Secure Transport Reference
This document describes the public API for an implementation of the protocols Secure Sockets Layer version 3.0 and Transport Layer Security version 1.0.
There are no transport layer dependencies in this library; it can be used with BSD Sockets and Open Transport, among other protocols. To use this library, you must provide callback functions to perform the actual I/O on underlying network connections. You are also responsible for setting up raw network connections; you pass in an opaque reference to the underlying (connected) entity at the start of an SSL session in the form of an SSLConnectionRef object.
The following terms are used in this document:
A client is the initiator of an SSL session. The canonical example of a client is a web browser communicating with an HTTPS URL.
A server is an entity that accepts requests for SSL sessions made by clients. An example is a secure web server.
An SSL session is bounded by calls to the functions
SSLHandshakeandSSLClose. An active session is in some state between these two calls, inclusive.An SSL session context, or
SSLContextRef, is an opaque reference to the state associated with one session. A session context cannot be reused for multiple sessions.
Most applications need only a few of the functions in this API, which are normally called in the following sequence:
Preparing for a session
Call
SSLNewContext(in OS X) orSSLCreateContext(in iOS and OS X) to create a new SSL session context.Write the
SSLWriteandSSLReadI/O functions and callSSLSetIOFuncsto pass them to Secure Transport.Establish a connection using CFNetwork, BSD Sockets, or Open Transport. Then call
SSLSetConnectionto specify the connection to which the SSL session context applies.Call
SSLSetPeerDomainNameto specify the fully-qualified domain name of the peer to which you want to connect (optional but highly recommended).Call
SSLSetCertificateto specify the certificate to be used in authentication (required for server side, optional for client).
Starting a session
Call
SSLHandshaketo perform the SSL handshake and establish a secure session.
Maintaining the session
Ending a session
Call
SSLCloseto close the secure session.Close the connection and dispose of the connection reference (
SSLConnectionRef).If you created the context by calling
SSLNewContext, callSSLDisposeContextto dispose of the SSL session context.If you created the context by calling
SSLCreateContext, release the SSL session context by callingCFRelease.If you have called
SSLGetPeerCertificatesto obtain any certificates, callCFReleaseto release the certificate reference objects.
In many cases, it is easier to use the CFNetwork API than Secure Transport to implement a simple connection to a secure (HTTPS) URL. See CFNetwork Programming Guide for documentation of the CFNetwork API and the CFNetworkHTTPDownload sample code for an example of code that downloads data from a URL. If you specify an HTTPS URL, this routine automatically uses Secure Transport to encrypt the data stream.
For functions to manage and evaluate certificates, see Certificate, Key, and Trust Services Reference and Certificate, Key, and Trust Services Programming Guide.
-
SSLNewContext(OS X v10.9)Creates a new SSL session context.
Declaration
Objective-C
OSStatus SSLNewContext ( Boolean isServer, SSLContextRef _Nullable *contextPtr );Parameters
isServerSet
trueif the calling process is a server.contextPtrOn return, points to a new SSL session context reference.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
The SSL session context is an opaque data structure that identifies a session and stores session information. You must pass this object to every other function in the Secure Transport API.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLDisposeContext(OS X v10.9)Disposes of an SSL session context.
Declaration
Objective-C
OSStatus SSLDisposeContext ( SSLContextRef context );Parameters
contextA reference to the SSL session context to dispose.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
When you are completely finished with a secure session, you should dispose of the SSL session context in order to release the memory associated with the session.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
Specifies an I/O connection for a specific session.
Declaration
Swift
func SSLSetConnection(_context: SSLContext, _connection: SSLConnectionRef) -> OSStatusObjective-C
OSStatus SSLSetConnection ( SSLContextRef context, SSLConnectionRef connection );Parameters
contextAn SSL session context reference.
connectionAn SSL session connection reference. The connection data is opaque to Secure Transport; you can set it to any value that your application can use to uniquely identify the connection in the callback functions
SSLReadFuncandSSLWriteFunc.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You must establish a connection before creating a secure session. After calling the
SSLNewContextfunction to create an SSL session context, you call theSSLSetConnectionfunction to specify the connection to which the context applies. You specify a value in theconnectionparameter that your callback routines can use to identify the connection. This value might be a pointer to a socket (if you are using the Sockets API) or an endpoint (if you are using Open Transport). For example, you might create a socket, start a connection on it, create a context reference, cast the socket to anSSLConnectionRef, and then pass both the context reference and connection reference to theSSLSetConnectionfunction.Note that the Sockets API is the preferred networking interface for new development.
On the client side, it’s assumed that communication has been established with the desired server on this connection. On the server side, it’s assumed that a connection has been established in response to an incoming client request .
This function must be called prior to the
SSLHandshakefunction; consequently, this function can be called only when no session is active.Availability
Available in OS X v10.2 and later.
-
Retrieves an I/O connection—such as a socket or endpoint—for a specific session.
Declaration
Swift
func SSLGetConnection(_context: SSLContext, _connection: UnsafeMutablePointer<SSLConnectionRef>) -> OSStatusObjective-C
OSStatus SSLGetConnection ( SSLContextRef context, SSLConnectionRef _Nullable *connection );Parameters
contextAn SSL session context reference.
connectionOn return, a pointer to a session connection reference. If no connection has been set using the
SSLSetConnectionfunction, then this parameter isNULLon return.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use this function on either the client or server to retrieve the connection associated with a secure session.
Availability
Available in OS X v10.2 and later.
-
Specifies an option for a specific session.
Declaration
Swift
func SSLSetSessionOption(_context: SSLContext, _option: SSLSessionOption, _value: Bool) -> OSStatusObjective-C
OSStatus SSLSetSessionOption ( SSLContextRef context, SSLSessionOption option, Boolean value );Parameters
contextAn SSL session context reference.
optionAn SSL session option. Possible values are listed in SSL Session Options.
valueSet to
trueto enable the option, orfalseto disable it.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function must be called prior to the
SSLHandshakefunction; consequently, this function can be called only when no session is active.Availability
Available in OS X v10.6 and later.
See Also
-
Indicates the current setting of an SSL session option.
Declaration
Swift
func SSLGetSessionOption(_context: SSLContext, _option: SSLSessionOption, _value: UnsafeMutablePointer<DarwinBoolean>) -> OSStatusObjective-C
OSStatus SSLGetSessionOption ( SSLContextRef context, SSLSessionOption option, Boolean *value );Parameters
contextAn SSL session context reference.
optionAn SSL session option. Possible values are listed in SSL Session Options.
valueOn return,
trueif the option is enabled, orfalseotherwise.Return Value
A result code. See Secure Transport Result Codes.
