From 3a136bdce9f188499a57dc5f3215e5ad8777ee09 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Wed, 8 May 2019 15:58:29 +0200
Subject: [PATCH] Make TLS security level an option

Default level by default.
---
 TunnelKit/Sources/Core/SessionProxy+Configuration.swift | 8 ++++++++
 TunnelKit/Sources/Core/SessionProxy.swift | 6 +++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
index fdade2a..aa0e65b 100644
--- a/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
+++ b/TunnelKit/Sources/Core/SessionProxy+Configuration.swift
@@ -197,6 +197,9 @@ extension SessionProxy {
 /// The optional TLS wrapping.
 public var tlsWrap: SessionProxy.TLSWrap?
+ /// If set, overrides TLS security level (0 = lowest).
+ public var tlsSecurityLevel: Int?
+
 /// Sends periodical keep-alive packets if set.
 public var keepAliveInterval: TimeInterval?
@@ -273,6 +276,7 @@ extension SessionProxy {
 clientCertificate: clientCertificate,
 clientKey: clientKey,
 tlsWrap: tlsWrap,
+ tlsSecurityLevel: tlsSecurityLevel,
 keepAliveInterval: keepAliveInterval,
 renegotiatesAfter: renegotiatesAfter,
 hostname: hostname,
@@ -338,6 +342,9 @@ extension SessionProxy {
 /// - Seealso: `SessionProxy.ConfigurationBuilder.tlsWrap`
 public let tlsWrap: TLSWrap?
+ /// - Seealso: `SessionProxy.ConfigurationBuilder.tlsSecurityLevel`
+ public let tlsSecurityLevel: Int?
+
 /// - Seealso: `SessionProxy.ConfigurationBuilder.keepAliveInterval`
 public let keepAliveInterval: TimeInterval?
@@ -427,6 +434,7 @@ extension SessionProxy.Configuration {
 builder.clientCertificate = clientCertificate
 builder.clientKey = clientKey
 builder.tlsWrap = tlsWrap
+ builder.tlsSecurityLevel = tlsSecurityLevel
 builder.keepAliveInterval = keepAliveInterval
 builder.renegotiatesAfter = renegotiatesAfter
 builder.hostname = hostname
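Review bot: The doc comment on `tlsSecurityLevel` in the first hunk says only `0 = lowest`, which does not tell a caller that lowering the level relaxes the TLS library's key-size and algorithm checks for the whole handshake, nor what range is accepted. Since the field is a bare `Int?` and nothing in this file validates it, the comment is the only guard; I would expand it to `/// If set, overrides the TLS security level (0 = lowest). Values below the library default weaken certificate and key-strength checks; leave nil unless a legacy server requires it.` and add the same caveat under the `- Seealso:` line in the third hunk. The accepted range depends on the underlying TLS library, which this diff does not show, so I have not stated one. The remaining hunks only thread the new field through `init` and `builder()` and need nothing further.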
diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index a655291..b1be4fa 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -792,12 +792,16 @@ public class SessionProxy {
 log.debug("Start TLS handshake")
- negotiationKey.tlsOptional = TLSBox(
+ let tls = TLSBox(
 caPath: caURL.path,
 clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
 clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
 checksEKU: configuration.checksEKU ?? false
 )
+ if let tlsSecurityLevel = configuration.tlsSecurityLevel {
+ tls.securityLevel = tlsSecurityLevel
+ }
+ negotiationKey.tlsOptional = tls
 do {
 try negotiationKey.tls.start()
 } catch let e {
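Review bot: The override in the new `if let tlsSecurityLevel` block is assigned to `tls.securityLevel` with no range check and no trace in the log, so a misconfigured or deliberately lowered level is invisible at runtime even though it changes which certificates and keys the handshake will accept. Since `log.debug("Start TLS handshake")` is already emitted just above, I would record the override beside it, `log.debug("Overriding TLS security level: \(tlsSecurityLevel)")`, at a higher severity if the logger offers one, and reject negative values before the assignment since `Int?` does not exclude them. Whether `TLSBox.securityLevel` clamps the value itself cannot be seen from this hunk. The enclosing function starts and ends outside the hunk.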