Comments (12)
Fixed in 0.12.22. There was bug that was overriding the default cipher suite. This is fix. Actual setting of the cipher suites on macOS is currently not supported pending a rework of the way macOS cipher suites are handled.
from bluesslservice.
One other thing to be aware of, the cipher suites on macOS and Linux are named differently making them somewhat difficult to map. It's possible that you did not enable the proper cipher suites when configuring on Linux. Try setting the SSLService.Configuration.cipherSuite
variable to ALL
to enable all ciphers when configuring the SSLService
. On Linux, the current default is DEFAULT
.
from bluesslservice.
Within Kitura
, this same thing as above can be accomplished by passing ALL
as the value for the cipherSuite:
parameter on the SSLConfig
initializer you're using.
from bluesslservice.
I had tried a number of different cipher names. None of them seemed to work.
Since i was running Kitura on Ubuntu, i am assuming any string that works with the openssl cipher command should work as input to ciperSuite
eg:
openssl ciphers -v 'TLSv1.2'
I am going to test again with your latest patch.
from bluesslservice.
Your patch only changes the macOS side of things. The problem i am seeing is on the Linux path of the code base.
I ran a fresh set of tests and i have the same problem. Only the following ciphers are supported by BlueSSL for TLSv1.2
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
from bluesslservice.
I tried multiple cipher strings like "ALL", "TLSv1.2" and "DEFAULT" all failed with the same results
from bluesslservice.
The actual ciphers that are supported by BlueSSLService is limited to the ones that are supplied by your installation of OpenSSL. BlueSSLService does nothing more than call the relevant OpenSSL API to set the cipher suite depending on the setting past. What you are seeing is probably what the version of OpenSSL on your Linux box supports.
Yes, the patch covered only macOS. It was made as a result of your initial issue. It turned out that on macOS, BlueSSLService was not setting the proper default cipher suite.
from bluesslservice.
After a little more reading. It looks like BlueSSLService needs to implement the Diffie Hellman parameters for those ciphers to become available to the server.
Take a look at the following:
Link 1
Link 2 - Look at the section on Eliptical curve Diffie Hellman
The OpenSSL library on the Ubuntu system supports Perfect Forward Secrecy and the related ciphers. I have tested this using
Server
openssl s_server -accept <port> -cert <certfile> -key <private key>
Client
nscurl --ats-diagnostics https://server:port
from bluesslservice.
I'll take a look. No sure when I'll have time to get to it... In the meantime, I'll re-open this issue so I don't forget.
from bluesslservice.
After some testing, adding the following line to SSLService.main: prepareContext() function does enable the necessary ciphers to work with App Transport Security
SSL_CTX_ctrl(context, SSL_CTRL_SET_ECDH_AUTO, 1, nil)
One caveat is that this function is only available in OpenSSL v1.0.2+ , so this does not work with ubuntu-14.04
You can add this to prevent the function from executing on earlier version of OpenSSL
let ver: String = OPENSSL_VERSION_TEXT
if ver.contains("1.0.2") {
SSL_CTX_ctrl(context, SSL_CTRL_SET_ECDH_AUTO, 1, nil)
}
from bluesslservice.
Thanks for the research and the code snippet. I added the change to the latest version (0.12.23).
from bluesslservice.
The functionality has been added to version 0.12.26 however it must be enabled using a switch when building. See the README.md for more details.
from bluesslservice.
Related Issues (20)
- Data sending slowed down after using BlueSSLService HOT 7
- Forward Secrecy & App Transport Security test fails HOT 1
- Does not work with macOS in Terminal HOT 6
- Failing build under Linux HOT 7
- PKCS12 file not specified HOT 3
- iOS Product Target HOT 1
- Can we use an asymmetric key pair instead of a p12 for iOS? HOT 2
- Documentation example showing a TLS client needed HOT 4
- No such module 'SSLService' HOT 3
- BlueSSLService cannot be cross-compiled HOT 1
- Want to enable Pre-Shared Key communication using SSL Service class HOT 1
- BlueSSLService client cannot connect to stunnel server on windows HOT 1
- .
- Socket.read(...) unexpectedly returns 0 HOT 3
- The SSL methods are deprecated and not supported in iOS13 and Mac-catalina HOT 2
- Problem with expired certificate
- Socket does not write until data is read HOT 2
- Socket error: PKCS12 file not specified. HOT 1
- SSLRead bad certificate
- `verifyCallback` not being called
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bluesslservice.