我在iOS上使用SocketRocket或Unitt Web套接字库建立安全Web套接字(wss)连接时遇到了同样的问题。我可以控制基于Netty的Java Web套接字服务器,并且可以详细观察服务器端的SSL/TLS数据。我使用的套接字端口是6970。
在通过TLS握手正确打开客户端wss套接字之后,第一次客户端数据写入(即Web套接字握手)时服务器报错。客户端写入202个字节,服务器收到272个字节,并且消息认证码(MAC)在服务器上校验失败。我在服务器跟踪中能看到我的客户端数据,但它前面多了8个字节的垃圾数据。
首先,我尝试了SocketRocket库,服务器上的结果相同——握手之后出现坏MAC(bad MAC)。我的Android版Unitt客户端工作正常,我的JavaScript安全Web套接字代码也能正常工作。
在iOS / XCode上,我可以在Unitt / AsyncSocket / doSendBytes中调试CFWriteStreamWrite(...) - 它报告确实写入了202个客户端数据字节。但我对如何进一步调试感到茫然。在某个地方,iOS TLS框架在发送过程中破坏了我的客户端数据 - 我认为。
答案 0 :(得分:0)
通过过滤掉某些与iOS不兼容的椭圆曲线(elliptic curve)密码套件,我的iOS安全Web套接字得以与我的Java Netty服务器正常通信。这是我的代码......
/**
 * The enabled SSL cipher suites. Null until configureSSLEngine runs for the first time; that call
 * computes the list and every later call reuses it unchanged.
 */
private static String[] enabledCipherSuites;
/** The lock held by configureSSLEngine while it builds and applies the enabled SSL cipher suites. */
private static final Object ENABLED_CIPHER_SUITES_LOCK = new Object();
/**
 * The cipher suites that configureSSLEngine removes from the enabled list because the author found
 * them incompatible with iOS clients. Starts empty and is filled on the first configureSSLEngine call.
 */
private static final List<String> iOSIncompatibleCipherSuites = new ArrayList<>();
/**
 * Sets the client/server role of an SSL engine and applies the shared cipher-suite list to it.
 *
 * <p>In client mode the engine never requests client authentication. In server mode, client
 * certificate authentication is required only when {@code needClientAuth} is true.
 *
 * <p>The cipher-suite list is derived once, from the suites supported by the first engine passed
 * in, and cached in {@code enabledCipherSuites}; later engines receive that same list. Suites are
 * chosen by substring match on their names: non-anonymous "_256_" suites first, then "_128_"
 * suites not ending in "_MD5", then "_128_" suites ending in "_MD5". The suites listed in
 * {@code iOSIncompatibleCipherSuites} are then removed.
 *
 * <p>NOTE(review): name matching does not look at the cipher or MAC algorithm, so RC4 suites
 * (for example TLS_ECDHE_RSA_WITH_RC4_128_SHA, which the author reports iOS negotiating) and
 * HMAC-MD5 suites stay enabled whenever the provider reports them as supported. RFC 7465
 * prohibits RC4 cipher suites in TLS. Check the resulting list against current policy and the
 * JDK's own disabled-algorithm settings before reusing this workaround.
 *
 * <p>NOTE(review): the list order expresses a preference only; whether it is honoured during
 * negotiation depends on engine settings that are not made here - confirm.
 *
 * @param sslEngine the SSL engine to configure, must not be null
 * @param useClientMode true when the engine is the client side of the connection
 * @param needClientAuth true when a server-side engine must authenticate the client's SSL
 *     certificate; ignored in client mode
 */
public static synchronized void configureSSLEngine(
    final SSLEngine sslEngine,
    final boolean useClientMode,
    final boolean needClientAuth) {
  // Precondition (only enforced when assertions are enabled with -ea).
  assert sslEngine != null : "sslEngine must not be null";

  if (!useClientMode) {
    LOGGER.info(needClientAuth
        ? "configuring SSL engine for the server side of the connection with required client authorization"
        : "configuring SSL engine for the server side of the connection without required client authorization");
    sslEngine.setUseClientMode(false);
    sslEngine.setNeedClientAuth(needClientAuth);
  } else {
    LOGGER.info("configuring SSL engine for the client side of the connection");
    sslEngine.setUseClientMode(true);
    sslEngine.setNeedClientAuth(false);
  }

  synchronized (ENABLED_CIPHER_SUITES_LOCK) {
    if (enabledCipherSuites == null) {
      // ECDHE-RSA AES-CBC suites the author found to fail with iOS clients.
      // TLS_ECDHE_RSA_WITH_RC4_128_SHA is the negotiated cipher suite for iOS.
      final String[] rejectedForIos = {
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
      };
      for (final String rejected : rejectedForIos) {
        iOSIncompatibleCipherSuites.add(rejected);
      }

      final String[] supported = sslEngine.getSupportedCipherSuites();

      // Sort the non-anonymous suites into three tiers in a single scan. The 256-bit tier
      // needs the JCE Unlimited Strength Jurisdiction Policy Files on older JREs
      // (http://java.sun.com/javase/downloads/index.jsp). The two tests are independent, so
      // a name carrying both markers lands in both tiers, exactly as separate passes would.
      final List<String> tier256 = new ArrayList<>();
      final List<String> tier128Sha = new ArrayList<>();
      final List<String> tier128Md5 = new ArrayList<>();
      for (final String suite : supported) {
        if (suite.contains("_anon_")) {
          continue;
        }
        if (suite.contains("_256_")) {
          tier256.add(suite);
        }
        if (suite.contains("_128_")) {
          if (suite.endsWith("_MD5")) {
            tier128Md5.add(suite);
          } else {
            tier128Sha.add(suite);
          }
        }
      }

      // Concatenate the tiers in preference order, then drop the iOS-incompatible suites.
      final List<String> ordered = new ArrayList<>(supported.length);
      ordered.addAll(tier256);
      ordered.addAll(tier128Sha);
      ordered.addAll(tier128Md5);
      ordered.removeAll(iOSIncompatibleCipherSuites);

      if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("enabledCipherSuites: " + ordered);
      }

      // Cache the result so every later engine is given the identical list.
      enabledCipherSuites = ordered.toArray(new String[0]);
    }
    sslEngine.setEnabledCipherSuites(enabledCipherSuites);
  }
}