Posts

Post marked as solved
2 Replies
909 Views
Hi, I'm working on a Network.framework protocol using the C interface, for a wire protocol which starts plaintext then negotiates to a TLS connection, but I'm having problems specifying the minimum TLS version (on both Big Sur 11.2.3 and Monterey 12.1). Thanks to some very handy answers (in particular, here and here, as well as the WWDC 2019 session 712), I've managed to get the plaintext portion working well. However, when I try to prepend a TLS connection to the framer, I seem to lose the ability to adjust the minimum TLS version. Since the server in question supports TLS versions 1.2 and 1.3 only, I'm getting the following error: [boringssl] boringssl_context_handle_fatal_alert(1763) [C[C5.1:1]:1][0x11e8a5350] read alert, level: fatal, description: protocol version [boringssl] boringssl_session_handshake_incomplete(90) [C[C5.1:1]:1][0x11e8a5350] SSL library error [boringssl] boringssl_session_handshake_error_print(41) [C[C5.1:1]:1][0x11e8a5350] Error: 4320212808:error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-351.40.2/ssl/tls_record.cc:592:SSL alert number 70 [boringssl] nw_protocol_boringssl_handshake_negotiate_proceed(767) [C[C5.1:1]:1][0x11e8a5350] handshake failed at state 12288: not completed This is despite the following code to establish the TLS options: // This is called from inside the input handler, when we receive a packet instructing to change to TLS - (void) configureTLS: (nw_framer_t) framer { // Setup the TLS options: nw_protocol_options_t tlsOptions = nw_tls_create_options(); // Set the various security options: sec_protocol_options_t secOptions = nw_tls_copy_sec_protocol_options( tlsOptions ); sec_protocol_options_set_max_tls_protocol_version( secOptions, tls_protocol_version_TLSv13 ); sec_protocol_options_set_min_tls_protocol_version( secOptions, tls_protocol_version_TLSv12 ); sec_protocol_options_append_tls_ciphersuite_group( secOptions, tls_ciphersuite_group_default ); sec_protocol_options_set_peer_authentication_required( secOptions, false ); // Add TLS to the protocol stack: nw_framer_prepend_application_protocol( framer, tlsOptions ); // PRepare for use: nw_framer_pass_through_input( framer ); nw_framer_pass_through_output( framer ); nw_framer_mark_ready( framer ); } I've sadly not seen any similar errors in my travels so far (other than this, which doesn't seem to help. Any hints how I can force the minimum TLS version?
Posted
by simwilson.
Last updated
.