How does one set SSL ciphers when using CFSocket/CFStream in Cocoa?


Question

I recently needed to configure CocoaHttpServer, which we're using in our application with success, to handle HTTPS connections coming from a client application (running on Android devices). This is fine - there is copious sample code which allows for this, and we were able to enable the secure server without issue.

In practice we were seeing incredibly long SSL negotiation phases while the client was doing its handshaking with our server - upwards of 70 seconds.

Through a long series of searches, I found that the delay was because of the calculation of Diffie-Hellman parameters used by default when SSL is enabled in CFSocket. This thread is where I first started to find the answer to my issue.

To match what our Windows server was doing (using a less-secure SSL cipher) I needed to set the cipher explicitly on the Mac, which isn't easy when using AsyncSocket as a wrapper for the socket communications.

Our Windows server was using: TLS_RSA_WITH_RC4_128_MD5 (0x04), RC4 128 bits, MD5, RSA

Our Macintosh server was using: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x039), AES 256 bits, SHA-1, ephemeral Diffie-Hellman key exchange using RSA certificate

The difference in "security" is large, but likely not worth the effort/computation/delay that we were seeing. Security Theater?

Answer

Note that there are different ciphers to choose from - I chose to use the same one as our Windows implementation for consistency.

With information from another question mentioned above, I figured out how to set the cipher for CFSocket to use the same as Windows, and the code appears to be now quite a bit better - like it really works! CFSocket isn't directly exposing the SecureTransport support, which makes this kind of hard, but defining a particular key makes it work nicely.

For posterity, here's the code I've added to -onSocketWillConnect: in our HTTPConnection class:

#import <Security/Security.h>   // SSLContextRef, SSLSetEnabledCiphers, SSL_RSA_WITH_RC4_128_MD5

// define this value; it isn't exposed by CFSocketStream.h
extern const CFStringRef kCFStreamPropertySocketSSLContext;

...

CFReadStreamRef stream = [sock getCFReadStream];
// "Copy" in the name means we own the returned CFData and must release it
CFDataRef data = (CFDataRef) CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);

// Extract the SSLContextRef from the CFData (the data holds the raw pointer value)
SSLContextRef sslContext = NULL;
if (data != NULL) {
    CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), (UInt8*)&sslContext);
    CFRelease(data);
}
if (sslContext != NULL) {
    SSLCipherSuite ciphers[1] = { SSL_RSA_WITH_RC4_128_MD5 }; // Basic cipher - not Diffie-Hellman
    SSLSetEnabledCiphers(sslContext, ciphers, 1);              // Secure Transport copies the list, so a stack array is fine
}

I hope this helps anyone working through the same issue as I - I'd be happy to share some more code and advice if needed.
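Added example, not part of the question or answer above and not CocoaHttpServer or AsyncSocket code: a helper that generalises the answer's approach. It pulls the SSLContextRef out of the stream the same way (via the private kCFStreamPropertySocketSSLContext key the answer declares), but instead of hard-coding one suite it intersects a caller-supplied preference list with the suites Secure Transport reports as supported, applies it, and reads the enabled list back so a misconfiguration shows up in the log instead of silently falling back to the defaults. The function names RestrictStreamCiphers and ApplyServerCipherPolicy are hypothetical; the preference list is an assumption that keeps RSA key exchange (no DHE parameter computation, which is the delay the question describes) while using AES instead of RC4/MD5. getCFReadStream is the AsyncSocket accessor the answer uses.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>   // SSLContextRef, SSLGet*/SetEnabledCiphers, cipher suite constants

// Private stream property used by the answer above; not declared in CFSocketStream.h.
extern const CFStringRef kCFStreamPropertySocketSSLContext;

// Hypothetical helper (added example): restrict the Secure Transport context behind
// a CFReadStream to `wanted`, dropping suites the library does not support, and
// return the number of suites actually enabled afterwards (0 on any failure).
static size_t RestrictStreamCiphers(CFReadStreamRef stream,
                                    const SSLCipherSuite *wanted,
                                    size_t wantedCount)
{
    // Same extraction as the answer: the CFData carries the raw SSLContextRef pointer.
    CFDataRef data = (CFDataRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);
    if (data == NULL || (size_t)CFDataGetLength(data) < sizeof(SSLContextRef)) {
        if (data != NULL) CFRelease(data);
        return 0;
    }
    SSLContextRef ctx = NULL;
    CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), (UInt8 *)&ctx);
    CFRelease(data);
    if (ctx == NULL) return 0;

    // Ask Secure Transport which suites this context can negotiate at all.
    size_t supportedCount = 0;
    if (SSLGetNumberSupportedCiphers(ctx, &supportedCount) != noErr || supportedCount == 0) return 0;
    SSLCipherSuite *supported = calloc(supportedCount, sizeof(SSLCipherSuite));
    if (SSLGetSupportedCiphers(ctx, supported, &supportedCount) != noErr) {
        free(supported);
        return 0;
    }

    // Keep only wanted suites that are supported, preserving our preference order.
    SSLCipherSuite *enabled = calloc(wantedCount, sizeof(SSLCipherSuite));
    size_t enabledCount = 0;
    for (size_t i = 0; i < wantedCount; i++) {
        for (size_t j = 0; j < supportedCount; j++) {
            if (wanted[i] == supported[j]) {
                enabled[enabledCount++] = wanted[i];
                break;
            }
        }
    }
    free(supported);

    OSStatus status = (enabledCount > 0) ? SSLSetEnabledCiphers(ctx, enabled, enabledCount)
                                         : errSecParam;
    free(enabled);
    if (status != noErr) {
        NSLog(@"SSLSetEnabledCiphers failed: %d", (int)status);
        return 0;
    }

    // Read the list back so the effective policy is visible, not assumed.
    size_t verifyCount = 0;
    if (SSLGetNumberEnabledCiphers(ctx, &verifyCount) != noErr) return 0;
    SSLCipherSuite *verify = calloc(verifyCount, sizeof(SSLCipherSuite));
    if (SSLGetEnabledCiphers(ctx, verify, &verifyCount) == noErr) {
        for (size_t i = 0; i < verifyCount; i++) {
            NSLog(@"enabled cipher suite 0x%04x", (unsigned)verify[i]);
        }
    }
    free(verify);
    return verifyCount;
}

// Hypothetical policy for -onSocketWillConnect: (call with [sock getCFReadStream]).
// Assumption: RSA key exchange with AES avoids the DHE parameter computation the
// question blames for the delay without resorting to the RC4/MD5 suite.
static size_t ApplyServerCipherPolicy(CFReadStreamRef stream)
{
    static const SSLCipherSuite kPreferred[] = {
        TLS_RSA_WITH_AES_128_CBC_SHA,
        TLS_RSA_WITH_AES_256_CBC_SHA,
    };
    return RestrictStreamCiphers(stream, kPreferred, sizeof(kPreferred) / sizeof(kPreferred[0]));
}
```

The preference array is the caller's policy; if an older client genuinely offers nothing but the RC4 suite, appending SSL_RSA_WITH_RC4_128_MD5 at the end of the list keeps it as a last resort rather than the only option. Note that the whole SSLContextRef API (SecureTransport.h) is deprecated in recent macOS releases in favour of Network.framework, so this pattern only applies to code bases still on CFStream.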
