Using SSLSetEnabledCiphers with AFNetworking to disable weak ciphers

Question

I am trying to disable some ciphers (weak) such as single DES, single DES 40 bit etc.

I've tried using this bit of code from How does one set SSL ciphers when using CFSocket/CFStream in Cocoa? (https://stackoverflow.com/questions/1954971/how-does-one-set-ssl-ciphers-when-using-cfsocket-cfstream-in-cocoa) and from the mailing list message CFNetwork SSL and long blocking delays, but I need access to socket data to get the CFDataRef.

Here is the code that I tried to insert in the handshake method in the AFURLConnectionOperation class:

- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    CFReadStreamRef stream = [sock getCFReadStream];
    CFDataRef data = CFReadStreamCopyProperty(stream, kCFStreamPropertySocketSSLContext);

    // Extract the SSLContextRef from the CFData
    SSLContextRef sslContext;
    CFDataGetBytes(data, CFRangeMake(0, sizeof(SSLContextRef)), &sslContext);

    // Get all enabled ciphers
    size_t numCiphers;
    SSLGetNumberEnabledCiphers(sslContext,&numCiphers);
    SSLCipherSuite ciphers[numCiphers];
    SSLGetEnabledCiphers(sslContext,ciphers,&numCiphers);

    // Create a new cipher array with only non-DH ciphers, and set it
    SSLCipherSuite finalCiphers[numCiphers];
    int numFinalCiphers = 0;
    for(int i=0; i<numCiphers; i++) {
        SSLCipherSuite suite = ciphers[i];
        if(!cipherSuiteUsesDH(suite)) {
            finalCiphers[numFinalCiphers] = suite;
            numFinalCiphers++;
        }
    }
    SSLSetEnabledCiphers(sslContext,finalCiphers,numFinalCiphers);
}

Any and all help would be appreciated.

Edit: Unfortunately this is an existing project and it still uses version 1 of AFNetworking.

Recommended answer


OK, this one piqued my interest because it's something I do in other languages, but not Cocoa/CocoaTouch. It's been on my TODO list for some time. The answer is you can't do it when working with the high level objects like NSURLConnection.

I could not find a way to bridge the gap between NSURLConnection and friends and the low level stuff needed to set the cipher suites. If you are interested, the "highest" the low level stuff goes is CFSocketStream. So the job is to get NSURLConnection to work with a CFSocketStream (or access the CFSocketStream in the NSURLConnection).

I also mirrored your question on Apple's Network Programming mailing list, and both Jens and Quinn confirmed it (Quinn provided the info on CFSocketStream). See Configure socket used by NSURLConnection?.

Also, in case you did not realize it, attempting to modify the properties in -connection:didReceiveAuthenticationChallenge: is too late. By the time you get the authentication challenge, the handshake is already in progress (i.e., the ClientHello has already been sent).

If you do manage to find a hack to do it, then please post it.
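
The filtering step the question is after, as an added example that is not part of the original question or answer: it drops only the single-DES and 40-bit export DES suites (by IANA code point, so 3DES is kept) and applies the result through Secure Transport. It assumes you own an SSLContextRef and call this before SSLHandshake(), which the answer says NSURLConnection does not allow; the helper names and the non-Apple stand-in typedef are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#ifdef __APPLE__
#include <Security/SecureTransport.h>
#else
typedef uint16_t SSLCipherSuite; /* assumption: stand-in so the filter builds off Apple platforms */
#endif

/* IANA TLS code points: single-DES and 40-bit export DES suites only. */
static const uint16_t kWeakDESSuites[] = {
    0x0008, 0x0009, /* RSA_EXPORT_WITH_DES40_CBC_SHA,     RSA_WITH_DES_CBC_SHA     */
    0x000B, 0x000C, /* DH_DSS_EXPORT_WITH_DES40_CBC_SHA,  DH_DSS_WITH_DES_CBC_SHA  */
    0x000E, 0x000F, /* DH_RSA_EXPORT_WITH_DES40_CBC_SHA,  DH_RSA_WITH_DES_CBC_SHA  */
    0x0011, 0x0012, /* DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, DHE_DSS_WITH_DES_CBC_SHA */
    0x0014, 0x0015, /* DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, DHE_RSA_WITH_DES_CBC_SHA */
    0x0019, 0x001A, /* DH_anon_EXPORT_WITH_DES40_CBC_SHA, DH_anon_WITH_DES_CBC_SHA */
};

/* Hypothetical helper: returns 1 if the suite is on the weak list above. */
static int suite_is_weak_des(SSLCipherSuite s) {
    for (size_t i = 0; i < sizeof kWeakDESSuites / sizeof kWeakDESSuites[0]; i++)
        if (s == kWeakDESSuites[i]) return 1;
    return 0;
}

/* Hypothetical helper: copies the non-weak suites, in their original order,
   into out and returns how many were kept. out may be the same array as in. */
static size_t drop_weak_des(const SSLCipherSuite *in, size_t n, SSLCipherSuite *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!suite_is_weak_des(in[i])) out[kept++] = in[i];
    return kept;
}

#ifdef __APPLE__
/* Call on an SSLContextRef you own, before SSLHandshake() sends the ClientHello. */
static OSStatus restrict_enabled_ciphers(SSLContextRef ctx) {
    size_t n = 0;
    OSStatus st = SSLGetNumberEnabledCiphers(ctx, &n);
    if (st != noErr || n == 0) return st;
    SSLCipherSuite *buf = malloc(n * sizeof *buf);
    if (!buf) return errSSLInternal;
    st = SSLGetEnabledCiphers(ctx, buf, &n);
    /* Filter in place, then hand the shortened list back to the context. */
    if (st == noErr) st = SSLSetEnabledCiphers(ctx, buf, drop_weak_des(buf, n, buf));
    free(buf);
    return st;
}
#endif
```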