Availability
Available in OS X v10.6 and later.
See Also
-
Specifies callback functions that perform the network I/O operations.
Declaration
Swift
func SSLSetIOFuncs(_context: SSLContext, _readFunc: SSLReadFunc, _writeFunc: SSLWriteFunc) -> OSStatusObjective-C
OSStatus SSLSetIOFuncs ( SSLContextRef context, SSLReadFunc readFunc, SSLWriteFunc writeFunc );Parameters
contextAn SSL session context reference.
readA pointer to your read callback function. See
SSLReadFuncfor information on defining this function.writeA pointer to your write callback function. See
SSLWriteFuncfor information on defining this function.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Secure Transport calls your read and write callback functions to perform network I/O. You must define these functions before calling
SSLSetIOFuncs.You must call
SSLSetIOFuncsprior to calling theSSLHandshakefunction.SSLSetIOFuncscannot be called while a session is active.Availability
Available in OS X v10.2 and later.
-
SSLSetProtocolVersionEnabled(OS X v10.9)Sets the allowed SSL protocol versions.
Declaration
Objective-C
OSStatus SSLSetProtocolVersionEnabled ( SSLContextRef context, SSLProtocol protocol, Boolean enable );Parameters
contextAn SSL session context reference.
protocolThe SSL protocol version to enable. Pass
kSSLProtocolAllto enable all protocols.enableA Boolean value indicating whether to enable or disable the specified protocol. Specify
trueto enable the protocol.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Calling this function is optional. The default is that all supported protocols are enabled. When you call this function, only the specified protocol is affected. Therefore, if you call it once to disable SSL version 2 (for example), the other protocols all remain enabled. You may call this function as many times as you wish to enable and disable specific protocols. You can specify one of the following values for the
protocolparameter:kSSLProtocol2kSSLProtocol3kTLSProtocol1kSSLProtocolAll
This function cannot be called when a session is active.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetProtocolVersionEnabled(OS X v10.9)Retrieves the enabled status of a given protocol.
Declaration
Objective-C
OSStatus SSLGetProtocolVersionEnabled ( SSLContextRef context, SSLProtocol protocol, Boolean *enable );Parameters
contextAn SSL session context reference.
protocolA value of type
SSLProtocolrepresenting an SSL protocol version.enableOn return, points to a Boolean value indicating whether the specified protocol version is enabled. If this value is
true, the protocol is enabled.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can specify any one of the following values for the
protocolparameter:kSSLProtocol2kSSLProtocol3kTLSProtocol1kSSLProtocolAllSpecify this value to determine whether all protocols are enabled.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
Specifies the requirements for client-side authentication.
Declaration
Swift
func SSLSetClientSideAuthenticate(_context: SSLContext, _auth: SSLAuthenticate) -> OSStatusObjective-C
OSStatus SSLSetClientSideAuthenticate ( SSLContextRef context, SSLAuthenticate auth );Parameters
contextAn SSL session context reference.
authA flag setting the requirements for client-side authentication. See SSL Authentication Constants for possible values.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function can be called only by servers. Use of this function is optional. The default authentication requirement is
kNeverAuthenticate. This function may be called only when no session is active.Availability
Available in OS X v10.2 and later.
-
SSLSetRsaBlinding(OS X v10.9)Enables or disables RSA blinding.
Declaration
Objective-C
OSStatus SSLSetRsaBlinding ( SSLContextRef context, Boolean blinding );Parameters
contextAn SSL session context reference.
blindingA Boolean value indicating whether to enable RSA blinding. Pass
trueto enable RSA blinding.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function is used only on the server side of a connection.
This feature thwarts a known attack to which RSA keys are vulnerable: It is possible to guess the RSA key by timing how long it takes the server to calculate the response to certain queries. RSA blinding adds a random calculation to each query response, thus making the attack impossible. Enabling RSA blinding is a trade-off between performance and security.
RSA blinding is enabled by default. Use the
SSLGetRsaBlindingfunction to determine the current setting.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetRsaBlinding(OS X v10.9)Obtains a value indicating whether RSA blinding is enabled.
Declaration
Objective-C
OSStatus SSLGetRsaBlinding ( SSLContextRef context, Boolean *blinding );Parameters
contextAn SSL session context reference.
blindingOn return, a pointer to a Boolean value indicating whether RSA blinding is enabled.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function is used only on the server side of a connection.
Call the
SSLSetRsaBlindingfunction to enable or disable RSA blinding.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
Performs the SSL handshake.
Declaration
Swift
func SSLHandshake(_context: SSLContext) -> OSStatusObjective-C
OSStatus SSLHandshake ( SSLContextRef context );Parameters
contextAn SSL session context reference.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
On successful return, the session is ready for normal secure communication using the functions
SSLReadandSSLWrite.If it finds any problems with the peer’s certificate chain, Secure Transport aborts the handshake. You can use the
SSLCopyPeerCertificatesfunction to see the peer’s certificate chain. This function can return a wide variety of result codes, including the following:errSSLUnknownRootCert—The peer has a valid certificate chain, but the root of the chain is not a known anchor certificate.errSSLNoRootCert—The peer’s certificate chain was not verifiable to a root certificate.errSSLCertExpired—The peer’s certificate chain has one or more expired certificates.errSSLXCertChainInvalid—The peer has an invalid certificate chain; for example, signature verification within the chain failed, or no certificates were found.errSSLClientCertRequested—The server has requested a client certificate. This result is returned only if you called theSSLSetSessionOptionfunction to set thekSSLSessionOptionBreakOnCertRequestedoption. After receiving this result, you must call theSSLSetCertificatefunction to return the client certificate, and then callSSLHandshakeagain to resume the handshake. Use theSSLCopyDistinguishedNamesfunction to obtain a list of certificates acceptable to the server.errSSLServerAuthCompleted—The server authentication portion of the handshake is complete. This result is returned only if you called theSSLSetSessionOptionfunction to set thekSSLSessionOptionBreakOnServerAuthoption, and provides an opportunity to perform application-specific server verification before callingSSLHandshakeagain to continue.Note that in OS X prior to version 10.8, you must also explicitly call
SSLSetEnableCertVerifyto disable verification.
