How can I prevent my app from downgrading from TLSv1.2 on iOS 8?
I am trying to restrict my app from communicating with a server that is running any version of TLS prior to 1.2. From the docs, it appears that I should be able to do this by calling SSLSetProtocolVersionMin, so I have done that:
SSLContextRef context = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
SSLSetProtocolVersionMax(context, kTLSProtocol12);
SSLSetProtocolVersionMin(context, kTLSProtocol12);
I have verified that the call to SSLSetProtocolVersionMin does not return an error, but I am still able to connect to servers that negotiate down to SSLv3. SSLSetProtocolVersionMax appears to work correctly, as when I set it to TLSv1.1 and the server to TLSv1.2 only, I cannot connect to the server.
It appears that this works as expected on iOS 9. Does anybody know if this is not supported in iOS 8, or if there are other steps I need to take?
You can configure iOS to only connect to servers meeting a minimum TLS version using Apple's new Application Transport Security in iOS 9.
You can add code like the following to your Info.plist file:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.com</key>
        <dict>
            <!-- ATS version strings take the form "TLSv1.2" -->
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
        </dict>
    </dict>
</dict>
You can take a look at the WWDC video.
EDIT:
I see you added to your question to state that you need to accomplish this on iOS 8, which does not have ATS. But hopefully this answer will help those who are using iOS 9 and need to do this, since the original question did not include this limitation.
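A fail-closed check for the Secure Transport setup shown in the question, as an added example that is not part of the original posts: after the handshake completes, read the negotiated version with SSLGetNegotiatedProtocolVersion and close the session unless it is TLS 1.2. The helper name RequireNegotiatedTLS12 and the error domain ExampleTLSPolicyErrorDomain are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/SecureTransport.h>

// Hypothetical helper (the name and the error domain are assumptions made for
// this example). Call it after SSLHandshake() has returned errSecSuccess and
// before any application data is passed to SSLWrite().
static BOOL RequireNegotiatedTLS12(SSLContextRef context, NSError **error)
{
    SSLProtocol negotiated = kSSLProtocolUnknown;
    OSStatus status = SSLGetNegotiatedProtocolVersion(context, &negotiated);

    // Compare by equality, not with < or >: SSLProtocol enum values are not
    // ordered by protocol strength (kDTLSProtocol1 is numerically greater
    // than kTLSProtocol12, for instance).
    if (status == errSecSuccess && negotiated == kTLSProtocol12) {
        return YES;
    }

    // Fail closed: a query error, kSSLProtocolUnknown (no session), SSLv3,
    // TLS 1.0 and TLS 1.1 all end the session before data is exchanged.
    SSLClose(context);

    if (error != NULL) {
        NSInteger code = (status != errSecSuccess) ? status : errSSLProtocol;
        *error = [NSError errorWithDomain:@"ExampleTLSPolicyErrorDomain"
                                     code:code
                                 userInfo:@{ @"negotiatedProtocol" : @(negotiated) }];
    }
    return NO;
}
```

This mirrors the question's configuration, where both the minimum and the maximum are set to kTLSProtocol12, so any other negotiated value is rejected.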