Hi, I am trying to set up a TLS WebSocket server, but I am getting NO_SHARED_CIPHER during the handshake. The plain WS server connects properly, but I need a WSS version of it. I believe I am missing some sort of certificate (maybe a P12?), but I have never set up TLS before. How do I import certificates, or which sec_protocol_options should I use?
My current TLS code is this:
/// Creates the TLS (wss) WebSocket listener and stores its port, parameters and listener.
///
/// - Parameter port: Not read by this initializer; the listener is always bound to 15882.
///   NOTE(review): confirm whether the argument was meant to select the port.
init(port: UInt16) {
    // Port plan from the original author: 15881 serves ws, 15882 serves wss.
    self.port = NWEndpoint.Port(rawValue: 15882)!

    // NOTE(review): the pre-shared key and its identity are the literal "1234" compiled
    // into the binary. A short, guessable PSK gives the TLS session no real
    // authentication; load a high-entropy secret from protected storage before this
    // listens on anything other than a test network.
    let tlsQueue = DispatchQueue(label: "mqtt")
    let listenerParameters = NWParameters(
        tls: SwiftWebSocketServer.tlsOptions(psk: "1234", pskIdentity: "1234", queue: tlsQueue)
    )
    // Plain-ws variant kept from the original for reference: NWParameters(tls: nil)
    listenerParameters.allowLocalEndpointReuse = true
    listenerParameters.includePeerToPeer = true

    // WebSocket framing goes at index 0 of the application protocols.
    let webSocketOptions = NWProtocolWebSocket.Options()
    webSocketOptions.autoReplyPing = true
    listenerParameters.defaultProtocolStack.applicationProtocols.insert(webSocketOptions, at: 0)

    parameters = listenerParameters
    // NOTE(review): `try!` traps if the listener cannot be created; surfacing the
    // error would need a throwing or failable initializer, which changes the interface.
    listener = try! NWListener(using: listenerParameters, on: self.port)
}
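/// Builds TLS options for a listener that authenticates peers with a pre-shared key (TLS-PSK).
///
/// The key given to the TLS stack is not `psk` itself: it is HMAC-SHA256 over the fixed
/// label "1234", keyed with the UTF-8 bytes of `psk`. The derived bytes are the same as
/// before this rewrite, so peers that derive their key the same way keep working.
///
/// Only the four TLS_PSK_* ciphersuites below are appended. NO_SHARED_CIPHER means the
/// two sides had no ciphersuite in common, so a peer that does not offer a PSK suite
/// will presumably fail against this configuration. Certificate-based wss would instead
/// need a server identity (see `sec_protocol_options_set_local_identity`); nothing in
/// this function installs one.
///
/// - Parameters:
///   - psk: Shared secret; its UTF-8 bytes key the HMAC. Must be high-entropy to be useful.
///   - pskIdentity: Identity registered alongside the key, sent as UTF-8 bytes.
///   - queue: Queue passed to the verify block registration.
/// - Returns: TLS options with minimum version, ciphersuites, verify block and PSK set.
private static func tlsOptions(psk: String, pskIdentity: String, queue: DispatchQueue) -> NWProtocolTLS.Options {
    let options = NWProtocolTLS.Options()
    let securityOptions = options.securityProtocolOptions

    // Derive the PSK bytes. `Data(_.utf8)` cannot fail, unlike `data(using:)!`.
    let authenticationKey = SymmetricKey(data: Data(psk.utf8))
    let authenticationCode = HMAC<SHA256>.authenticationCode(for: Data("1234".utf8), using: authenticationKey)
    let pskDispatchData = authenticationCode.withUnsafeBytes { (buffer: UnsafeRawBufferPointer) in
        DispatchData(bytes: buffer)
    }
    let pskIdentityDispatchData = Data(pskIdentity.utf8).withUnsafeBytes { (buffer: UnsafeRawBufferPointer) in
        DispatchData(bytes: buffer)
    }

    sec_protocol_options_set_min_tls_protocol_version(securityOptions, .TLSv12)

    // Same suites, same order as before.
    // NOTE(review): the two CBC suites are not AEAD; consider keeping only the GCM
    // suites once every peer is known to support them.
    let pskCiphersuites = [
        TLS_PSK_WITH_AES_128_CBC_SHA256,
        TLS_PSK_WITH_AES_128_GCM_SHA256,
        TLS_PSK_WITH_AES_256_CBC_SHA384,
        TLS_PSK_WITH_AES_256_GCM_SHA384,
    ]
    for suite in pskCiphersuites {
        sec_protocol_options_append_tls_ciphersuite(
            securityOptions,
            tls_ciphersuite_t(rawValue: UInt16(suite))!
        )
    }

    // Fail closed: the verdict is exactly the result of trust evaluation. The original
    // had a local `allowInsecure = true` that completed verification with `true` even
    // when evaluation failed, so any certificate chain a peer presented was accepted.
    sec_protocol_options_set_verify_block(securityOptions, { (_, peerTrust, complete) in
        let trust = sec_trust_copy_ref(peerTrust).takeRetainedValue()
        complete(SecTrustEvaluateWithError(trust, nil))
    }, queue)

    // Peers are not required to present a certificate; authentication rests on the PSK.
    sec_protocol_options_set_peer_authentication_required(securityOptions, false)
    sec_protocol_options_add_pre_shared_key(
        securityOptions,
        pskDispatchData as __DispatchData,
        pskIdentityDispatchData as __DispatchData
    )
    return options
}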
``