A return value of
errSSLWouldBlockindicates that theSSLHandshakefunction must be called again until a different result code is returned.Availability
Available in OS X v10.2 and later.
-
Retrieves the state of an SSL session.
Declaration
Swift
func SSLGetSessionState(_context: SSLContext, _state: UnsafeMutablePointer<SSLSessionState>) -> OSStatusObjective-C
OSStatus SSLGetSessionState ( SSLContextRef context, SSLSessionState *state );Parameters
contextAn SSL session context reference.
stateOn return, points to a constant that indicates the state of the SSL session. See SSL Session State Constants for possible values.
Return Value
A result code. See Secure Transport Result Codes.
Availability
Available in OS X v10.2 and later.
-
Obtains the negotiated protocol version of the active session.
Declaration
Swift
func SSLGetNegotiatedProtocolVersion(_context: SSLContext, _protocol: UnsafeMutablePointer<SSLProtocol>) -> OSStatusObjective-C
OSStatus SSLGetNegotiatedProtocolVersion ( SSLContextRef context, SSLProtocol *protocol );Parameters
contextAn SSL session context reference.
protocolOn return, points to the negotiated protocol version of the active session.
Return Value
A result code. See Secure Transport Result Codes. This function returns
kSSLProtocolUnknownif no SSL session is in progress.Discussion
This function retrieves the version of SSL or TLS protocol negotiated for the session. Note that the negotiated protocol may not be the same as your preferred protocol, depending on which protocol versions you enabled with the
SSLSetProtocolVersionEnabledfunction. This function can return any of the following values:kSSLProtocol2kSSLProtocol3kTLSProtocol1kSSLProtocolUnknown
Availability
Available in OS X v10.2 and later.
-
Specifies data that is sufficient to uniquely identify the peer of the current session.
Declaration
Swift
func SSLSetPeerID(_context: SSLContext, _peerID: UnsafePointer<Void>, _peerIDLen: Int) -> OSStatusObjective-C
OSStatus SSLSetPeerID ( SSLContextRef context, const void *peerID, size_t peerIDLen );Parameters
contextAn SSL session context reference.
peerIDA pointer to a buffer containing the peer ID data to set.
peerIDLenThe length of the peer ID data buffer.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
Secure Transport uses the peer ID to match the peer of an SSL session with the peer of a previous session in order to resume an interrupted session. If the peer IDs match, Secure Transport attempts to resume the session with the same parameters as used in the previous session with the same peer.
The data you provide to this function is treated as an opaque blob by Secure Transport but is compared byte for byte with previous peer ID data values set by the current application. An example of peer ID data is an IP address and port, stored in some caller-private manner. Calling this function is optional but is required if you want the session to be resumable. If you do call this function, you must call it prior to the handshake for the current session.
You can use the
SSLGetPeerIDfunction to retrieve the peer ID data for the current session.Availability
Available in OS X v10.2 and later.
-
Retrieves the current peer ID data.
Declaration
Swift
func SSLGetPeerID(_context: SSLContext, _peerID: UnsafeMutablePointer<UnsafePointer<Void>>, _peerIDLen: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetPeerID ( SSLContextRef context, const void * _Nullable *peerID, size_t *peerIDLen );Parameters
contextAn SSL session context reference.
peerIDOn return, points to a buffer containing the peer ID data.
peerIDLenOn return, the length of the peer ID data buffer.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
If the peer ID data for this context was not set by calling the
SSLSetPeerIDfunction, this function returns aNULLpointer in thepeerIDparameter, and0in thepeerIDLenparameter.Availability
Available in OS X v10.2 and later.
-
Determines how much data is available to be read.
Declaration
Swift
func SSLGetBufferedReadSize(_context: SSLContext, _bufSize: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetBufferedReadSize ( SSLContextRef context, size_t *bufSize );Parameters
contextAn SSL session context reference.
bufSizeOn return, the size of the data to be read.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function determines how much data you can be guaranteed to obtain in a call to the
SSLReadfunction. This function does not block or cause any low-level read operations to occur.Availability
Available in OS X v10.2 and later.
-
Performs a normal application-level read operation.
Declaration
Swift
func SSLRead(_context: SSLContext, _data: UnsafeMutablePointer<Void>, _dataLength: Int, _processed: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLRead ( SSLContextRef context, void *data, size_t dataLength, size_t *processed );Parameters
contextAn SSL session context reference.
dataOn return, points to the data read. You must allocate this buffer before calling the function. The size of this buffer must be equal to or greater than the value in the
dataLengthparameter.dataLengthThe amount of data you would like to read.
processedOn return, points to the number of bytes actually read.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
The
SSLReadfunction might call theSSLReadFuncfunction that you provide (seeSSLSetIOFuncs. Because you may configure the underlying connection to operate in a nonblocking manner, a read operation might returnerrSSLWouldBlock, indicating that less data than requested was actually transferred. In this case, you should repeat the call toSSLReaduntil some other result is returned.Availability
Available in OS X v10.2 and later.
-
Performs a normal application-level write operation.
Declaration
Swift
func SSLWrite(_context: SSLContext, _data: UnsafePointer<Void>, _dataLength: Int, _processed: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLWrite ( SSLContextRef context, const void *data, size_t dataLength, size_t *processed );Parameters
contextAn SSL session context reference.
dataA pointer to the buffer of data to write.
dataLengthThe amount, in bytes, of data to write.
processedOn return, the length, in bytes, of the data actually written.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
The
SSLWritefunction might call theSSLWriteFuncfunction that you provide (seeSSLSetIOFuncs). Because you may configure the underlying connection to operate in a no-blocking manner, a write operation might returnerrSSLWouldBlock, indicating that less data than requested was actually transferred. In this case, you should repeat the call toSSLWriteuntil some other result is returned.Availability
Available in OS X v10.2 and later.
-
Terminates the current SSL session.
Declaration
Swift
func SSLClose(_context: SSLContext) -> OSStatusObjective-C
OSStatus SSLClose ( SSLContextRef context );Parameters
contextThe SSL session context reference of the session you want to terminate.
Return Value
A result code. See Secure Transport Result Codes.
Availability
Available in OS X v10.2 and later.
-
Determines the number of cipher suites supported.
Declaration
Swift
func SSLGetNumberSupportedCiphers(_context: SSLContext, _numCiphers: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetNumberSupportedCiphers ( SSLContextRef context, size_t *numCiphers );Parameters
contextAn SSL session context reference.
numCiphersOn return, points to the number of supported cipher suites.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
You use the number of enabled cipher suites returned by this function when you call the
SSLGetNumberSupportedCiphersfunction to retrieve the list of currently enabled cipher suites.Availability
Available in OS X v10.2 and later.
