Unable to make pre-shared key based wifi socket connection to server on iOS 13 Beta 7 about swift-nio-transport-services HOT 6 CLOSED

This is almost 100% not a swift-nio(-transport-services) issue. There are really two possibilities:

• Network.framework issue
• PSK (identity) incorrect

from swift-nio-transport-services.

Finally, it works when passing PSK Identity on

sec_protocol_options_set_pre_shared_key_selection_block

Working code is below:

if #available(iOS 13.0, *) {
                sec_protocol_options_set_pre_shared_key_selection_block(tlsOptions.securityProtocolOptions, { (sec, dispatchData, sec_protocol_pre_shared_key_selection_complete) in
                    sec_protocol_pre_shared_key_selection_complete(pskIdentity as __DispatchData)
                }, DispatchQueue(label: "com.psk"))
            } else {
                // Fallback on earlier versions
            }

Am closing this issue :)

Thanks, @weissi @Lukasa

from swift-nio-transport-services.

@ranmyfriend I can connect for TLS 1.2 - PSK using NIOTSConnectionBootstrap. But not able to do it for TLS 1.3 after adding ciphersuites like below:

sec_protocol_options_add_pre_shared_key(tlsOptions.securityProtocolOptions, psk as __DispatchData, identity as __DispatchData)
sec_protocol_options_add_tls_ciphersuite(tlsOptions.securityProtocolOptions, TLS_PSK_WITH_AES_128_GCM_SHA256)

     Can you elaborate on how PSK in Swift nio can be achieved for TLS 1.3. Am having trouble in connecting with TLS 1.3 through PSK. 

from swift-nio-transport-services.

@kalaivanivelusamy
Actually TLS 1.3 onwards the weak ciphers are not allowed. So apple they are restricting when it comes to security. Even though if you would have added into sec_protocol_options_add_tls_ciphersuite but not reached out to your server. you can clearly able to checkout using Wireshark Tool. So, for this we have enabled strong cipher on the server side which apple supports on TLS 1.3. Then we have added from our client side. This is the only solution we have figured out.

from swift-nio-transport-services.

@ranmyfriend thanx for the feedback. Actually server has strong cipher like CHACHA20_POLY1305_SHA256 and client is using 3 ciphersuites (.AES_128_GCM_SHA256, .AES_256_GCM_SHA384,.CHACHA20_POLY1305_SHA256)

wireshark shows client hello handshake is failed. On inspecting Client hello message, extensions like supported versions ,key share which are for 1.3 are missing in my client hello message.
sec_protocol_options_add_pre_shared_key. and sec_protocol_options_append_tls_ciphersuite are the extras am adding in client side to facilitate tls 1.3.

Am i missing any configuration in tlsoptions of this NIOTSConnectionBootstrap to support 1.3?

NIOTSConnectionBootstrap(group: group)
                     .channelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
                     .tlsOptions(tlsOptions)
                     .connectTimeout(TimeAmount.seconds(10))
                     .channelInitializer { channel in
                            channel.pipeline.addHandler(self.handler)

from swift-nio-transport-services.

@kalaivanivelusamy
We have used RSA_WITH_AES_256_GCM_SHA384 cipher. and dont know about this .CHACHA20_POLY1305_SHA256. Check your Wireshark packet whether in the client hello call shows your cipher or not. and check with your server team as well.

from swift-nio-transport-services.