Posts

Post not yet marked as solved
6 Replies
2.7k Views
I'm investigating the new network framework for use in a server scenario. I can write a trivial server with no security that detects a tls/ssl clientHello and then reports that security was needed. Likewise I can write the server code so that it is preconfigured with a certificate so as to use an appropriate level of security. However, I currently can't see how I'd go about configuring the security of the protocol with some sort of bypass/fallback so as to say: if no "clientHello" is received then treat comms as *****/insecure and continue? (and yes, I'd later check the tls status of the connection to decide what is appropriate to do...) Am I missing something in the API, or are my requirements a bit of an outlier?
Post marked as solved
3 Replies
1.9k Views
I'm writing a toy http server using CFNetwork/CFStream/SecureTransport. It's been a fun exercise and http/https is all working fine.

I've now moved on to adding http2, and thus I want to support ALPN so clients can detect 'h2' support.

When connecting to my server via Safari I can see the ALPN data from Safari on the wire, e.g. "\2h2\5h2-16\5h2-15\5h2-14\10spdy/3.1\6spdy/3\10http/1.1\0", and upon the first kCFStreamEventHasBytesAvailable I can dump the SSL/TLS info from the stream, which correctly says the expected protocol and cipher.

However, when I also add the following to investigate the ALPN data within the SSLContext:

    SSLContextRef secContext = (SSLContextRef)CFReadStreamCopyProperty(readStream, kCFStreamPropertySSLContext);
    CFArrayRef protocols = NULL;
    OSStatus err = SSLCopyALPNProtocols(secContext, &protocols);

then protocols remains NULL, and err is always errSecParam.

Given I actually have TLS/SSL working, the failure of the ALPN calls to do anything useful makes me wonder if ALPN is actually implemented in SecureTransport for server usage... or am I doing something wrong, or is this framework being deprecated and should I be using something else, i.e. the nw_* framework?

The above represents testing; the true objective is to use SSLSetALPNProtocols() to set "h2" as a server protocol at the same point in my code where I add certificates and enable TLS/SSL, but this seems to have no effect...

In other investigation I've tried adding SSLSetALPNProtocols() and SSLCopyALPNProtocols() into Apple's own TLSTool code, again with no useful outcome.

Tested on 10.14.4