Hello,
I run into at least a couple of posts (here and here) that appear to have a very similar if not the same question, both aswered by Eskimo. I saw his observations about why it makes sense to configure the specific set of ciphers to be configured in the server and I agree with the observation when the server is totally in your control.
We have a business/security requirement to in addition of the server, also limit the TLS session to only support a specific subset of cipher suites. I think the case in mind is that our app may be configured to connect to server endpoints where we are not necessarily in control of, and to minimize security gaps, we would like to also from the client side support only a specific subset of suites.
Our networking layer uses NSURLSession as we know that's the general recommendation, if this API does not support it, what are our options to be able to comply with our requirement?
I found a lower-level API Secure Transport framework that has some functions to retrieve/set cipher suites, but it seems these APIs are mostly deprecated now. This documentation refers us to use the newer Network framework instead, I noticed some TLS related APIs, such as TLS Options, but nothing specific for ciphers.
Any advice?
I run into at least a couple of posts (here and here) that appear to have a very similar if not the same question, both aswered by Eskimo. I saw his observations about why it makes sense to configure the specific set of ciphers to be configured in the server and I agree with the observation when the server is totally in your control.
We have a business/security requirement to in addition of the server, also limit the TLS session to only support a specific subset of cipher suites. I think the case in mind is that our app may be configured to connect to server endpoints where we are not necessarily in control of, and to minimize security gaps, we would like to also from the client side support only a specific subset of suites.
Our networking layer uses NSURLSession as we know that's the general recommendation, if this API does not support it, what are our options to be able to comply with our requirement?
I found a lower-level API Secure Transport framework that has some functions to retrieve/set cipher suites, but it seems these APIs are mostly deprecated now. This documentation refers us to use the newer Network framework instead, I noticed some TLS related APIs, such as TLS Options, but nothing specific for ciphers.
Any advice?