Security
## TLS/SSL
By default `XMPPStream` only negotiates TLS when the XMPP server *requires* it. A server that advertises STARTTLS as optional, or an on-path attacker who strips the `<starttls/>` feature from the stream features before they reach the client, leaves the session in plaintext. To negotiate TLS regardless of whether the server marks it optional or required, and to refuse to continue in plaintext when the server does not offer it at all, set the `startTLSPolicy` property on `XMPPStream` to `XMPPStreamStartTLSPolicyRequired` before connecting:

```objc
xmppStream.startTLSPolicy = XMPPStreamStartTLSPolicyRequired;
```
## Security Settings
Immediately before the stream is secured via TLS/SSL, the delegate method `xmppStream:willSecureWithSettings:` is called with the mutable settings dictionary that will be handed to `GCDAsyncSocket`. If you leave the dictionary alone, the socket validates the server certificate with the system trust store and your delegate is never consulted. To evaluate the peer's trust yourself, add `GCDAsyncSocketManuallyEvaluateTrust` to the settings with a value of `@(YES)`:

```objc
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
}
```
The socket then stops the handshake and calls the delegate method `xmppStream:didReceiveTrust:completionHandler:` with the peer's `SecTrustRef`. In that method use `SecTrustEvaluate` (or, on macOS 10.14 / iOS 12 and later, `SecTrustEvaluateWithError`) and related functions to validate the chain and the hostname, then call the completion handler with the verdict. Once you have opted into manual evaluation, nothing else checks the certificate: the stub below, which calls `completionHandler(YES)`, accepts any certificate, including one minted by a man in the middle, and only shows the method's shape.

```objc
- (void)xmppStream:(XMPPStream *)sender
   didReceiveTrust:(SecTrustRef)trust
 completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    // Placeholder only: trusts every peer. Replace with real SecTrust evaluation.
    completionHandler(YES);
}
```
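The two delegate methods above, filled in the way a practitioner would ship them. This is an added example and not code from the original page or from XMPPFramework itself; it assumes a hypothetical delegate class `MyXMPPDelegate`, a hypothetical pin constant `kPinnedLeafSHA256` (left `nil`, which disables pinning), the `XMPPFramework.h` umbrella header, and macOS 10.14 / iOS 12 or later for `SecTrustEvaluateWithError`. `GCDAsyncSocketSSLProtocolVersionMin` is a `GCDAsyncSocket` settings key that takes an `SSLProtocol` value wrapped in an `NSNumber`.

```objc
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>
#import "XMPPFramework.h"

// Hypothetical pin: lowercase hex SHA-256 of the server's leaf certificate in DER form.
// nil disables pinning and relies on the system trust store plus hostname check alone.
static NSString *const kPinnedLeafSHA256 = nil;

@interface MyXMPPDelegate : NSObject <XMPPStreamDelegate>  // hypothetical delegate class
@end

@implementation MyXMPPDelegate

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    // Take over trust evaluation so that didReceiveTrust:completionHandler: is called.
    settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
    // Refuse anything older than TLS 1.2.
    settings[GCDAsyncSocketSSLProtocolVersionMin] = @(kTLSProtocol12);
}

- (void)xmppStream:(XMPPStream *)sender
   didReceiveTrust:(SecTrustRef)trust
 completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    // RFC 6120: the certificate must match the XMPP service domain (the JID's domain),
    // not whatever host an SRV lookup happened to point the socket at.
    NSString *expectedHost = sender.myJID.domain ?: sender.hostName;
    CFRetain(trust);  // CF object, not managed by ARC; keep it alive across the async hop

    // Evaluation may fetch OCSP/CRL data over the network, so keep it off the delegate
    // queue. The completion handler may be called from any thread.
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{
        BOOL trusted = NO;

        // Explicit SSL-server policy carrying the expected hostname.
        SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)expectedHost);
        if (SecTrustSetPolicies(trust, policy) == errSecSuccess) {
            CFErrorRef error = NULL;
            trusted = SecTrustEvaluateWithError(trust, &error);  // chain + hostname + validity
            if (error) CFRelease(error);
        }
        CFRelease(policy);

        // Optional certificate pinning on top of (never instead of) chain validation.
        if (trusted && kPinnedLeafSHA256 != nil) {
            SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
            NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
            unsigned char digest[CC_SHA256_DIGEST_LENGTH];
            CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
            NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
            for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
                [hex appendFormat:@"%02x", digest[i]];
            }
            trusted = [hex isEqualToString:[kPinnedLeafSHA256 lowercaseString]];
        }

        CFRelease(trust);
        completionHandler(trusted);
    });
}

@end
```

The hostname policy is set explicitly rather than assumed from the socket's `GCDAsyncSocketSSLPeerName` setting, so the check survives even if some other code path changed that key. A pin on the leaf certificate is the simplest form of pinning; it must be rotated whenever the server renews its certificate, so keep a backup pin or prefer pinning the issuing CA if the server's certificate lifetime is short.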
### Cipher Suites
This is an advanced setting: do not set it unless you understand the consequences. An allow-list that is too narrow makes the handshake fail against servers that share no suite with it; one that is too broad re-enables weak suites. To control the cipher suites offered in the ClientHello, set `GCDAsyncSocketSSLCipherSuites` to an array of `NSNumber`s, each wrapping an `SSLCipherSuite` value from `<Security/CipherSuite.h>`, in preference order. The example below only demonstrates the mechanism: it enumerates every suite the platform's SecureTransport supports and passes all of them back, which restricts nothing. SecureTransport (`SSLContextRef` and the `SSL*` functions) is deprecated as of macOS 10.15 / iOS 13, although `GCDAsyncSocket` still performs TLS through it.
```objc
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    NSMutableArray *cipherSuites = [NSMutableArray array];
    size_t numberOfCiphers = 0;
    // A throw-away SecureTransport context is only used to query the platform's cipher list.
    SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
    SSLGetNumberSupportedCiphers(sslContext, &numberOfCiphers);
    SSLCipherSuite ciphers[numberOfCiphers];
    SSLGetSupportedCiphers(sslContext, ciphers, &numberOfCiphers);
    CFRelease(sslContext); // the context is owned by the caller and was leaked in the original
    for (NSUInteger index = 0; index < numberOfCiphers; index++)
    {
        NSNumber *cipher = [NSNumber numberWithUnsignedShort:ciphers[index]];
        [cipherSuites addObject:cipher];
    }
    [settings setObject:cipherSuites forKey:GCDAsyncSocketSSLCipherSuites];
}
```
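The same mechanism used to actually tighten the offered suites. This is an added example, not code from the original page or from XMPPFramework: the allow-list `kPreferredCipherSuites` and the helper `XMPPHardenedCipherSuites()` are hypothetical names chosen here. The helper keeps only forward-secret ECDHE suites with AEAD ciphers, and intersects that list with what the running OS reports as supported, so the settings never name a suite the platform cannot negotiate.

```objc
#import <Security/Security.h>
#import <Security/CipherSuite.h>
#import "XMPPFramework.h"

// Hypothetical allow-list, in preference order: ECDHE key exchange (forward secrecy)
// with AES-GCM (AEAD) only. No RSA key transport, no CBC, no RC4, no 3DES, no NULL.
static const SSLCipherSuite kPreferredCipherSuites[] = {
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
};

// Returns the preferred suites that this OS build actually supports, preserving the
// allow-list's order. Hypothetical helper name.
NSArray<NSNumber *> *XMPPHardenedCipherSuites(void)
{
    NSMutableSet<NSNumber *> *supported = [NSMutableSet set];
    SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
    size_t count = 0;
    if (ctx && SSLGetNumberSupportedCiphers(ctx, &count) == errSecSuccess && count > 0) {
        SSLCipherSuite *ciphers = calloc(count, sizeof(SSLCipherSuite));
        if (SSLGetSupportedCiphers(ctx, ciphers, &count) == errSecSuccess) {
            for (size_t i = 0; i < count; i++) {
                [supported addObject:@(ciphers[i])];
            }
        }
        free(ciphers);
    }
    if (ctx) CFRelease(ctx);

    NSMutableArray<NSNumber *> *result = [NSMutableArray array];
    size_t preferredCount = sizeof(kPreferredCipherSuites) / sizeof(kPreferredCipherSuites[0]);
    for (size_t i = 0; i < preferredCount; i++) {
        NSNumber *suite = @(kPreferredCipherSuites[i]);
        if ([supported containsObject:suite]) {
            [result addObject:suite];
        }
    }
    return result;
}

@interface MyCipherSuiteDelegate : NSObject <XMPPStreamDelegate>  // hypothetical delegate class
@end

@implementation MyCipherSuiteDelegate

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    NSArray<NSNumber *> *suites = XMPPHardenedCipherSuites();
    // If the intersection is empty the platform cannot satisfy the policy at all; leaving
    // the key unset would silently fall back to the platform default, so fail loudly instead.
    NSCAssert(suites.count > 0, @"no acceptable TLS cipher suite supported on this platform");
    settings[GCDAsyncSocketSSLCipherSuites] = suites;
}

@end
```

Because this list contains TLS 1.2 suites only, it also rules out TLS 1.0 and 1.1 handshakes on its own; pairing it with a minimum protocol version setting makes the intent explicit. Verify the result against your server before shipping: the server must have at least one of these suites enabled, and an ECDSA-only server needs the ECDSA entries while an RSA-certificate server needs the RSA ones.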