Posts

Post marked as solved
7 Replies
Any updates on this? I have a macOS app that creates a network listener and I need to limit what ciphers are available due to security requirements. It is easy enough to limit the version of TLS, but removing a default cipher doesn't seem to currently be an option. I want to remove TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 from TLS 1.2 and TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 from TLS 1.3.

I can see what ciphers are available using nmap:

    nmap -Pn --script ssl-enum-ciphers -p 4116 sra.local

    4116/tcp open smartcard-tls
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: client
    |     warnings:
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |   TLSv1.3:
    |     ciphers:
    |       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
    |     cipher preference: client
    |_  least strength: C

and I set up the listener this way:

    nw_parameters_configure_protocol_block_t configure_tls = NW_PARAMETERS_DISABLE_PROTOCOL;
    configure_tls = ^(nw_protocol_options_t tls_options) {
        sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
        sec_identity_t sec_identity = sec_identity_create(identity);
        sec_protocol_options_set_local_identity(sec_options, sec_identity);
        sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
        sec_options = nil;
    };

    nw_parameters_configure_protocol_block_t configure_tcp;
    configure_tcp = ^(nw_protocol_options_t tcp_options) {
        nw_tcp_options_set_enable_keepalive(tcp_options, true);
        nw_tcp_options_set_keepalive_count(tcp_options, 15);
        nw_tcp_options_set_keepalive_interval(tcp_options, 15);
        nw_tcp_options_set_keepalive_idle_time(tcp_options, 15);
    };

    parameters = nw_parameters_create_secure_tcp(configure_tls, configure_tcp);

    // Bind to local address and port
    const char *address = name; // Treat name as local address if not bonjour
    if (localOnly)
        address = "127.0.0.1";
    if (address || port) {
        nw_endpoint_t local_endpoint = nw_endpoint_create_host(address ? address : "::", port ? port : "0");
        nw_parameters_set_local_endpoint(parameters, local_endpoint);
        local_endpoint = nil;
    }

    nw_listener_t listener = nw_listener_create(parameters);

Any guidance would be most appreciated!
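A check that can be rerun after each change to the listener's TLS options, as an added example that is not part of the original post: it parses `ssl-enum-ciphers` output like the scan quoted above and reports every suite that is on the poster's removal list or that nmap grades below A. The function names, the `DENIED` table layout and the grade threshold are assumptions of this example.

```python
import re

# Suites the post wants removed, keyed by the version label nmap prints.
DENIED = {
    "TLSv1.2": {"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
    "TLSv1.3": {"TLS_AKE_WITH_CHACHA20_POLY1305_SHA256"},
}
VERSION_RE = re.compile(r"^[|_\s]*((?:TLSv|SSLv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^[|_\s]*(TLS_\w+) \(.*?\) - ([A-F])\s*$")

def parse_ssl_enum_ciphers(text):
    """Return {version: [(suite, grade), ...]} from ssl-enum-ciphers output."""
    offered, version = {}, None
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            version = m.group(1)
            offered[version] = []
        elif version and (m := CIPHER_RE.match(line)):
            offered[version].append((m.group(1), m.group(2)))
    return offered

def audit(offered, denied=DENIED, min_grade="A"):
    """Return (version, suite, reason) for each denied or low-graded suite."""
    findings = []
    for version, suites in offered.items():
        for suite, grade in suites:
            if suite in denied.get(version, ()):
                findings.append((version, suite, "denied by policy"))
            elif grade > min_grade:  # letters sort A (best) to F (worst)
                findings.append((version, suite, f"nmap grade {grade}"))
    return findings

# Sample: subset of the scan quoted in the post, re-broken into lines.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|_  least strength: C
"""

for finding in audit(parse_ssl_enum_ciphers(SAMPLE)):
    print(*finding, sep="  ")
```

An empty result from `audit` means the scanned listener no longer offers any suite on the list or below the grade threshold.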
Post not yet marked as solved
2 Replies
I forgot to mention that this is not a sandboxed app, but is hardened (both main and helper app).