-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Security
The XMPPStream automatically uses TLS if it is required by a XMPP Server. To start TLS regardless of whether it is optional or required by a XMPP server, set the startTLSPolicy property on XMPPStream to XMPPStreamStartTLSPolicyRequired
xmppStream.startTLSPolicy = XMPPStreamStartTLSPolicyRequired;Immediately prior to the stream being secured via TLS/SSL the xmppStream:willSecureWithSettings: method is called, to manually evaluate the connection GCDAsyncSocketManuallyEvaluateTrust must be added to the settings with a value of @(YES)
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
}Then in the delegate method xmppStream:didReceiveTrust:completionHandler:, you can use SecTrustEvaluate (and related functions) to properly validate the peer.
- (void)xmppStream:(XMPPStream *)sender
didReceiveTrust:(SecTrustRef)trust
completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
completionHandler(YES);
}This is an advanced setting, do not set this unless you understand the consequences.
To set the supported Cipher Suites, set the GCDAsyncSocketSSLCipherSuites to an array of NSNumber each of which represents a SSLCipherSuite:
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
NSMutableArray *cipherSuites = [NSMutableArray array];
size_t numberOfCiphers = 0;
SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
SSLGetNumberSupportedCiphers(sslContext, &numberOfCiphers);
SSLCipherSuite ciphers[numberOfCiphers];
SSLGetSupportedCiphers(sslContext, ciphers, &numberOfCiphers);
for (NSUInteger index = 0; index < numberOfCiphers; index++)
{
NSNumber *cipher = [NSNumber numberWithUnsignedShort:ciphers[index]];
[cipherSuites addObject:cipher];
}
[settings setObject:cipherSuites forKey:GCDAsyncSocketSSLCipherSuites];
}