-
Determines the values of the supported cipher suites.
Declaration
Swift
func SSLGetSupportedCiphers(_context: SSLContext, _ciphers: UnsafeMutablePointer<SSLCipherSuite>, _numCiphers: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetSupportedCiphers ( SSLContextRef context, SSLCipherSuite *ciphers, size_t *numCiphers );Parameters
contextAn SSL session context reference.
ciphersOn return, points to the values of the supported cipher suites. Before calling, you must allocate this buffer using the number of supported cipher suites retrieved from a call to the
SSLGetNumberSupportedCiphersfunction.numCiphersPoints to the number of supported cipher suites that you want returned. Before calling, retrieve this value by calling the
SSLGetNumberSupportedCiphersfunction.Return Value
A result code. See Secure Transport Result Codes. If the supplied buffer is too small,
errSSLBufferOverflowis returned.Discussion
All the supported cipher suites are enabled by default. Use the
SSLSetEnabledCiphersfunction to enable a subset of the supported cipher suites. Use theSSLGetEnabledCiphersfunction to determine which cipher suites are currently enabled.Availability
Available in OS X v10.2 and later.
-
Specifies a restricted set of SSL cipher suites to be enabled by the current SSL session context.
Declaration
Swift
func SSLSetEnabledCiphers(_context: SSLContext, _ciphers: UnsafePointer<SSLCipherSuite>, _numCiphers: Int) -> OSStatusObjective-C
OSStatus SSLSetEnabledCiphers ( SSLContextRef context, const SSLCipherSuite *ciphers, size_t numCiphers );Parameters
contextAn SSL session context reference.
ciphersA pointer to the cipher suites to enable.
numCiphersThe number of cipher suites to enable.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can call this function, for example, to limit cipher suites to those that use exportable key sizes or to those supported by a particular protocol version.
This function can be called only when no session is active. The default set of enabled cipher suites is the complete set of supported cipher suites obtained by calling the
SSLGetSupportedCiphersfunction.Call the
SSLGetEnabledCiphersfunction to determine which SSL cipher suites are currently enabled.Availability
Available in OS X v10.2 and later.
-
Determines the number of cipher suites currently enabled.
Declaration
Swift
func SSLGetNumberEnabledCiphers(_context: SSLContext, _numCiphers: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetNumberEnabledCiphers ( SSLContextRef context, size_t *numCiphers );Parameters
contextAn SSL session context reference.
numCiphersOn return, points to the number of enabled cipher suites.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
You use the number of enabled cipher suites returned by this function when you call the
SSLGetEnabledCiphersfunction to retrieve the list of currently enabled cipher suites.Availability
Available in OS X v10.2 and later.
-
Determines which SSL cipher suites are currently enabled.
Declaration
Swift
func SSLGetEnabledCiphers(_context: SSLContext, _ciphers: UnsafeMutablePointer<SSLCipherSuite>, _numCiphers: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetEnabledCiphers ( SSLContextRef context, SSLCipherSuite *ciphers, size_t *numCiphers );Parameters
contextAn SSL session context reference.
ciphersOn return, points to the enabled cipher suites. Before calling, you must allocate this buffer using the number of enabled cipher suites retrieved from a call to the
SSLGetNumberEnabledCiphersfunction.numCiphersPointer to the number of enabled cipher suites. Before calling, retrieve this value by calling the
SSLGetNumberEnabledCiphersfunction.Return Value
A result code. See Secure Transport Result Codes. If the supplied buffer is too small,
errSSLBufferOverflowis returned.Discussion
Call the
SSLSetEnabledCiphersfunction to specify which SSL cipher suites are enabled.Availability
Available in OS X v10.2 and later.
-
Retrieves the cipher suite negotiated for this session.
Declaration
Swift
func SSLGetNegotiatedCipher(_context: SSLContext, _cipherSuite: UnsafeMutablePointer<SSLCipherSuite>) -> OSStatusObjective-C
OSStatus SSLGetNegotiatedCipher ( SSLContextRef context, SSLCipherSuite *cipherSuite );Parameters
contextAn SSL session context reference.
cipherSuiteOn return, points to the cipher suite that was negotiated for this session.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
You should call this function only when a session is active.
Availability
Available in OS X v10.2 and later.
-
Specifies Diffie-Hellman parameters.
Declaration
Swift
func SSLSetDiffieHellmanParams(_context: SSLContext, _dhParams: UnsafePointer<Void>, _dhParamsLen: Int) -> OSStatusObjective-C
OSStatus SSLSetDiffieHellmanParams ( SSLContextRef context, const void *dhParams, size_t dhParamsLen );Parameters
contextAn SSL session context reference.
dhParamsA pointer to a buffer containing the Diffie-Hellman parameters in Open SSL DER format.
dhParamsLenA value representing the size of the buffer pointed to by the
dhParamsparameter.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use this function to specify a set of Diffie-Hellman parameters to be used by Secure Transport for a specific session. Use of this function is optional. If Diffie-Hellman ciphers are allowed, the server and client negotiate a Diffie-Hellman cipher, and this function has not been called, then Secure Transport calculates a set of process wide parameters. However, that process can take as long as 30 seconds. Diffie-Hellman ciphers are enabled by default; see
SSLSetEnabledCiphers.In SSL/TLS, Diffie-Hellman parameters are always specified by the server. Therefore, this function can be called only by the server side of the connection.
You can use the
SSLGetDiffieHellmanParamsfunction to retrieve Diffie-Hellman parameters specified in an earlier call toSSLSetDiffieHellmanParams.Availability
Available in OS X v10.2 and later.
-
Retrieves the Diffie-Hellman parameters specified earlier.
Declaration
Swift
func SSLGetDiffieHellmanParams(_context: SSLContext, _dhParams: UnsafeMutablePointer<UnsafePointer<Void>>, _dhParamsLen: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetDiffieHellmanParams ( SSLContextRef context, const void * _Nullable *dhParams, size_t *dhParamsLen );Parameters
contextAn SSL session context reference.
dhParamsOn return, points to a buffer containing the Diffie-Hellman parameter block in Open SSL DER format.The returned data is not copied and belongs to the SSL session context reference; therefore, you cannot modify the data and it is released automatically when you dispose of the context.
dhParamsLenOn return, points to the length of the buffer pointed to by the
dhParamsparameter.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function returns the parameter block specified in an earlier call to the function
SSLSetDiffieHellmanParams. IfSSLSetDiffieHellmanParamswas never called, thedhParamsparameter returnsNULLand thedhParamsLenparameter returns0.Availability
Available in OS X v10.2 and later.
