Spencer MacDonald edited this page May 3, 2014 · 6 revisions

##TLS/SSL

XMPPStream automatically uses TLS if the XMPP server requires it. To start TLS regardless of whether the server marks it optional or required, set the startTLSPolicy property on XMPPStream to XMPPStreamStartTLSPolicyRequired:

```objc
xmppStream.startTLSPolicy = XMPPStreamStartTLSPolicyRequired;
```

##Security Settings

Immediately before the stream is secured via TLS/SSL, the delegate method xmppStream:willSecureWithSettings: is called. Within this method you can configure the following stream security settings (keys of the mutable settings dictionary):

kCFStreamSSLLevel
kCFStreamSSLAllowsExpiredCertificates
kCFStreamSSLAllowsExpiredRoots
kCFStreamSSLAllowsAnyRoot
kCFStreamSSLValidatesCertificateChain
kCFStreamSSLPeerName
kCFStreamSSLCertificates

and the following GCDAsyncSocket Security Settings:

GCDAsyncSocketSSLCipherSuites
GCDAsyncSocketSSLDiffieHellmanParameters
GCDAsyncSocketSSLClientSideAuthentication

###Self Signed Certificates

To allow self-signed certificates, set the kCFStreamSSLAllowsAnyRoot setting to @YES. Note that this accepts any root, so the server's chain is no longer anchored to a trusted CA:

```objc
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    [settings setObject:@YES forKey:(NSString *)kCFStreamSSLAllowsAnyRoot];
}
```

###Host Name Mismatch

To allow certificates whose name does not match the host, set the kCFStreamSSLPeerName setting to [NSNull null]. This disables hostname verification entirely, so any valid certificate will be accepted for any host:

```objc
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    [settings setObject:[NSNull null] forKey:(NSString *)kCFStreamSSLPeerName];
}
```

###Cipher Suites

This is an advanced setting; do not set it unless you understand the consequences.

To set the supported cipher suites, set GCDAsyncSocketSSLCipherSuites to an array of NSNumber objects, each representing an SSLCipherSuite. The example below offers every suite the OS supports, in the order Secure Transport reports them:

```objc
#import <Security/SecureTransport.h>

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
  NSMutableArray *cipherSuites = [NSMutableArray array];
  size_t numberOfCiphers = 0;

  // A throwaway client-side context is only used to query the supported suite list.
  SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
  SSLGetNumberSupportedCiphers(sslContext, &numberOfCiphers);

  SSLCipherSuite ciphers[numberOfCiphers];
  SSLGetSupportedCiphers(sslContext, ciphers, &numberOfCiphers);

  // SSLCreateContext follows the Create rule, so the context must be released.
  CFRelease(sslContext);

  // Every supported suite is offered here, including any weak ones the OS still ships.
  for (NSUInteger index = 0; index < numberOfCiphers; index++)
  {
    NSNumber *cipher = [NSNumber numberWithUnsignedShort:ciphers[index]];
    [cipherSuites addObject:cipher];
  }

  [settings setObject:cipherSuites forKey:GCDAsyncSocketSSLCipherSuites];
}
```
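As an added example (not from this wiki or from XMPPFramework itself), the following delegate implementation uses the same settings in the hardening direction: it requires TLS via kCFStreamSSLLevel, sets kCFStreamSSLPeerName explicitly, and restricts GCDAsyncSocketSSLCipherSuites to an allowlist of ECDHE/AES-GCM suites intersected with what the OS supports. It assumes the server's certificate is issued for the JID domain and that the server supports at least one of the listed suites; the suite constants come from Security/CipherSuite.h.

```objc
#import <Security/SecureTransport.h>
#import <Security/CipherSuite.h>
#import "XMPPStream.h"
#import "GCDAsyncSocket.h"

// Allowlist in preference order (assumption: the server supports at least one of these).
static const SSLCipherSuite kPreferredCipherSuites[] = {
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
};

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    // 1. Require TLS rather than a negotiated SSL/TLS level.
    [settings setObject:(NSString *)kCFStreamSocketSecurityLevelTLSv1
                 forKey:(NSString *)kCFStreamSSLLevel];

    // 2. Name the peer we expect: the XMPP domain of our JID (assumption: the
    //    certificate is issued for that domain). A mismatching name is then rejected.
    NSString *expectedPeerName = sender.myJID.domain;
    if (expectedPeerName.length > 0) {
        [settings setObject:expectedPeerName forKey:(NSString *)kCFStreamSSLPeerName];
    }

    // 3. Query the OS for the suites it supports (throwaway context, released below).
    size_t numberOfCiphers = 0;
    SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
    SSLGetNumberSupportedCiphers(sslContext, &numberOfCiphers);
    SSLCipherSuite supported[numberOfCiphers];
    SSLGetSupportedCiphers(sslContext, supported, &numberOfCiphers);
    CFRelease(sslContext);

    // Offer only allowlisted suites the OS supports, keeping the allowlist's order.
    NSMutableArray *cipherSuites = [NSMutableArray array];
    size_t preferredCount = sizeof(kPreferredCipherSuites) / sizeof(kPreferredCipherSuites[0]);
    for (size_t i = 0; i < preferredCount; i++) {
        for (size_t j = 0; j < numberOfCiphers; j++) {
            if (supported[j] == kPreferredCipherSuites[i]) {
                [cipherSuites addObject:@(kPreferredCipherSuites[i])];
                break;
            }
        }
    }
    if (cipherSuites.count > 0) {
        [settings setObject:cipherSuites forKey:GCDAsyncSocketSSLCipherSuites];
    }
    // kCFStreamSSLAllowsAnyRoot, kCFStreamSSLAllowsExpiredCertificates and
    // kCFStreamSSLValidatesCertificateChain are left at their defaults, so the
    // chain is still validated against the system trust store.
}
```

If the intersection is empty the cipher setting is left untouched rather than offering an empty list, which would make the handshake fail with no usable suite.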