How to disable TLSv 1.0, 1.1, 1.3 and enable only TLSv 1.2 using NSURLSession API

Hi,


I have an issue regarding disabling TLS 1.0, 1.1 and 1.3.

On our server side we enabled only TLS 1.2, so I need to disable all the other versions.


Please check the code below.


import Security

let request: NSMutableURLRequest = createRequest(url, apiType: apiType, parameters: parameters, body: body as [String : AnyObject]?, headers: PLUtility.getUnwrappedValue(headers), requestType: requestType!)

let configuration = URLSessionConfiguration.default
// Pin both the floor and the ceiling of the protocol range to TLS 1.2
configuration.tlsMinimumSupportedProtocol = SSLProtocol.tlsProtocol12
configuration.tlsMaximumSupportedProtocol = SSLProtocol.tlsProtocol12
configuration.timeoutIntervalForRequest = 30
configuration.requestCachePolicy = .reloadIgnoringLocalCacheData
configuration.urlCache = nil

// Cipher suites the session should be restricted to (SecureTransport constants)
let ciphers: [SSLCipherSuite] = [
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
]



Here, I set the maximum and minimum supported protocol versions to TLSv1.2 only, but it still works with TLSv1.0, 1.1 and 1.3.

Can you please let me know how I can restrict the TLS versions other than TLSv1.2?

Please let me know how I can pass the cipher suites in Swift.

Can you provide a reference URL or a code snippet?

Kindly let me know if you have any queries.

Thank you in advance.

Accepted Answer

Just as a reminder, TLS protocol negotiation works as follows:

  1. In the Client Hello message, the client sends the server the maximum TLS version it supports and the list of cypher suites it supports.

  2. The server looks at those and picks its preferred TLS version and cypher suite, sending that back to the client in the Server Hello message. Alternatively, if there’s no choice that’s acceptable to the server’s security policy, the server fails the connection.

  3. The client checks the choice returned by the server against the client’s security policy. If it’s unacceptable, the client fails the connection.

On our server side we enabled only TLS 1.2 only so I need to disable other all version.

I’m confused. If your server only supports TLS 1.2, why do you care what TLS version iOS requests? As long as iOS supports TLS 1.2, it doesn’t matter what iOS tries to negotiate. Your server will always choose TLS 1.2.

Likewise for cypher suites. If the server requires that clients use a specific set of cypher suites, configure your server so that it only negotiates those cypher suites.

Server security policy has to be enforced on the server because enforcing it on the client is pointless: You can’t be guaranteed that only your client is connecting to the server.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
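The three negotiation steps above, as an added example that is not part of the thread or of any Apple code: a simplified Python model in which the client sends its maximum version and suite list, the server applies its own policy (or fails the handshake), and the client checks the reply. It is not the real TLS wire protocol (no extensions, no TLS 1.3 supported_versions handling); the version codes, the policies and the client suite lists are constructed, and the server policy mirrors the question (TLS 1.2 only, the two suites the poster listed).

```python
# Added example: a simplified model of the three-step TLS negotiation
# described in the answer. Not the real wire protocol; all policies and
# suite lists below are constructed for illustration.
from dataclasses import dataclass

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


class HandshakeFailure(Exception):
    """Raised by whichever side finds no acceptable choice (steps 2 and 3)."""


@dataclass
class ClientHello:
    max_version: int        # highest version the client supports
    cipher_suites: list     # suites the client offers, in its preference order


@dataclass
class ServerHello:
    version: int
    cipher_suite: str


@dataclass
class ServerPolicy:
    min_version: int
    max_version: int
    cipher_suites: list     # server preference order, most preferred first

    def choose(self, hello: ClientHello) -> ServerHello:
        # Step 2: highest version both sides allow; fail if below the server's floor.
        version = min(hello.max_version, self.max_version)
        if version < self.min_version:
            raise HandshakeFailure(
                f"client offers at most {NAMES[hello.max_version]}, "
                f"server requires at least {NAMES[self.min_version]}")
        # The server, not the client, decides which offered suite is used.
        for suite in self.cipher_suites:
            if suite in hello.cipher_suites:
                return ServerHello(version, suite)
        raise HandshakeFailure("no cipher suite acceptable to the server was offered")


@dataclass
class ClientPolicy:
    min_version: int
    max_version: int
    cipher_suites: list

    def hello(self) -> ClientHello:
        # Step 1: advertise the maximum version and the supported suites.
        return ClientHello(self.max_version, list(self.cipher_suites))

    def check(self, reply: ServerHello) -> ServerHello:
        # Step 3: reject a server choice that falls outside the client's own policy.
        if not self.min_version <= reply.version <= self.max_version:
            raise HandshakeFailure(f"server chose {NAMES[reply.version]}, outside client policy")
        if reply.cipher_suite not in self.cipher_suites:
            raise HandshakeFailure(f"server chose {reply.cipher_suite}, which was not offered")
        return reply


def negotiate(client: ClientPolicy, server: ServerPolicy) -> ServerHello:
    """One round trip: Client Hello -> server choice -> client check."""
    return client.check(server.choose(client.hello()))


# Constructed policies mirroring the thread: a server that enables only TLS 1.2
# with the two suites from the question, a modern client and a legacy client.
TLS12_ONLY_SERVER = ServerPolicy(TLS12, TLS12, [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
])
MODERN_CLIENT = ClientPolicy(TLS10, TLS13, [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # client's favourite, unknown to the server
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
])
LEGACY_CLIENT = ClientPolicy(TLS10, TLS11, list(MODERN_CLIENT.cipher_suites))


def run_thread_scenario() -> dict:
    """Outcome per client as a string; the server's policy decides in both cases."""
    results = {}
    for label, client in (("modern_client", MODERN_CLIENT), ("legacy_client", LEGACY_CLIENT)):
        try:
            reply = negotiate(client, TLS12_ONLY_SERVER)
            results[label] = f"{NAMES[reply.version]} / {reply.cipher_suite}"
        except HandshakeFailure as err:
            results[label] = f"handshake failed: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in run_thread_scenario().items():
        print(f"{label}: {outcome}")
```

The modern client, which offers TLS 1.3 and a GCM suite first, still ends up on TLS 1.2 with the server's preferred CBC suite, which is the answer's point: the client's offer does not override the server's policy. The legacy client that tops out at TLS 1.1 fails at step 2, and a client rejects at step 3 any suite it never offered.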

Thanks for the reply. Please let me know how to set cypher suites in NSURLSession. Can you please provide a snippet of the code?

Please let me know how to set cypher suites in NSURLSession.

NSURLSession provides no API to configure cypher suites, although you can indirectly affect the cypher suites offered by your App Transport Security (ATS) configuration. See the NSAppTransportSecurity section of the Information Property List Key Reference for details.

As before, if you care about security then you need to enforce that on the server. You should enable ATS in your client, which means the client will only use cypher suites that are generally considered secure, and thus configure your server to choose the most secure of the ones offered by the client.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
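The server-side enforcement the answer recommends, as an added example that is not from the thread: Python's ssl module stands in for whatever actually serves the API (an assumption, since the thread never names the server software). The context pins both ends of the version range to TLS 1.2, restricts the TLS 1.2 suite list to forward-secret AEAD suites under their OpenSSL names, and makes the server's preference order win, so the server "chooses the most secure of the ones offered by the client"; a policy check compares it against Python's stock server defaults.

```python
# Added example: server-side TLS policy with Python's ssl module as a
# stand-in for the real server. Cipher names are OpenSSL names for four
# ECDHE/AES-GCM suites; the policy (TLS 1.2 only, ECDHE only) is the thread's.
import ssl


def make_tls12_only_server_context() -> ssl.SSLContext:
    """Server context that negotiates only TLS 1.2 and only ECDHE AES-GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin the version range: nothing older than 1.2, and 1.3 excluded too,
    # matching the server described in the question.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 suite list to forward-secret AEAD suites.
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    # The server's preference order, not the client's, decides the suite (step 2).
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # A deployment would load its certificate chain here, for example
    # ctx.load_cert_chain("/path/to/server.pem")   # hypothetical path
    return ctx


def default_server_context() -> ssl.SSLContext:
    """Python's stock server-side defaults, for comparison."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def meets_tls12_only_policy(ctx: ssl.SSLContext) -> bool:
    """True if the version range is pinned to 1.2 and every TLS 1.2 suite is ECDHE."""
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_2:
        return False
    if ctx.maximum_version != ssl.TLSVersion.TLSv1_2:
        return False
    tls12_suites = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return bool(tls12_suites) and all(name.startswith("ECDHE-") for name in tls12_suites)


if __name__ == "__main__":
    print("hardened context meets policy:", meets_tls12_only_policy(make_tls12_only_server_context()))
    print("default context meets policy: ", meets_tls12_only_policy(default_server_context()))
```

The stock context fails the check only because its maximum version is left open, which is exactly the setting the thread's server cannot leave open if it really means "TLS 1.2 only"; the same two attributes are what to read back when auditing a deployed server's configuration.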

Eskimo, I have added the keys below in the Info.plist. These keys work fine on iOS 11.0 but are not working on iOS 9 and iOS 10. Please let me know on which iOS versions these keys work.

  1. NSIncludesSubdomains = NO
  2. NSExceptionRequiresForwardSecrecy = NO
  3. NSExceptionMinimumTLSVersion = 1.0
  4. NSExceptionAllowsInsecureHTTPLoads = YES

Thanks
Manjunatha Kaliwal

All of these keys are supported by all versions of App Transport Security (ATS), that is, iOS 9 and later. As to what’s going wrong in your case, it’s hard to say because you’ve not given any information about what you expect the keys to do.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

And consider TLS 1.3 compatibility on the server as soon as possible.
