Unable to set SSLContext on NSURLConnection and friends

Originator:noloader
Number:rdar://17904439 Date Originated:Aug 04, 2014
Status:Open Resolved:
Product:iOS SDK Product Version:7.1
Classification:Serious Bug Reproducible:Always
 
Summary:
I want to ensure my high level objects, like NSURLConnection, use approved protocols and cipher suites.

For example, I want my NSURLConnection to use TLS 1.0, 1.1 and 1.2 protocols. In addition I want to use the following cipher suites:

  * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            
  * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  * TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  * TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
            
  * TLS_DHE_RSA_WITH_AES_256_CBC_SHA384
  * TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            
  * TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  * SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
  * SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA

For certain versions of SecureTransport, I need to remove TLS_ECDHE_ECDSA_* due to interop issues. I believe the problematic versions of SecureTransport include OS X 10.8 - 10.8.4 and iOS 7 - iOS 7.3.

Further, TLS 1.3 looks like it will be removing RSA transport schemes and DSS schemes. So they will need to be removed from the list as well.

Finally, keeping the cipher suite list small ensures the ClientHello is *not* dropped by broken appliances with a small fixed size buffer like F5 and IronPort. 16 cipher suites take 32 bytes, while a ClientHello with the full-blown Cipher Suite Zoo offers over 80 cipher suites and needs over 160 bytes.

We can do those things on an SSLContext, but we have no way to associate the context with the high level object.

Please provide a way to use a properly configured SSL context with a high level object, like NSURLConnection.

Related reading: "Configure socket used by NSURLConnection?", https://lists.apple.com/archives/macnetworkprog/2014/Jul/msg00072.html.

Steps to Reproduce:
Use an NSURLConnection, attempt to set SSL protocols and cipher suites.

Expected Results:
The ability to tune SSL protocols and cipher suites.

Actual Results:
No ability to tune SSL protocols and cipher suites.

Version:
iOS 7.1.2 (11D257)

Notes:
Please help. In the post-Snowden era, we have to be especially vigilant.

Configuration:
iPhone 4, MD146LL/A

Attachments:

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!