-
SSLSetAllowsAnyRoot(OS X v10.9)Specifies whether root certificates from unrecognized certification authorities are allowed.
Declaration
Objective-C
OSStatus SSLSetAllowsAnyRoot ( SSLContextRef context, Boolean anyRoot );Parameters
contextAn SSL session context reference.
anyRootA Boolean flag specifying whether root certificates from unrecognized certification authorities (CAs) are allowed. The default for this flag is
false, specifying that roots from unrecognized CAs are not allowed.Return Value
A result code. See Secure Transport Result Codes.
Discussion
The system maintains a set of root certificates signed by known, trusted root CAs. When the
anyRootflag istrue, Secure Transport does not return an error if one of the following two conditions occurs:The peer returns a certificate chain with a root certificate, and the chain verifies to that root, but the CA for the root certificate is not one of the known, trusted root CAs. This results in an
errSSLUnknownRootCertresult code when theanyRootflag isfalse.The peer returns a certificate chain that does not contain a root certificate, and the server can’t verify the chain to one of the trusted root certificates. This results in an
errSSLNoRootCertresult code when theanyRootflag isfalse.
Both of these error conditions are ignored when the
anyRootflag istrue, allowing connection to a peer for which trust could not be established.If you use this function to allow an untrusted root to be used for validation of a certificate—for example, after prompting the user for permission to do so—remember to set the
anyRootBoolean value back tofalse. If you don’t, any random root certificate can be used for signing a certificate chain. To add a certificate to the list of trusted roots, use theSecTrustSetAnchorCertificatesfunction.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetAllowsAnyRoot(OS X v10.9)Obtains a value specifying whether an unknown root is allowed.
Declaration
Objective-C
OSStatus SSLGetAllowsAnyRoot ( SSLContextRef context, Boolean *anyRoot );Parameters
contextAn SSL session context reference.
anyRootOn return, a Boolean indicating the current setting of the
anyRootflag.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Use the
SSLSetAllowsAnyRootfunction to set the value of theanyRootflag. The effect and meaning of this flag is described in the discussion of theSSLSetAllowsAnyRootfunction.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLSetAllowsExpiredRoots(OS X v10.9)Specifies whether expired root certificates are allowed.
Declaration
Objective-C
OSStatus SSLSetAllowsExpiredRoots ( SSLContextRef context, Boolean allowsExpired );Parameters
contextAn SSL session context reference.
allowsExpiredA Boolean value indicating whether to allow expired root certificates. Pass
trueto allow expired roots.Return Value
A result code. See Secure Transport Result Codes.
Discussion
The default value for the
allowsExpiredflag isfalse. When this flag isfalse, Secure Transport returns anerrSSLCertExpiredresult code during handshake if the root certificate is expired.You can use the
SSLGetAllowsExpiredRootsfunction to determine the current setting of theallowsExpiredflag.Use the
SSLSetAllowsExpiredCertsfunction to set a value that determines whether expired non-root certificates are allowed.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetAllowsExpiredRoots(OS X v10.9)Retrieves the value indicating whether expired roots are allowed.
Declaration
Objective-C
OSStatus SSLGetAllowsExpiredRoots ( SSLContextRef context, Boolean *allowsExpired );Parameters
contextAn SSL session context reference.
allowsExpiredOn return, points to a Boolean value indicating whether expired roots are allowed. If this value is
true, no errors are returned if the certificate chain ends in an expired root.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Use the
SSLSetAllowsExpiredRootsfunction to change the setting of theallowsExpiredflag.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLSetTrustedRoots(OS X v10.9)Augments or replaces the default set of trusted root certificates for this session.
Declaration
Objective-C
OSStatus SSLSetTrustedRoots ( SSLContextRef context, CFArrayRef trustedRoots, Boolean replaceExisting );Parameters
contextAn SSL session context reference.
trustedRootsA reference to an array of trusted root certificates of type
SecCertificateRef.replaceExistingA Boolean value indicating whether to replace or append the current trusted root certificate set. If this value is
true, the specified root certificates become the only roots that are trusted during this session. If this value isfalse, the specified root certificates are added to the current set of trusted root certificates.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Each successive call to this function with the
replaceExistingparameter set tofalseresults in accumulation of additional root certificates. To see the current set of trusted root certificates, call theSSLCopyTrustedRootsfunction.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetTrustedRootsAvailable in OS X v10.2 through OS X v10.7Retrieves the current list of trusted root certificates.
Deprecation Statement
Use
SSLCopyTrustedRootsinstead.Declaration
Objective-C
OSStatus SSLGetTrustedRoots ( SSLContextRef context, CFArrayRef *trustedRoots );Parameters
contextAn SSL session context reference.
trustedRootsOn return, a pointer to a value of type
CFArrayRef. This array contains values of typeSecCertificateRefrepresenting the current set of trusted roots. You must call theCFReleasefunction for this array and for eachSecCertificateRefvalue in the array when you are finished with them.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use the
SSLSetTrustedRootsfunction to replace or add to the set of trusted root certificates. IfSSLSetTrustedRootshas never been called for this session, theSSLGetTrustedRootsfunction returns the system’s default set of trusted root certificates.Special Considerations
Because this function requires separately releasing each certificate reference returned, it has been deprecated in favor of
SSLCopyTrustedRoots, which conforms to standard Core Foundation semantics.Availability
Available in OS X v10.2 through OS X v10.7.
Deprecated in OS X v10.5.
-
SSLCopyTrustedRoots(OS X v10.9)Retrieves the current list of trusted root certificates.
Declaration
Objective-C
OSStatus SSLCopyTrustedRoots ( SSLContextRef context, CFArrayRef _Nullable *trustedRoots );Parameters
contextAn SSL session context reference.
trustedRootsOn return, a pointer to a value of type
CFArrayRef. This array contains values of typeSecCertificateRefrepresenting the current set of trusted roots. You must call theCFReleasefunction to release this array when you are finished with it.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use the
SSLSetTrustedRootsfunction to replace or add to the set of trusted root certificates. IfSSLSetTrustedRootshas never been called for this session, theSSLCopyTrustedRootsfunction returns the system’s default set of trusted root certificates.Availability
Available in OS X v10.5 and later.
