
                numFinalCiphers++;
            }
        }
        SSLSetEnabledCiphers(sslContext, finalCiphers, numFinalCiphers);

        // CFReadStreamCopyProperty follows the Copy rule, so release the CFData
        CFRelease(data);
    }

Any and all help would be appreciated.

EDIT: Unfortunately this is an existing project and it still uses version 1 of AFNetworking.

ManicMonkOnMac
  • Also see [Securing iOS Applications](http://jan0.free.fr/208_securing_ios_applications.pdf). It looks like an interesting talk. – jww Jul 29 '14 at 19:06
  • Hi, thanks for the response. I figured as much, that they are different levels of API, and hoped that there might be a bridge somewhere. I already went through the video; I am hoping to find the sample code, though. Is there any other way to disable ciphers? – ManicMonkOnMac Jul 29 '14 at 19:36
  • I am trying to do the same thing. So far I have found a way to do that: https://twitter.com/abelenko/status/437266477436002304 https://gist.github.com/belenko/d9c29ffbf2dca8a3dd0c but this uses private APIs and, as is said in the comments to the tweet, it leads to rejection of the app in the App Store. – user1264176 Jul 30 '14 at 07:35

1 Answer

Using SSLSetEnabledCiphers with AFNetworking to disable weak ciphers

OK, this one piqued my interest because it's something I do in other languages, but not Cocoa/CocoaTouch. It's been on my TODO list for some time. The answer is you can't do it when working with the high level objects like NSURLConnection.

I could not find a way to bridge the gap between NSURLConnection and friends and the low level stuff needed to set the cipher suites. If you are interested, the "highest" the low level stuff goes is CFSocketStream. So the job is to get NSURLConnection to work with a CFSocketStream (or access the CFSocketStream in the NSURLConnection).

I also mirrored your question on Apple's Network Programming mailing list, and both Jens and Quinn confirmed it (Quinn provided the info on CFSocketStream). See "Configure socket used by NSURLConnection?".

Also, in case you did not realize it, attempting to modify the properties in -connection:didReceiveAuthenticationChallenge: is too late. By the time you get the authentication challenge, the handshake is already in progress (i.e., the ClientHello has already been sent).

If you do manage to find a hack to do it, then please post it.

jww
  • I have found a hack on the internet to accomplish that. Please see my comment on the OP's question. I have also read your question on the mailing list. It is very unfortunate that there is no API to instruct NSURLConnection to use specific cipher suites, or at least a minimum SSL/TLS protocol version, if we don't have access to the underlying sockets. :( – user1264176 Jul 30 '14 at 07:44
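
The filtering step from the question's loop, as an added example (not code from the posts above or from AFNetworking): it replaces the undefined `cipherSuiteUsesDH` predicate with one that matches the single-DES and DES40 suites by their IANA code points. `suite_t`, `suite_is_weak_des` and `filter_weak_des` are hypothetical names; `suite_t` stands in for `SSLCipherSuite`, and the filtered list is only usable where an `SSLContextRef` can be reached before the handshake starts, which the answer says `NSURLConnection` does not offer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for Secure Transport's SSLCipherSuite so the
   example compiles without Apple's headers. */
typedef uint32_t suite_t;

/* IANA TLS code points for the single-DES and 40-bit export DES suites
   (the ciphers named in the question). 3DES suites are not listed. */
static const suite_t kWeakDES[] = {
    0x0008, /* RSA_EXPORT_WITH_DES40_CBC_SHA     */
    0x0009, /* RSA_WITH_DES_CBC_SHA              */
    0x000B, /* DH_DSS_EXPORT_WITH_DES40_CBC_SHA  */
    0x000C, /* DH_DSS_WITH_DES_CBC_SHA           */
    0x000E, /* DH_RSA_EXPORT_WITH_DES40_CBC_SHA  */
    0x000F, /* DH_RSA_WITH_DES_CBC_SHA           */
    0x0011, /* DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
    0x0012, /* DHE_DSS_WITH_DES_CBC_SHA          */
    0x0014, /* DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
    0x0015, /* DHE_RSA_WITH_DES_CBC_SHA          */
    0x0019, /* DH_anon_EXPORT_WITH_DES40_CBC_SHA */
    0x001A, /* DH_anon_WITH_DES_CBC_SHA          */
};

/* Returns 1 if the suite is single DES or DES40, else 0. */
int suite_is_weak_des(suite_t s) {
    for (size_t i = 0; i < sizeof kWeakDES / sizeof kWeakDES[0]; i++)
        if (kWeakDES[i] == s) return 1;
    return 0;
}

/* Copies the suites worth keeping from in[0..n) to out, preserving the
   preference order; returns the count kept. out may alias in. */
size_t filter_weak_des(const suite_t *in, size_t n, suite_t *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!suite_is_weak_des(in[i])) out[kept++] = in[i];
    return kept;
}

int main(void) {
    /* Constructed sample list, not taken from a real SSLContextRef. */
    suite_t enabled[] = {0x0009, 0x002F, 0x0014, 0xC02F, 0x000A};
    size_t n = filter_weak_des(enabled, 5, enabled);
    for (size_t i = 0; i < n; i++) printf("0x%04X\n", (unsigned)enabled[i]);
    return 0;
}
```

With Secure Transport, the `in` array would come from `SSLGetEnabledCiphers` and the filtered result would go to `SSLSetEnabledCiphers`, as in the question's loop.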