On a related note, I am looking to return the certificate chain of trust. I posted that here: https://forums.developer.apple.com/forums/thread/758154

It worked. In nw_connection_set_state_changed_handler, i did this: if (state == nw_connection_state_ready) { fprintf(stderr, "Connection to %s port %u (%s) succeeded!\n", nw_endpoint_get_hostname(remote), nw_endpoint_get_port(remote), "tcp"); nw_protocol_definition_t definition=nw_protocol_copy_tls_definition(); if (definition==0){ tcslogdebug(@"nw_protocol_copy_tls_definition failed. Dropping."); [self disconnect]; return; } nw_protocol_metadata_t metadata = nw_connection_copy_protocol_metadata(connection, definition); if (metadata==0){ tcslogdebug(@"nw_connection_copy_protocol_metadata failed. Dropping."); [self disconnect]; return; } sec_protocol_metadata_t sec_metadata = nw_tls_copy_sec_protocol_metadata(metadata); if (sec_metadata == 0){ tcslogdebug(@"nw_tls_copy_sec_protocol_metadata failed. Dropping."); [self disconnect]; return; } tls_ciphersuite_t ciphersuite = sec_protocol_metadata_get_negotiated_tls_ciphersuite(sec_metadata); tcslogdebug(@"ciphersuite: 0x%x",ciphersuite); if (ciphersuite==0 || ciphersuite == 0xFFFF){ tcslogdebug(@"sec_protocol_metadata_get_negotiated_tls_ciphersuite failed. Dropping."); [self disconnect]; return; } switch (ciphersuite) { case tls_ciphersuite_RSA_WITH_3DES_EDE_CBC_SHA: case tls_ciphersuite_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: case tls_ciphersuite_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: tcslogdebug(@"disallowed cipher suite. dropping"); [self disconnect]; return; break; default: break; }

Thanks Quinn. FB13755719 filed.

Any updates on this? I have a macOS app that creates a network listener and I need to limit what ciphers are available due to security requirements. It is easy enough to limit the version of TLS, but removing a default cipher doesn't seem to currently be an option. I want to remove TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 from TLS1v.2 and TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 from TLS 1.3. I can see what ciphers are available using nmap: nmap -Pn --script ssl-enum-ciphers -p 4116 sra.local 4116/tcp open smartcard-tls | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | compressors: | NULL | cipher preference: client | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack | TLSv1.3: | ciphers: | TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A | cipher preference: client |_ least strength: C and I set up the listener this way: nw_parameters_configure_protocol_block_t configure_tls = NW_PARAMETERS_DISABLE_PROTOCOL; configure_tls = ^(nw_protocol_options_t tls_options) { sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options); sec_identity_t sec_identity=sec_identity_create(identity); sec_protocol_options_set_local_identity(sec_options, sec_identity); sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12); sec_options=nil; }; nw_parameters_configure_protocol_block_t configure_tcp; configure_tcp = ^(nw_protocol_options_t tcp_options) { nw_tcp_options_set_enable_keepalive(tcp_options,true); nw_tcp_options_set_keepalive_count(tcp_options, 15); nw_tcp_options_set_keepalive_interval(tcp_options, 15); nw_tcp_options_set_keepalive_idle_time(tcp_options, 15); }; parameters = nw_parameters_create_secure_tcp(configure_tls, configure_tcp); // Bind to local address and port const char *address = name; // Treat name as local address if not bonjour if (localOnly) address="127.0.0.1"; if (address || port) { nw_endpoint_t local_endpoint = nw_endpoint_create_host(address?address:"::",port?port:"0" ); nw_parameters_set_local_endpoint(parameters, local_endpoint); local_endpoint=nil; } nw_listener_t listener = nw_listener_create(parameters); Any guidance would be most appreciated!