From a5ff2222858d718a12f59fed25633dfbda0bd804 Mon Sep 17 00:00:00 2001 From: Ralph Shao Date: Mon, 1 Apr 2013 19:15:40 -0400 Subject: [PATCH 1/2] make it use correct ssl settings for ios 5.0 and 5.0.1 --- Classes/ASIHTTPRequest.m | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/Classes/ASIHTTPRequest.m b/Classes/ASIHTTPRequest.m index 8dd162c3..213446cb 100644 --- a/Classes/ASIHTTPRequest.m +++ b/Classes/ASIHTTPRequest.m @@ -1211,14 +1211,17 @@ - (void)startRequest if (![self validatesSecureCertificate]) { // see: http://iphonedevelopment.blogspot.com/2010/05/nsstream-tcp-and-ssl.html - NSDictionary *sslProperties = [[NSDictionary alloc] initWithObjectsAndKeys: - [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates, - [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot, - [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain, - kCFNull,kCFStreamSSLPeerName, - nil]; - - CFReadStreamSetProperty((CFReadStreamRef)[self readStream], + NSMutableDictionary *sslProperties = [[NSMutableDictionary alloc] initWithObjectsAndKeys: + [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates, + [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot, + [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain, + kCFNull,kCFStreamSSLPeerName, + nil]; + if ([[[UIDevice currentDevice] systemVersion] compare:@"5.0" options:NSNumericSearch] != NSOrderedAscending && [[[UIDevice currentDevice] systemVersion] compare:@"5.1" options:NSNumericSearch] == NSOrderedAscending) { + [sslProperties setObject:@"kCFStreamSocketSecurityLevelTLSv1_0SSLv3" forKey:kCFStreamSSLLevel]; + } + + CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, (CFTypeRef)sslProperties); [sslProperties release]; 
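Review bot: The value stored under `kCFStreamSSLLevel` in the added `setObject:` line is a bare string literal rather than one of the declared `kCFStreamSocketSecurityLevel…` constants, and nothing in the hunk explains why. If this is a deliberate use of a level that CFNetwork does not export, and which by its name appears to restrict the handshake to TLS 1.0 / SSLv3, a comment should say so, e.g. `// iOS 5.0.x only: level string not declared in CFNetwork headers; restricts negotiation to TLS 1.0 / SSLv3 (reason: <bug or server reference>)`. The same literal is added in the client-certificate hunk of this patch and again in the last hunk of patch 2/2, so one named constant for the string would keep the copies in step. startRequest begins and ends outside the hunk.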
@@ -1227,9 +1230,12 @@ - (void)startRequest // Tell CFNetwork to use a client certificate if (clientCertificateIdentity) { NSMutableDictionary *sslProperties = [NSMutableDictionary dictionaryWithCapacity:1]; + if ([[[UIDevice currentDevice] systemVersion] compare:@"5.0" options:NSNumericSearch] != NSOrderedAscending && [[[UIDevice currentDevice] systemVersion] compare:@"5.1" options:NSNumericSearch] == NSOrderedAscending) { + [sslProperties setObject:@"kCFStreamSocketSecurityLevelTLSv1_0SSLv3" forKey:kCFStreamSSLLevel]; + } NSMutableArray *certificates = [NSMutableArray arrayWithCapacity:[clientCertificates count]+1]; - + // The first object in the array is our SecIdentityRef [certificates addObject:(id)clientCertificateIdentity]; From 55b00e233674557db3e953bc98330249edb2d89b Mon Sep 17 00:00:00 2001 From: Ralph Shao Date: Mon, 29 Apr 2013 11:36:45 -0400 Subject: [PATCH 2/2] revised ssl settings -- last commit didn't work unless validation was turned off or client certificates were used --- Classes/ASIHTTPRequest.m | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/Classes/ASIHTTPRequest.m b/Classes/ASIHTTPRequest.m index 213446cb..c5f9d44a 100644 --- a/Classes/ASIHTTPRequest.m +++ b/Classes/ASIHTTPRequest.m 
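Review bot: `[UIDevice currentDevice]` in the added version test is UIKit API, and no platform guard is visible around it in this hunk or in the first one. If ASIHTTPRequest.m is also compiled for a Mac target, which cannot be seen from here, the test needs to sit inside `#if TARGET_OS_IPHONE` … `#endif`. The version string is also fetched twice in one condition; a local such as `NSString *osVersion = [[UIDevice currentDevice] systemVersion];` would shorten the line and make the 5.0 ≤ version < 5.1 range easier to read. The same applies to the copy of this test in the last hunk of patch 2/2.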
@@ -1207,33 +1207,24 @@ - (void)startRequest if([[[[self url] scheme] lowercaseString] isEqualToString:@"https"]) { + NSMutableDictionary *sslProperties = [[NSMutableDictionary alloc] init]; + // Tell CFNetwork not to validate SSL certificates if (![self validatesSecureCertificate]) { // see: http://iphonedevelopment.blogspot.com/2010/05/nsstream-tcp-and-ssl.html - NSMutableDictionary *sslProperties = [[NSMutableDictionary alloc] initWithObjectsAndKeys: - [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates, - [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot, - [NSNumber numberWithBool:NO], kCFStreamSSLValidatesCertificateChain, - kCFNull,kCFStreamSSLPeerName, - nil]; - if ([[[UIDevice currentDevice] systemVersion] compare:@"5.0" options:NSNumericSearch] != NSOrderedAscending && [[[UIDevice currentDevice] systemVersion] compare:@"5.1" options:NSNumericSearch] == NSOrderedAscending) { - [sslProperties setObject:@"kCFStreamSocketSecurityLevelTLSv1_0SSLv3" forKey:kCFStreamSSLLevel]; - } + [sslProperties setObject:[NSNumber numberWithBool:YES] forKey:kCFStreamSSLAllowsExpiredCertificates]; + [sslProperties setObject:[NSNumber numberWithBool:YES] forKey:kCFStreamSSLAllowsAnyRoot]; + [sslProperties setObject:[NSNumber numberWithBool:NO] forKey:kCFStreamSSLValidatesCertificateChain]; + [sslProperties setObject:kCFNull forKey:kCFStreamSSLPeerName]; CFReadStreamSetProperty((CFReadStreamRef)[self readStream], - kCFStreamPropertySSLSettings, + kCFStreamPropertySSLSettings, (CFTypeRef)sslProperties); - [sslProperties release]; } // Tell CFNetwork to use a client certificate if (clientCertificateIdentity) { - NSMutableDictionary *sslProperties = [NSMutableDictionary dictionaryWithCapacity:1]; - if ([[[UIDevice currentDevice] systemVersion] compare:@"5.0" options:NSNumericSearch] != NSOrderedAscending && [[[UIDevice currentDevice] systemVersion] compare:@"5.1" options:NSNumericSearch] == NSOrderedAscending) { - [sslProperties 
setObject:@"kCFStreamSocketSecurityLevelTLSv1_0SSLv3" forKey:kCFStreamSSLLevel]; - } - NSMutableArray *certificates = [NSMutableArray arrayWithCapacity:[clientCertificates count]+1]; // The first object in the array is our SecIdentityRef @@ -1249,6 +1240,13 @@ - (void)startRequest CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, sslProperties); } + if ([[[UIDevice currentDevice] systemVersion] compare:@"5.0" options:NSNumericSearch] != NSOrderedAscending && [[[UIDevice currentDevice] systemVersion] compare:@"5.1" options:NSNumericSearch] == NSOrderedAscending) { + [sslProperties setObject:@"kCFStreamSocketSecurityLevelTLSv1_0SSLv3" forKey:kCFStreamSSLLevel]; + CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, sslProperties); + } + + [sslProperties release]; + } //
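Review bot: Hoisting `sslProperties` to one dictionary for the whole https block means the validation-off keys set here (`kCFStreamSSLAllowsAnyRoot`, `kCFStreamSSLValidatesCertificateChain` = NO, `kCFStreamSSLPeerName` = kCFNull) are still in it when the client-certificate branch below applies the dictionary again. Before this patch that branch built its own dictionary, so with `validatesSecureCertificate` off and a client identity set, the identity now appears to be presented on a connection whose server chain and host name are not checked. If that combination is intended, it deserves a comment at the declaration, for instance `// shared by all branches: validation-off keys also apply when a client certificate is sent`. The client-certificate branch is only partly visible in this hunk.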
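Review bot: After this hunk the same dictionary is handed to `CFReadStreamSetProperty` up to three times per request (validation-off branch, client-certificate branch and this version block), each time with a few more keys in it. Since every branch now fills the shared `sslProperties`, the two earlier calls can be dropped in favour of a single call just before the release: `if ([sslProperties count] > 0) { CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, (CFTypeRef)sslProperties); }`. That also removes any dependence on whether the stream copies the dictionary at the time of each call, which is not visible here.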