NSURLSessionStreamTask not using TLS 1.3

Hello,
I'm using NSURLSessionStreamTask to set up a bidirectional network connection.
While sniffing around with Wireshark, I noticed that the connection established with this API uses TLS 1.2. The other NSURLSessionDataTasks my application uses default to TLS 1.3 without any TLS-specific configuration.


I also tried forcing the NSURLSession to use TLS 1.3 by setting the following configuration on the NSURLSessionConfiguration:

    // Pin both ends of the negotiable range to TLS 1.3
    [configuration setTLSMinimumSupportedProtocol:kTLSProtocol13];
    [configuration setTLSMaximumSupportedProtocol:kTLSProtocol13];

However, I noticed no change to the connection in Wireshark when I did this: it continued to negotiate only TLS 1.2. (I also tried the setTLSMinimumSupportedProtocolVersion API.)

Is there a different way to configure TLS for NSURLSessionStreamTask versus the other types of NSURLSessionTask? Is there anything else to try?

Replies

I am assuming so, but I wanted to ask: the NSURLSessionDataTask requests are going to the same server where the TLS 1.3 connection is falling back to TLS 1.2 for NSURLSessionStreamTask, correct?


You mentioned that you were looking at the traffic with Wireshark. This might actually tell us a bit about the issue. After the SYN -> SYN, ACK -> ACK sequence between the client and server, do you see a potential exchange of ciphers and a client/server hello? In the client hello, do you see a field in the packet called supported_versions? If you see a supported_versions value for TLS 1.3 (0x0304) AND you see a list of ciphers supported by TLS 1.3 in the Cipher Suites packet field (TLS_CHACHA20_POLY1305_SHA256, TLS_AES_256_GCM_SHA384) in the client hello packet, then you may want to take a look at your server. Your server could potentially be failing to negotiate this connection for some reason.

Yeah, that is quite weird. You should definitely file a bug against NSURLSessionStreamTask. Please post the bug number, just for the record.

And in the meantime, if you need TLS 1.3 over TCP then I'm going to recommend NWConnection. I just ran a quick test and it definitely attempts a TLS 1.3 connection.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
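As an added example (not code from the original thread or from Apple), the following Swift command-line program does what the post above recommends: it opens a TCP connection with NWConnection, pins the negotiable range to TLS 1.3 only, and then reads the negotiated protocol version back from the connection's TLS metadata so you can confirm in-process what Wireshark would show on the wire. The host and port are placeholders; substitute the server you are testing against.

```swift
// Added example, not from the original post.
// Connect with NWConnection, require TLS 1.3, and report what was negotiated.
import Foundation
import Network

// Placeholders (assumptions): point these at the server under test.
let host: NWEndpoint.Host = "example.com"
let port: NWEndpoint.Port = 443

// Restrict TLS to 1.3 on both ends of the range. This is the NWConnection
// equivalent of setTLSMinimumSupportedProtocol:/setTLSMaximumSupportedProtocol:.
let tlsOptions = NWProtocolTLS.Options()
sec_protocol_options_set_min_tls_protocol_version(tlsOptions.securityProtocolOptions, .TLSv13)
sec_protocol_options_set_max_tls_protocol_version(tlsOptions.securityProtocolOptions, .TLSv13)

let parameters = NWParameters(tls: tlsOptions)
let connection = NWConnection(host: host, port: port, using: parameters)
let finished = DispatchSemaphore(value: 0)

/// Returns true if the established connection's TLS metadata reports TLS 1.3.
func negotiatedTLS13(on connection: NWConnection) -> Bool {
    guard let metadata = connection.metadata(definition: NWProtocolTLS.definition)
            as? NWProtocolTLS.Metadata else {
        return false
    }
    let version = sec_protocol_metadata_get_negotiated_tls_protocol_version(metadata.securityProtocolMetadata)
    let suite = sec_protocol_metadata_get_negotiated_tls_ciphersuite(metadata.securityProtocolMetadata)
    // 0x0304 is TLS 1.3, the same value Wireshark shows in supported_versions.
    print(String(format: "negotiated version 0x%04x, ciphersuite 0x%04x", version.rawValue, suite.rawValue))
    return version == .TLSv13
}

connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        print("TLS 1.3 negotiated: \(negotiatedTLS13(on: connection))")
        connection.cancel()
    case .failed(let error):
        // With min == max == TLS 1.3 there is no silent fallback to 1.2:
        // a server that cannot do 1.3 fails the handshake here instead.
        print("connection failed: \(error)")
        connection.cancel()
    case .cancelled:
        finished.signal()
    default:
        break
    }
}

connection.start(queue: DispatchQueue(label: "tls13-probe"))
finished.wait()
```

Running this while capturing with Wireshark lets you compare the two views: the ClientHello from this connection should carry a supported_versions extension containing 0x0304, and a server that only speaks TLS 1.2 will produce a handshake failure rather than a downgraded session, which is the behaviour the pinned NSURLSessionConfiguration did not deliver for the stream task.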

>> I am assuming so but I wanted to ask; The NSURLSessionDataTasks requests are going to the same server where the TLS 1.3 connection is falling back to TLS 1.2 for NSURLSessionStreamTask, correct?
Yes.
>> In the client hello do you see a field in the packet called supported_versions?
For the TLS 1.3 DataTask requests, I see the supported_versions block in the Client Hello message. For the StreamTask requests that only seem to negotiate TLS 1.2, this supported_versions block is *missing* from the Client Hello.

If this is the case, then I agree with Quinn that you should file a bug on this.

> For the StreamTask requests that only seem to negotiate TLS 1.2, this supported_versions block is *missing* from the Client Hello.