Thanks for the link to that Technote. I'll take a proper look at that later today.
I'm not familiar with CFSocketStream so this might be a stupid question, but does it have HTTP/2 support as with NSURLSession?
The reason I'd like to be able to specify the cipher suites is that even when I try to restrict the available cipher suites on the server side, the macOS client still signals that it's happy with cipher suites that use forward secrecy, so a cipher suite with forward secrecy is what ends up being used.
I've got a barebones HTTP/2 server here (written in Go) that I've been testing with: https://github.com/hamchapman/http2-barebones-server
I tried adding this code to restrict the cipher suites on the server but it still ended up using one with forward secrecy:
package http2test
import (
"crypto/tls"
"net/http"
"github.com/zimbatm/httputil2"
)
// Server bundles the request multiplexer, the middleware list and the
// underlying net/http server into one value. All three are embedded, so their
// exported fields and methods are promoted onto Server.
//
// NewServer fills the struct by position, so the field order below must stay
// in step with that literal.
type Server struct {
// Muxer is declared elsewhere in this package; NewServer stores the value
// returned by newServeMux here.
Muxer
// MiddlewareList has the mux assigned to its Handler field in NewServer.
// NOTE(review): Chain, used in ListenAndServeTLS, presumably comes from
// this type; confirm against httputil2.
*httputil2.MiddlewareList
// Server is the standard library server that carries TLSConfig. Its
// ListenAndServeTLS is shadowed by the method of the same name on *Server.
*http.Server
}
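// NewServer returns a Server whose middleware list wraps the package mux and
// registers httputil2's CleanPath, Gzip and Recovery middlewares, and whose
// TLS configuration offers only static-RSA AES cipher suites.
//
// The suite list leaves out every (EC)DHE suite on purpose, so a connection
// negotiated from it has no forward secrecy: whoever later obtains the
// server's private key can decrypt recorded traffic. Use this configuration
// on a test server only.
//
// NOTE(review): RFC 7540 section 9.2.2 requires HTTP/2 over TLS 1.2 to support
// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and its Appendix A lists every
// TLS_RSA_* suite as prohibited for HTTP/2. A list made only of static-RSA
// suites is therefore at odds with serving HTTP/2; how net/http's HTTP/2
// setup reacts (rejecting the config or adding the required suite) depends on
// the Go version, so check what is actually negotiated.
//
// NOTE(review): CipherSuites applies to TLS 1.0-1.2 only. On Go versions with
// TLS 1.3 support the TLS 1.3 suites are not configurable and always use
// ephemeral key exchange, so a TLS 1.3 handshake has forward secrecy whatever
// this list says.
func NewServer() *Server {
	mux := newServeMux()

	ml := &httputil2.MiddlewareList{}
	ml.Handler = mux
	ml.Use(
		httputil2.CleanPathMiddleware(),
		// -1 is presumably the default gzip compression level; confirm
		// against httputil2.
		httputil2.GzipMiddleware(-1),
		httputil2.RecoveryMiddleware(httputil2.DefaultCallback),
	)

	server := &http.Server{
		// InsecureSkipVerify is deliberately not set: crypto/tls consults it
		// only on the client side, so on a server it changes nothing, and it
		// would silently disable certificate verification if this config were
		// ever cloned for an outbound connection.
		TLSConfig: &tls.Config{
			// RC4 and 3DES suites are deliberately absent: RC4 is prohibited
			// in TLS by RFC 7465, and 3DES's 64-bit block is exposed to
			// birthday attacks (Sweet32).
			CipherSuites: []uint16{
				tls.TLS_RSA_WITH_AES_128_CBC_SHA,
				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
				tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			},
		},
	}

	// Keyed fields keep the literal correct even if Server's field order
	// changes.
	return &Server{
		Muxer:          mux,
		MiddlewareList: ml,
		Server:         server,
	}
}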
// ListenAndServeTLS installs the handler returned by s.Chain() on the embedded
// http.Server and then starts serving TLS with the given certificate and key
// files. It returns whatever error the embedded server's ListenAndServeTLS
// returns.
func (s *Server) ListenAndServeTLS(certFile string, keyFile string) error {
	// The handler is assigned here, at serve time, not in NewServer.
	srv := s.Server
	srv.Handler = s.Chain()
	return srv.ListenAndServeTLS(certFile, keyFile)
}