From e8e03feed8f6603f0f95723b85bd2d8c5ae2e21e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Thu, 6 Mar 2025 10:32:29 +0100
Subject: [PATCH 1/2] Support using TLS 1.3

kCFStreamSocketSecurityLevelNegotiatedSSL is the only public non-deprecated constant which should negotiate connections with TLS >= 1.2.
---
 SocketRocket/SRSecurityPolicy.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SocketRocket/SRSecurityPolicy.m b/SocketRocket/SRSecurityPolicy.m
index 3759d26e4..bd0883028 100644
--- a/SocketRocket/SRSecurityPolicy.m
+++ b/SocketRocket/SRSecurityPolicy.m
@@ -57,7 +57,7 @@ - (instancetype)init
 - (void)updateSecurityOptionsInStream:(NSStream *)stream
 {
 // Enforce TLS 1.2
- [stream setProperty:(__bridge id)CFSTR("kCFStreamSocketSecurityLevelTLSv1_2") forKey:(__bridge id)kCFStreamPropertySocketSecurityLevel];
+ [stream setProperty:(__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL forKey:(__bridge id)kCFStreamPropertySocketSecurityLevel];

 // Validate certificate chain for this stream if enabled.
 NSDictionary *sslOptions = @{ (__bridge NSString *)kCFStreamSSLValidatesCertificateChain : @(self.certificateChainValidationEnabled) };

From c0454ae526c353fb97aaabadbd86eff72be23735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Thu, 6 Mar 2025 10:34:02 +0100
Subject: [PATCH 2/2] fixup: update comment

---
 SocketRocket/SRSecurityPolicy.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SocketRocket/SRSecurityPolicy.m b/SocketRocket/SRSecurityPolicy.m
index bd0883028..271477e8f 100644
--- a/SocketRocket/SRSecurityPolicy.m
+++ b/SocketRocket/SRSecurityPolicy.m
@@ -56,7 +56,7 @@ - (instancetype)init

 - (void)updateSecurityOptionsInStream:(NSStream *)stream
 {
- // Enforce TLS 1.2
+ // Enforce TLS >= 1.2
 [stream setProperty:(__bridge id)kCFStreamSocketSecurityLevelNegotiatedSSL forKey:(__bridge id)kCFStreamPropertySocketSecurityLevel];

 // Validate certificate chain for this stream if enabled.
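Review bot: The new comment `// Enforce TLS >= 1.2` claims a floor that the `setProperty:` line below it does not itself set. `kCFStreamSocketSecurityLevelNegotiatedSSL` asks for the highest protocol version both peers support, so the lowest version that can be accepted is left to the platform's defaults, whereas the string constant replaced in patch 1/2 named TLS 1.2 explicitly. I would word the comment as what the code does, e.g. `// Negotiate the highest TLS version both peers support; the minimum is the OS default and is not pinned here.` If a TLS 1.2 minimum is a requirement of this policy, it needs its own check, presumably a test against a server limited to older TLS versions on the oldest supported OS, since nothing visible in this hunk rejects a lower version. The method body continues past the end of the hunk.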