Deprecated in OS X v10.9.
-
Adds one or more certificates to a server's list of certification authorities (CAs) acceptable for client authentication.
Declaration
Swift
func SSLSetCertificateAuthorities(_context: SSLContext, _certificateOrArray: AnyObject, _replaceExisting: Bool) -> OSStatusObjective-C
OSStatus SSLSetCertificateAuthorities ( SSLContextRef context, CFTypeRef certificateOrArray, Boolean replaceExisting );Parameters
contextAn SSL session context reference.
certificateOrArrayA value of type
SecCertificateRef, or a value of typeCFArraycontaining an array ofSecCertificateRefvalues, representing one or more certificates to be added to the server’s list of acceptable certification authorities (CAs).replaceExistingA Boolean value specifying whether to replace or append the current set of certification authorities. If this value is
true, the specified certificates replace the existing list of acceptable CAs, if any. Iffalse, the specified certificates are appended to the existing list of.Return Value
A result code. See Secure Transport Result Codes. Returns
paramErrif this function is called for a session that is configured as a client, or when a session is active.Discussion
Each successive call to this function with the
replaceExistingparameter set tofalseresults in accumulation of additional certification authorities. To see the current set of certification authorities, call theSSLCopyCertificateAuthoritiesfunction.Availability
Available in OS X v10.5 and later.
-
Retrieves the current list of certification authorities.
Declaration
Swift
func SSLCopyCertificateAuthorities(_context: SSLContext, _certificates: UnsafeMutablePointer<CFArray?>) -> OSStatusObjective-C
OSStatus SSLCopyCertificateAuthorities ( SSLContextRef context, CFArrayRef _Nullable *certificates );Parameters
contextAn SSL session context reference.
trustedRootsOn return, a pointer to a value of type
CFArrayRef. This array contains values of typeSecCertificateRefrepresenting the current set of certification authorities (specified with theSSLSetCertificateAuthoritiesfunction). Returns aNULLarray ifSSLSetCertificateAuthoritieshas not been called. You must call theCFReleasefunction to release this array when you are finished with it.Return Value
A result code. See Secure Transport Result Codes.
Availability
Available in OS X v10.5 and later.
-
Unsupported.
Declaration
Swift
func SSLAddDistinguishedName(_context: SSLContext, _derDN: UnsafePointer<Void>, _derDNLen: Int) -> OSStatusObjective-C
OSStatus SSLAddDistinguishedName ( SSLContextRef context, const void *derDN, size_t derDNLen );Parameters
contextAn SSL session context reference.
derDNA pointer to a buffer containing a DER-encoded distinguished name.
derDNLenA value of type
size_trepresenting the size of the buffer pointed to by the parameterderDN.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function has not been implemented and is unsupported at this time.
Availability
Unsupported.
-
Retrieves the distinguished names of acceptable certification authorities.
Declaration
Swift
func SSLCopyDistinguishedNames(_context: SSLContext, _names: UnsafeMutablePointer<CFArray?>) -> OSStatusObjective-C
OSStatus SSLCopyDistinguishedNames ( SSLContextRef context, CFArrayRef _Nullable *names );Parameters
contextAn SSL session context reference.
namesOn return, an array of
CFDataRefobjects, each representing one DER-encoded relative distinguished name of an acceptable certification authority. You must call theCFReleasefunction to release this array when you are finished with it.Return Value
A result code. See Secure Transport Result Codes.
Discussion
The list of distinguished names is provided by the server if the context reference represents a client; if the context reference represents a server, the list of distinguished names is specified with the
SSLSetCertificateAuthoritiesfunction.The array retrieved by this function is suitable for use in finding a client identity (that is, a certificate and associated private key) that matches a server's requirements.
Availability
Available in OS X v10.5 and later.
-
SSLSetAllowsExpiredCerts(OS X v10.9)Specifies whether certificate expiration times are ignored.
Declaration
Objective-C
OSStatus SSLSetAllowsExpiredCerts ( SSLContextRef context, Boolean allowsExpired );Parameters
contextAn SSL session context reference.
allowsExpiredA Boolean flag representing whether the certificate expiration times are ignored. The default for this flag is
false, meaning expired certificates result in anerrSSLCertExpiredresult code.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use this function to allow the handshake to succeed even if one or more certificates in the certificate chain have expired. You can use the
SSLGetAllowsExpiredCertsfunction to determine the current setting of theallowsExpiredflag.Use the
SSLSetAllowsExpiredRootsfunction to set a flag specifying whether expired root certificates are allowed.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetAllowsExpiredCerts(OS X v10.9)Retrieves the value specifying whether expired certificates are allowed.
Declaration
Objective-C
OSStatus SSLGetAllowsExpiredCerts ( SSLContextRef context, Boolean *allowsExpired );Parameters
contextAn SSL session context reference.
allowsExpiredOn return, this flag is set to the value of the Boolean flag that specifies whether expired certificates are ignored. If this value is
true, then Secure Transport does not return an error if any certificates in the certificate chain are expired.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can set the
allowsExpiredflag to allow the handshake to succeed even if one or more certificates in the certificate chain have expired. This function returns the current setting of this flag. Use theSSLSetAllowsExpiredCertsfunction to set the value of theallowsExpiredflag.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
Specifies this connection’s certificate or certificates.
Declaration
Swift
func SSLSetCertificate(_context: SSLContext, _certRefs: CFArray) -> OSStatusObjective-C
OSStatus SSLSetCertificate ( SSLContextRef context, CFArrayRef certRefs );Parameters
contextAn SSL session context reference.
certRefsThe certificates to set. This array contains items of type
SecCertificateRef, except forcertRefs[0], which is of typeSecIdentityRef.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Setting the certificate or certificates is mandatory for server connections, but is optional for clients. Specifying a certificate for a client enables SSL client-side authentication. You must place in
certRefs[0]aSecIdentityRefobject that identifies the leaf certificate and its corresponding private key. Specifying a root certificate is optional; if it’s not specified, the root certificate that verifies the certificate chain specified here must be present in the system wide set of trusted anchor certificates.This function must be called before calling
SSLHandshake, or immediately afterSSLHandshakehas returnederrSSLClientCertRequested(that is, before the handshake is resumed by callingSSLHandshakeagain).Secure Transport assumes the following:
The certificate references remain valid for the lifetime of the session.
The identity specified in
certRefs[0]is capable of signing.
