vishnuvarthan

Reputation: 512

XMPPFramework - Security Options

I want to implement server side security using XMPPFramework. The server has to validate certificates from the client before establishing a connection. I found out that there are these methods which could do this:

kCFStreamSSLLevel
kCFStreamSSLAllowsExpiredCertificates
kCFStreamSSLAllowsExpiredRoots
kCFStreamSSLAllowsAnyRoot
kCFStreamSSLValidatesCertificateChain
kCFStreamSSLPeerName
kCFStreamSSLCertificates

But I don't know what they are used for. Can anyone help me with what these methods do and how to use them for server side security? The server is Openfire and the client is an iOS device.

Upvotes: 2

Views: 3047

Answers (2)

Nick Anger

Reputation: 172

Just have the diagnostics ignore it until a replacement method can be developed. Use this above the affected code.
#pragma clang diagnostic ignored "-Wdeprecated-declarations"

Upvotes: 1

Keith OYS

Reputation: 2305

Unfortunately, the following 5 security options you listed have been deprecated.

kCFStreamSSLLevel
kCFStreamSSLAllowsExpiredCertificates
kCFStreamSSLAllowsExpiredRoots
kCFStreamSSLAllowsAnyRoot
kCFStreamSSLValidatesCertificateChain

From XMPPFramework - GCDAsyncSocket:

 * ==== The following UNAVAILABLE KEYS are: (with throw an exception)
 * 
 * - kCFStreamSSLAllowsAnyRoot (UNAVAILABLE)
 *     You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
 *     Corresponding deprecated method: SSLSetAllowsAnyRoot
 * 
 * - kCFStreamSSLAllowsExpiredRoots (UNAVAILABLE)
 *     You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
 *     Corresponding deprecated method: SSLSetAllowsExpiredRoots
 *
 * - kCFStreamSSLAllowsExpiredCertificates (UNAVAILABLE)
 *     You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
 *     Corresponding deprecated method: SSLSetAllowsExpiredCerts
 *
 * - kCFStreamSSLValidatesCertificateChain (UNAVAILABLE)
 *     You MUST use manual trust evaluation instead (see GCDAsyncSocketManuallyEvaluateTrust).
 *     Corresponding deprecated method: SSLSetEnableCertVerify
 *
 * - kCFStreamSSLLevel (UNAVAILABLE)
 *     You MUST use GCDAsyncSocketSSLProtocolVersionMin & GCDAsyncSocketSSLProtocolVersionMin instead.
 *     Corresponding deprecated method: SSLSetProtocolVersionEnabled
 *
 * 
 * Please refer to Apple's documentation for corresponding SSLFunctions.

As for the other 2 options,

From Apple Documentation - Secure Transport Reference:

Call SSLSetPeerDomainName to specify the fully-qualified domain name of the peer to which you want to connect (optional but highly recommended).

Call SSLSetCertificate to specify the certificate to be used in authentication (required for server side, optional for client).


Your best bet would be to:

Use GCDAsyncSocketManuallyEvaluateTrust in xmppStream:willSecureWithSettings:

Then validate your server's certificate in xmppStream:didReceiveTrust:.

Upvotes: 2
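Putting those two steps together in an XMPPStream delegate, as an added example that is not from the question, the answers or XMPPFramework itself; `MyXMPPDelegate`, `expectedHost` and `pinnedServerCert` are assumed names, and the pinning step is an extra check beyond what the answer asks for:

```objective-c
#import <Security/Security.h>
#import "XMPPStream.h"
#import "GCDAsyncSocket.h"

// Assumed delegate: expectedHost is the server's FQDN, pinnedServerCert holds the
// DER bytes of the server certificate shipped with the app. Both are hypothetical.
@interface MyXMPPDelegate : NSObject <XMPPStreamDelegate>
@property (nonatomic, copy) NSString *expectedHost;
@property (nonatomic, copy) NSData *pinnedServerCert;
@end

@implementation MyXMPPDelegate

- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    // Step 1: the removed kCFStreamSSL* toggles are replaced by evaluating the trust ourselves.
    settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
    // Replaces kCFStreamSSLLevel: refuse anything older than TLS 1.2.
    settings[GCDAsyncSocketSSLProtocolVersionMin] = @(kTLSProtocol12);
}

- (void)xmppStream:(XMPPStream *)sender
   didReceiveTrust:(SecTrustRef)trust
 completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    // Step 2: evaluate off the stream's queue and report the verdict through the handler.
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        // Hostname check (the job kCFStreamSSLPeerName used to do): bind the chain to the FQDN.
        SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)self.expectedHost);
        SecTrustSetPolicies(trust, policy);
        CFRelease(policy);

        // Full chain validation against the system roots; expiry is enforced, nothing is waived.
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(trust, &result);
        BOOL chainOK = (status == errSecSuccess) &&
                       (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

        // Pin the leaf to the bundled certificate so a CA-issued certificate for the
        // same name is not sufficient on its own.
        BOOL pinOK = NO;
        if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
            SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
            NSData *leafDER = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
            pinOK = [leafDER isEqualToData:self.pinnedServerCert];
        }
        completionHandler(chainOK && pinOK);
    });
}

@end
```

Rotating the server certificate means shipping a new pinned copy, so pin a certificate you control the renewal of, or relax the pin to the issuing CA if that is not practical.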
