Make TLS security level an option

Default level by default.
2019-05-08 15:58:29 +02:00 · 2019-05-08 15:58:29 +02:00 · 3a136bdce9
parent 82f0431303
commit 3a136bdce9
2 changed files with 13 additions and 1 deletions
--- a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
@ -197,6 +197,9 @@ extension SessionProxy {
        /// The optional TLS wrapping.
        public var tlsWrap: SessionProxy.TLSWrap?
        
+        /// If set, overrides TLS security level (0 = lowest).
+        public var tlsSecurityLevel: Int?
+        
        /// Sends periodical keep-alive packets if set.
        public var keepAliveInterval: TimeInterval?
        
@ -273,6 +276,7 @@ extension SessionProxy {
                clientCertificate: clientCertificate,
                clientKey: clientKey,
                tlsWrap: tlsWrap,
+                tlsSecurityLevel: tlsSecurityLevel,
                keepAliveInterval: keepAliveInterval,
                renegotiatesAfter: renegotiatesAfter,
                hostname: hostname,
@ -338,6 +342,9 @@ extension SessionProxy {
        /// - Seealso: `SessionProxy.ConfigurationBuilder.tlsWrap`
        public let tlsWrap: TLSWrap?

+        /// - Seealso: `SessionProxy.ConfigurationBuilder.tlsSecurityLevel`
+        public let tlsSecurityLevel: Int?
+
        /// - Seealso: `SessionProxy.ConfigurationBuilder.keepAliveInterval`
        public let keepAliveInterval: TimeInterval?

@ -427,6 +434,7 @@ extension SessionProxy.Configuration {
        builder.clientCertificate = clientCertificate
        builder.clientKey = clientKey
        builder.tlsWrap = tlsWrap
+        builder.tlsSecurityLevel = tlsSecurityLevel
        builder.keepAliveInterval = keepAliveInterval
        builder.renegotiatesAfter = renegotiatesAfter
        builder.hostname = hostname
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@ -792,12 +792,16 @@ public class SessionProxy {

            log.debug("Start TLS handshake")

-            negotiationKey.tlsOptional = TLSBox(
+            let tls = TLSBox(
                caPath: caURL.path,
                clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
                clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
                checksEKU: configuration.checksEKU ?? false
            )
+            if let tlsSecurityLevel = configuration.tlsSecurityLevel {
+                tls.securityLevel = tlsSecurityLevel
+            }
+            negotiationKey.tlsOptional = tls
            do {
                try negotiationKey.tls.start()
            } catch let e {