Post | Replies | Boosts | Views | Activity

How do we create a TLS websocket with Network framework?
    nw_parameters_configure_protocol_block_t configure_tls = ^(nw_protocol_options_t tls_options) {
        sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);

        // PSK and PSK identity as raw ASCII bytes
        NSData *data_psk = [@"abc" dataUsingEncoding:NSASCIIStringEncoding];
        NSData *data_client_id = [@"test" dataUsingEncoding:NSASCIIStringEncoding];
        dispatch_data_t psk = dispatch_data_create([data_psk bytes], [data_psk length], nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
        dispatch_data_t client_id = dispatch_data_create([data_client_id bytes], [data_client_id length], nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);

        // Offer the PSK ciphersuite and register the key and identity
        sec_protocol_options_append_tls_ciphersuite(sec_options, (SSLCipherSuite)TLS_PSK_WITH_AES_256_GCM_SHA384);
        sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);
        sec_protocol_options_set_tls_pre_shared_key_identity_hint(sec_options, client_id);
    };

    // TLS over TCP with the default TCP configuration
    nw_parameters_t parameters = nw_parameters_create_secure_tcp(configure_tls, NW_PARAMETERS_DEFAULT_CONFIGURATION);
    nw_endpoint_t endpoint = nw_endpoint_create_host("127.0.0.1", "8888");

The code above can be used to establish a connection to an endpoint using TLS-PSK, but how do we specify that we wish to use a WebSocket connection? We can specify ws options with nw_ws_create_options, but there's no documentation to guide me on where the nw_protocol_options_t should then be placed. Also, after that is configured, can we expect data to be sent and received with the existing nw_connection_send and nw_connection_receive methods? If you could share some sample code on this implementation it would be very helpful.
Replies: 2 | Boosts: 0 | Views: 865 | Activity: Oct ’21
TLS-PSK isn't working with sec_protocol_options_add_pre_shared_key in iOS 13
    dispatch_data_t psk = dispatch_data_create("test", sizeof("test"), nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
    dispatch_data_t client_id = dispatch_data_create("test", 4, nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
    sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);

Am I doing something wrong? The PSK identity is passed, because I can see it in the packets in Wireshark. Is the PSK expecting a hex value or an ASCII value? Both seem to fail for me when running:

    openssl3 s_server -tls1_2 -accept 8888 -4 -nocert -psk 74657374 -psk_identity=test -no_etm -no_dhe -serverpref -bugs -cipher PSK-AES256-GCM-SHA384 -state -msg -debug

(note that 74657374 is the hex equivalent of 'test', as OpenSSL requires the PSK in hex)
Replies: 1 | Boosts: 0 | Views: 664 | Activity: Oct ’21
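An added example, not part of the original posts: the key buffer in the snippet above is created with a length of sizeof("test"), which is 5 because it counts the terminating NUL, while the server is started with the 4-byte key 74657374. The helper names psk_to_hex and psk_matches_server are hypothetical; the program hex-encodes the exact bytes a given length would hand to dispatch_data_create so they can be compared with the server's -psk argument.

```c
#include <stdio.h>
#include <string.h>

/* Hex-encode `len` key bytes in the lower-case form passed to
 * `openssl s_server -psk`. Returns 0 on success, -1 if `out` is too small. */
int psk_to_hex(const void *key, size_t len, char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    const unsigned char *p = key;
    if (out_size < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return 0;
}

/* Returns 1 if the client key bytes equal the server's hex key, else 0. */
int psk_matches_server(const void *key, size_t len, const char *server_hex)
{
    char hex[2 * 64 + 1];               /* room for keys up to 64 bytes */
    if (psk_to_hex(key, len, hex, sizeof hex) != 0)
        return 0;
    return strcmp(hex, server_hex) == 0;
}

int main(void)
{
    const char *server_hex = "74657374"; /* -psk value from the post */
    char hex[2 * 64 + 1];

    /* Length as written in the post: includes the trailing NUL byte. */
    psk_to_hex("test", sizeof("test"), hex, sizeof hex);
    printf("sizeof: %zu bytes -> %s match=%d\n", sizeof("test"), hex,
           psk_matches_server("test", sizeof("test"), server_hex));

    /* Length without the terminator. */
    psk_to_hex("test", strlen("test"), hex, sizeof hex);
    printf("strlen: %zu bytes -> %s match=%d\n", strlen("test"), hex,
           psk_matches_server("test", strlen("test"), server_hex));
    return 0;
}
```

With a PSK ciphersuite, both sides must hold byte-identical keys, so a one-byte length difference is enough for the handshake to fail.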
How do we set specific extensions for TLS options?
    sec_protocol_options_set_tls_ocsp_enabled(sec_options, false);
    sec_protocol_options_set_tls_sct_enabled(sec_options, false);
    sec_protocol_options_set_peer_authentication_required(sec_options, true);
    sec_protocol_options_set_tls_renegotiation_enabled(sec_options, true);
    sec_protocol_options_set_tls_tickets_enabled(sec_options, true);
    sec_protocol_options_set_tls_resumption_enabled(sec_options, true);
    sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);

This is all we have to work with when using the Network framework, but there's no way to specify, i.e., encrypt-then-mac extensions if we are using CBC ciphersuites. There's very little control considering how messy TLS security can get; surely even the option of setting the raw hex of the TLS extensions appended to what is included above is desirable.
Replies: 1 | Boosts: 0 | Views: 607 | Activity: Oct ’21
Unable to set 'encrypt-then-mac' headers in TLS using network.framework
In order to use TLS-PSK with an iOS device, it seems to require that we use ciphersuites with an ETM header enabled in the TLS handshake; I'm only able to connect to an OpenSSL server when this is enabled. How can I set this header in the Network framework? It can be included by adding {0x00,0x16,0x00,0x00} in the extensions hex dump. Is there a dirty way to include this if there's no API implementation?
Replies: 4 | Boosts: 0 | Views: 1.5k | Activity: Oct ’21