Thanks Quinn. FB13755719 filed.
Any updates on this? I have a macOS app that creates a network listener and I need to limit what ciphers are available due to security requirements. It is easy enough to limit the version of TLS, but removing a default cipher doesn't seem to currently be an option.
I want to remove TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 from TLS 1.2 and TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 from TLS 1.3.
I can see what ciphers are available using nmap:
```
nmap -Pn --script ssl-enum-ciphers -p 4116 sra.local
4116/tcp open smartcard-tls
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: C
```
and I set up the listener this way:
```objc
// TLS options: server identity plus a TLS 1.2 floor (no cipher suite restriction yet)
nw_parameters_configure_protocol_block_t configure_tls = NW_PARAMETERS_DISABLE_PROTOCOL;
configure_tls = ^(nw_protocol_options_t tls_options) {
    sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
    sec_identity_t sec_identity = sec_identity_create(identity);
    sec_protocol_options_set_local_identity(sec_options, sec_identity);
    sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
    sec_options = nil;
};

// TCP options: keepalive settings
nw_parameters_configure_protocol_block_t configure_tcp;
configure_tcp = ^(nw_protocol_options_t tcp_options) {
    nw_tcp_options_set_enable_keepalive(tcp_options, true);
    nw_tcp_options_set_keepalive_count(tcp_options, 15);
    nw_tcp_options_set_keepalive_interval(tcp_options, 15);
    nw_tcp_options_set_keepalive_idle_time(tcp_options, 15);
};

parameters = nw_parameters_create_secure_tcp(configure_tls,
                                             configure_tcp);

// Bind to local address and port
const char *address = name; // Treat name as local address if not bonjour
if (localOnly) address = "127.0.0.1";
if (address || port) {
    nw_endpoint_t local_endpoint = nw_endpoint_create_host(address ? address : "::", port ? port : "0");
    nw_parameters_set_local_endpoint(parameters, local_endpoint);
    local_endpoint = nil;
}

nw_listener_t listener = nw_listener_create(parameters);
```
Any guidance would be most appreciated!
I forgot to mention that this is not a sandboxed app, but is hardened (both main and helper app).
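
A compliance check for the requirement described in the posts above, as an added example that is not part of the original thread: it parses nmap `ssl-enum-ciphers` output and reports every suite from the poster's removal list that the listener still offers, per TLS version. The sample text is a constructed excerpt of the scan above; `parse_offered`, `violations` and the `DENIED` table are hypothetical names chosen for this example.

```python
import re

# Constructed sample: a trimmed excerpt of the ssl-enum-ciphers output quoted in the thread.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     cipher preference: client
|_  least strength: C
"""

# Assumed policy: the suites the poster wants removed, keyed by nmap's version label.
DENIED = {
    "TLSv1.2": {"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
    "TLSv1.3": {"TLS_AKE_WITH_CHACHA20_POLY1305_SHA256"},
}

# Both patterns tolerate indented output and output flattened by copy/paste.
VERSION_RE = re.compile(r"^\|[\s_]*((?:TLSv|SSLv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|[\s_]*(TLS_\w+)\s+\(.*\)\s+-\s+([A-F])\s*$")

def parse_offered(text):
    """Return {version: {suite: nmap_grade}} for every suite the scan lists."""
    offered, version = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered[version] = {}
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            offered[version][m.group(1)] = m.group(2)
    return offered

def violations(offered, denied=DENIED):
    """Sorted (version, suite) pairs that are offered but forbidden for that version."""
    return sorted((v, s) for v, suites in offered.items()
                  for s in suites if s in denied.get(v, ()))

if __name__ == "__main__":
    for version, suite in violations(parse_offered(SAMPLE)):
        print(f"FAIL {version}: {suite} is still offered")
```

Run against the full scan in the post, the denylist does not cover TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, which nmap also grades C; add it to `DENIED` if the policy is to drop all 3DES suites.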