The required capabilities of the identity specified in
certRefs[0]—and of the optional certificate specified in theSSLSetEncryptionCertificatefunction—are highly dependent on the application. For example, to work as a server with Netscape clients, the identity specified here must be capable of both signing and encrypting. Use theSSLCopyDistinguishedNamesfunction to get a list of certificates acceptable to the server.Availability
Available in OS X v10.2 and later.
-
Retrieves the exchange status of the client certificate.
Declaration
Swift
func SSLGetClientCertificateState(_context: SSLContext, _clientState: UnsafeMutablePointer<SSLClientCertificateState>) -> OSStatusObjective-C
OSStatus SSLGetClientCertificateState ( SSLContextRef context, SSLClientCertificateState *clientState );Parameters
contextAn SSL session context reference.
clientStateOn return, a pointer to a value indicating the state of the client certificate exchange. See
“SSL Client Certificate State Constants”for a list of possible values.Return Value
A result code. See Secure Transport Result Codes.
Discussion
The value returned reflects the latest change in the state of the client certificate exchange. If either peer initiates a renegotiation attempt, Secure Transport resets the state to
kSSLClientCertNone.Availability
Available in OS X v10.3 and later.
-
SSLSetEnableCertVerify(OS X v10.9)Enables or disables peer certificate chain validation.
Declaration
Objective-C
OSStatus SSLSetEnableCertVerify ( SSLContextRef context, Boolean enableVerify );Parameters
contextAn SSL session context reference.
enableVerifyA Boolean value specifying whether peer certificate chain validation is enabled. Certificate chain validation is enabled by default. Specify
falseto disable validation.Return Value
A result code. See Secure Transport Result Codes.
Discussion
By default, Secure Transport attempts to verify the certificate chain during an exchange of peer certificates. If you disable peer certificate chain validation, it is your responsibility to call
SSLCopyPeerCertificatesupon successful completion of the handshake and then to validate the peer certificate chain before transferring the data.You can use the
SSLGetEnableCertVerifyfunction to determine the current setting of theenableVerifyflag.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLGetEnableCertVerify(OS X v10.9)Determines whether peer certificate chain validation is currently enabled.
Declaration
Objective-C
OSStatus SSLGetEnableCertVerify ( SSLContextRef context, Boolean *enableVerify );Parameters
contextAn SSL session context reference.
enableVerifyOn return, a pointer to a Boolean value specifying whether peer certificate chain validation is enabled. If this value is
true, then Secure Transport automatically attempts to verify the certificate chain during exchange of peer certificates.Return Value
A result code. See Secure Transport Result Codes.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.9.
-
SSLSetEncryptionCertificate(_:_:) SSLSetEncryptionCertificate(OS X v10.11)Specifies the encryption certificates used for this connection.
Declaration
Swift
func SSLSetEncryptionCertificate(_context: SSLContext, _certRefs: CFArray) -> OSStatusObjective-C
OSStatus SSLSetEncryptionCertificate ( SSLContextRef context, CFArrayRef certRefs );Parameters
contextAn SSL session context reference.
certRefsA value of type
CFArrayRefreferring to an array of certificate references. The references are typeSecCertificateRef, except forcertRefs[0], which is of typeSecIdentityRef.Return Value
A result code. See Secure Transport Result Codes.
Discussion
Use this function in one of the following cases:
The leaf certificate specified in the
SSLSetCertificatefunction is not capable of encryption.The leaf certificate specified in the
SSLSetCertificatefunction contains a key that is too large or strong for legal encryption in this session. In this case, a weaker certificate is specified here and is used for server-initiated key exchange.
The following assumptions are made:
The
certRefsparameter’s references remain valid for the lifetime of the connection.The specified
certRefs[0]value is capable of encryption.
This function can be called only when no session is active.
SSL servers that enforce the SSL3 or TLS1 specification to the letter do not accept encryption certificates with key sizes larger than 512 bits for exportable ciphers (that is, for SSL sessions with 40-bit session keys). Therefore, if you wish to support exportable ciphers and your certificate has a key larger than 512 bits, you must specify a separate encryption certificate.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.11.
-
SSLGetPeerCertificatesAvailable in OS X v10.2 through OS X v10.7Retrieves a peer certificate.
Deprecation Statement
Use
SSLCopyPeerCertificatesinstead.Declaration
Objective-C
OSStatus SSLGetPeerCertificates ( SSLContextRef context, CFArrayRef *certs );Parameters
contextAn SSL session context reference.
certsOn return, a pointer to an array of values of type
SecCertificateRefrepresenting the peer certificate and the certificate chain used to validate it. The certificate at index 0 of the returned array is the peer certificate (the subject of the function call—the end certificate in the chain); the root certificate (or the closest certificate to it) is at the end of the returned array. The entire array is created by the Secure Transport library; you must call theCFReleasefunction for this array and for eachSecCertificateRefvalue in the array when you are finished with them.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function is valid any time after a handshake attempt. You can use it to examine a peer certificate, to examine a certificate chain to determine why a handshake attempt failed, or to retrieve the certificate chain in order to validate the certificate yourself. (To disable validation so that you can validate the certificate yourself, use the
SSLSetSessionOptionfunction to set the session’skSSLSessionOptionBreakOnServerAuthflag.)Special Considerations
Because this function requires separately releasing each certificate reference returned, it has been deprecated in favor of
SSLCopyPeerCertificates, which conforms to standard Core Foundation semantics.Availability
Available in OS X v10.2 through OS X v10.7.
Deprecated in OS X v10.5.
-
SSLCopyPeerCertificates(OS X v10.9)Retrieves a peer certificate and its certificate chain.
Declaration
Objective-C
OSStatus SSLCopyPeerCertificates ( SSLContextRef context, CFArrayRef _Nullable *certs );Parameters
contextAn SSL session context reference.
certsOn return, a pointer to an array of values of type
SecCertificateRefrepresenting the peer certificate and the certificate chain used to validate it. The certificate at index 0 of the returned array is the peer certificate (the subject of the function call—the end certificate in the chain); the root certificate (or the closest certificate to it) is at the end of the returned array. The entire array is created by the Secure Transport library; you must call theCFReleasefunction for this array when you are finished with it.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function is valid any time after a handshake attempt. You can use it to examine a peer certificate, to examine a certificate chain to determine why a handshake attempt failed, or to retrieve the certificate chain in order to validate the certificate yourself. (To disable validation so that you can validate the certificate yourself, use the
SSLSetSessionOptionfunction to set the session’skSSLSessionOptionBreakOnServerAuthflag.)Availability
Available in OS X v10.5 and later.
