(in objective-c, not swift), I have tried prepending the websocket options with nw_protocol_stack_prepend_application_protocol to my existing tls/tcp parameters but it is failing to upgrade the connection status and throwing an error. I cannot find any good examples or documentation on the Apple developer forums for this. Why do none of the functions have examples?
Post
Replies
Boosts
Views
Activity
nw_parameters_configure_protocol_block_t configure_tls = ^(nw_protocol_options_t tls_options) {
sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
NSData *data_psk = [@"abc" dataUsingEncoding:NSASCIIStringEncoding];
NSData *data_client_id = [@"test" dataUsingEncoding:NSASCIIStringEncoding];
dispatch_data_t psk = dispatch_data_create([data_psk bytes], [data_psk length], nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
dispatch_data_t client_id = dispatch_data_create([data_client_id bytes], [data_client_id length], nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
sec_protocol_options_append_tls_ciphersuite(sec_options, (SSLCipherSuite)TLS_PSK_WITH_AES_256_GCM_SHA384);
sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);
sec_protocol_options_set_tls_pre_shared_key_identity_hint(sec_options, client_id);
nw_parameters_t parameters = nw_parameters_create_secure_tcp(configure_tls, NW_PARAMETERS_DEFAULT_CONFIGURATION);
nw_endpoint_t endpoint = nw_endpoint_create_host("127.0.0.1", "8888");
The code above can be used to establish a connection to an endpoint
using TLS-PSK but how do we specify the options that we wish to use a
WebSocket connection? if we specify ws options with nw_ws_create_options but there's no documentation to guide me where the nw_protocol_options_t should then be placed- also; after that is configured can we expect data to send and receive with the existing nw_connection_send and nw_connection_receive methods? If you could share some sample code on this implementation it would be very helpful.
In order to use TLS-PSK with an iOS device, it seems to require that we use ciphersuites with an ETM header enabled in the TLS handshake- I'm only able to connect to an OpenSSL server when this is enabled.
How can I set this header in the network framework? It can be included by adding {0x00,0x16,0x00,0x00} in the extensions hex dump, is there a dirty way to include this if there's no API implementation?
dispatch_data_t psk = dispatch_data_create("test", sizeof("test"), nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
dispatch_data_t client_id = dispatch_data_create("test", 4, nil, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);
Am I doing something wrong? the PSK identity is passed because I can see that in the packets in wireshark, is the PSK expecting a hex value or an ASCII value? both seem to fail for me when running:
openssl3 s_server -tls1_2 -accept 8888 -4 -nocert -psk 74657374 -psk_identity=test -no_etm -no_dhe -serverpref -bugs -cipher PSK-AES256-GCM-SHA384 -state -msg -debug (not that 74657374 is the hex equivilant of 'test' as OpenSSL requires the PSK in hex)
sec_protocol_options_set_tls_ocsp_enabled(sec_options, false);
sec_protocol_options_set_tls_sct_enabled(sec_options, false);
sec_protocol_options_set_peer_authentication_required(sec_options, true);
sec_protocol_options_set_tls_renegotiation_enabled(sec_options, true);
sec_protocol_options_set_tls_tickets_enabled(sec_options, true);
sec_protocol_options_set_tls_resumption_enabled(sec_options, true);
sec_protocol_options_add_pre_shared_key(sec_options, psk, client_id);
This is all we have to work with when using the network framework but there's no way to specify i.e. encrypt-then-mac extensions if we are using CBC ciphersuites, there's very little control considering how messy TLS security can get- surely even the option of setting the raw hex of the TLS extensions appended to what is included above is desirable.