
Default SSLLevel on Mac OS 10.9 onwards when using NSURLConnection

We have a legacy app which gets built against the Mac 10.6 SDK. We are making use of NSMutableURLRequest and NSURLConnection to make web calls. Using Wireshark, I have noticed that on 10.9 - 10.11.2 all these calls get made on TLSv1. On 10.11.6 onwards (also 10.13 beta) these get made on TLSv1.2.

I changed the code to force TLSv1.2 using CFURLRequestSetSSLProperties (dlsym). I set kCFStreamSSLLevel to "kCFStreamSocketSecurityLevelTLSv1_2". After this I can see that calls now get made on TLSv1.2.

From Apple documentation on kCFStreamSSLLevel:

By default, a stream's security level is kCFStreamSocketSecurityLevelNegotiatedSSL.

and from kCFStreamSocketSecurityLevelNegotiatedSSL:

Specifies that the highest level security protocol that can be negotiated be set as the security protocol for a socket stream.

I know that TLSv1.2 is supported on 10.9. As a test, I set kCFStreamSSLLevel to kCFStreamSocketSecurityLevelNegotiatedSSL and on 10.9 it still made calls on TLSv1.

I have 2 questions:

  1. Why do calls get made on TLSv1 for 10.9-10.11.2? Shouldn't they automatically choose the highest version available, i.e. TLSv1.2?

  2. When using kCFStreamSocketSecurityLevelTLSv1_2, is there fallback to lower versions if the server doesn't support TLSv1.2, or will the call simply fail? I found this while checking:

kCFStreamSocketSecurityLevelNegotiatedSSL

Discussion: Stream property value, for both set and copy operations. Indicates to use TLS or SSL with fallback to lower versions. This is what HTTPS does, for instance.

There's no such declaration for kCFStreamSocketSecurityLevelTLSv1_2 or even kCFStreamSocketSecurityLevelTLSv1. So will they fall back to lower versions or not?

IIRC, the version-specific constants set a specific version, and it will not negotiate any other version. Negotiate, by contrast, allows it to negotiate any version that has not been blacklisted by Apple because of security concerns (e.g. SSLv3).

Thus, my recollection is that the general advice is to always use Negotiate on the client side unless you are required to use a specific version to enable support for a host that is incapable of using newer versions of SSL/TLS or for servers that don't support negotiation correctly, and then to always set your servers to accept only the most recent version (or slightly older, if needed to support older clients).

The advantage to that approach is that your client code won't have to change as Apple adds new versions and deprecates old ones, and the server is presumably under your direct control, so you can change it at any time without forcing your users to download a software update.
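As an added example (not code from the question or the answer), this is what the forced-TLS-1.2 setup the question describes looks like once the answer's point is taken into account: a pinned level gets no fallback, so the failure is reported rather than retried at a lower version. It assumes the private CFNetwork pieces the question relies on (the opaque CFURLRequestRef type, NSURLRequest's -_CFURLRequest accessor and the CFURLRequestSetSSLProperties signature) and passes the level by its string name, as the question does; example.invalid is a placeholder host.

```objc
#import <Foundation/Foundation.h>
#import <CFNetwork/CFNetwork.h>
#include <dlfcn.h>

// Assumed private CFNetwork pieces: the opaque CFURLRequestRef type, NSURLRequest's
// -_CFURLRequest accessor and the CFURLRequestSetSSLProperties signature. Not public API.
typedef const struct _CFURLRequest *CFURLRequestRef;
typedef void (*SetSSLPropertiesFn)(CFURLRequestRef, CFDictionaryRef);

@interface NSURLRequest (AssumedPrivateAccessor)
- (CFURLRequestRef)_CFURLRequest;
@end

// Pins the request to one kCFStreamSSLLevel value, passed by its string name as the
// question does. Returns NO when the private symbol is missing, so the caller knows the
// request is still on the default (kCFStreamSocketSecurityLevelNegotiatedSSL).
static BOOL ApplySSLLevel(NSMutableURLRequest *request, NSString *levelName) {
    SetSSLPropertiesFn setProps =
        (SetSSLPropertiesFn)dlsym(RTLD_DEFAULT, "CFURLRequestSetSSLProperties");
    if (setProps == NULL || ![request respondsToSelector:@selector(_CFURLRequest)]) return NO;
    NSDictionary *sslProps = [NSDictionary dictionaryWithObject:levelName
                                                         forKey:(NSString *)kCFStreamSSLLevel];
    setProps([request _CFURLRequest], (CFDictionaryRef)sslProps);
    return YES;
}

// Fetches with TLS 1.2 pinned and deliberately no retry at a lower level: as the answer
// says, a version-specific constant negotiates nothing else, so a server without TLS 1.2
// makes the call fail, and that failure is surfaced rather than hidden by a downgrade.
static NSData *FetchWithTLS12(NSURL *url, NSError **error) {
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
    if (!ApplySSLLevel(request, @"kCFStreamSocketSecurityLevelTLSv1_2")) {
        NSLog(@"CFURLRequestSetSSLProperties unavailable; request left on NegotiatedSSL");
    }
    NSURLResponse *response = nil;
    return [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:error];
}

int main(int argc, const char *argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSURL *url = [NSURL URLWithString:@"https://example.invalid/"]; // placeholder host
    NSError *error = nil;
    NSData *body = FetchWithTLS12(url, &error);
    NSLog(@"%@", body ? @"fetched with TLS 1.2 pinned" : [error localizedDescription]);
    [pool drain];
    return body ? 0 : 1;
}
```

A Wireshark capture of the handshake, as in the question, is the check that the Client Hello really advertises only TLS 1.2 after the property is applied.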