Deprecated in OS X v10.9.
-
Retrieves a trust management object for the certificate used by a session.
Declaration
Swift
func SSLCopyPeerTrust(_context: SSLContext, _trust: UnsafeMutablePointer<SecTrust?>) -> OSStatusObjective-C
OSStatus SSLCopyPeerTrust ( SSLContextRef context, SecTrustRef _Nullable *trust );Parameters
contextAn SSL session context reference.
trustOn return, a trust management object you can use to evaluate trust for the certificate used by the session. A trust management object includes the certificate to be verified plus the policy or policies to be used in evaluating trust. See Certificate, Key, and Trust Services Reference for functions to create and evaluate trust management objects. You must call the
CFReleasefunction for this object when you are finished with it.Return Value
A result code. See Secure Transport Result Codes.
Discussion
This function is valid any time after a handshake attempt.
Availability
Available in OS X v10.6 and later.
-
Specifies the fully qualified domain name of the peer.
Declaration
Swift
func SSLSetPeerDomainName(_context: SSLContext, _peerName: UnsafePointer<Int8>, _peerNameLen: Int) -> OSStatusObjective-C
OSStatus SSLSetPeerDomainName ( SSLContextRef context, const char *peerName, size_t peerNameLen );Parameters
contextAn SSL session context reference.
peerNameThe fully qualified domain name of the peer—for example,
store.apple.com. The name is in the form of a C string, except thatNULLtermination is optional.peerNameLenThe number of bytes passed in the
peerNameparameter.Return Value
A result code. See Secure Transport Result Codes.
Discussion
You can use this function to verify the common name field in the peer’s certificate. If you call this function and the common name in the certificate does not match the value you specify in the
peerNameparameter, then handshake fails and returnserrSSLXCertChainInvalid. Use of this function is optional.This function can be called only when no session is active.
Availability
Available in OS X v10.2 and later.
-
Determines the length of a previously set peer domain name.
Declaration
Swift
func SSLGetPeerDomainNameLength(_context: SSLContext, _peerNameLen: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetPeerDomainNameLength ( SSLContextRef context, size_t *peerNameLen );Parameters
contextAn SSL session context reference.
peerNameLenOn return, points to the length of the peer domain name.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
If you previously called the
SSLSetPeerDomainNamefunction to specify a fully qualified domain name for the peer certificate, you can use theSSLGetPeerDomainNamefunction to retrieve the peer domain name. Before doing so, you must call theSSLGetPeerDomainNameLengthfunction to retrieve the buffer size needed for the domain name.Availability
Available in OS X v10.2 and later.
-
Retrieves the peer domain name specified previously.
Declaration
Swift
func SSLGetPeerDomainName(_context: SSLContext, _peerName: UnsafeMutablePointer<Int8>, _peerNameLen: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetPeerDomainName ( SSLContextRef context, char *peerName, size_t *peerNameLen );Parameters
contextAn SSL session context reference.
peerNameOn return, points to the peer domain name.
peerNameLenA pointer to the length of the peer domain name. Before calling this function, retrieve the peer domain name length by calling the function
SSLGetPeerDomainNameLength.Return Value
A result code. See Secure Transport Result Codes.
Discussion
If you previously called the
SSLSetPeerDomainNamefunction to specify a fully qualified domain name for the peer certificate, you can use theSSLGetPeerDomainNamefunction to retrieve the domain name.Availability
Available in OS X v10.2 and later.
-
SSLSetProtocolVersion(OS X v10.8)Sets the SSL protocol version. This function is deprecated.
Declaration
Objective-C
OSStatus SSLSetProtocolVersion ( SSLContextRef context, SSLProtocol version );Parameters
contextAn SSL session context reference.
versionThe SSL protocol version to negotiate.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
Use the
SSLSetProtocolVersionEnabledfunction instead.This function cannot be called when a session is active.
Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.8.
-
SSLGetProtocolVersion(OS X v10.8)Gets the SSL protocol version. This function is deprecated.
Declaration
Objective-C
OSStatus SSLGetProtocolVersion ( SSLContextRef context, SSLProtocol *protocol );Parameters
contextAn SSL session context reference.
protocolOn return, a pointer to the SSL protocol version.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
Use the
SSLGetProtocolVersionEnabledfunction instead.Availability
Available in OS X v10.2 and later.
Deprecated in OS X v10.8.
-
Allocates and returns a new
SSLContextRefobject.Declaration
Swift
func SSLCreateContext(_alloc: CFAllocator?, _protocolSide: SSLProtocolSide, _connectionType: SSLConnectionType) -> SSLContext?Objective-C
SSLContextRef SSLCreateContext ( CFAllocatorRef alloc, SSLProtocolSide protocolSide, SSLConnectionType connectionType );Parameters
allocThe allocator to use. Pass
NULLorkCFAllocatorDefaultto use the default allocator.protocolSideEither
kSSLServerSideorkSSLClientSide.connectionTypeEither
kSSLStreamTypeorkSSLDatagramType.Availability
Available in OS X v10.8 and later.
-
Provides the largest packet that the OS guarantees it can send without fragmentation.
Declaration
Swift
func SSLGetDatagramWriteSize(_dtlsContext: SSLContext, _bufSize: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetDatagramWriteSize ( SSLContextRef dtlsContext, size_t *bufSize );Parameters
dtlsContextThe SSL context associated with the connection.
bufSizeThe address of a
size_tinteger for storing the length.Return Value
Returns 0 on success or an error code from
MacErrors.h.Discussion
Although any packet below this threshold size will not be fragmented by the OS when sent using
SSLWrite, this function provides no guarantees about whether the packet will be fragmented by routers en route. This size value is equal to the maximum Datagram Record size (set by callingSSLSetMaxDatagramRecordSize) minus the DTLS Record header size.Availability
Available in OS X v10.8 and later.
-
Obtains the maximum datagram record size (including all Datagram TLS record headers) allowed by the application for a given SSL context.
Declaration
Swift
func SSLGetMaxDatagramRecordSize(_dtlsContext: SSLContext, _maxSize: UnsafeMutablePointer<Int>) -> OSStatusObjective-C
OSStatus SSLGetMaxDatagramRecordSize ( SSLContextRef dtlsContext, size_t *maxSize );Parameters
dtlsContextThe SSL context associated with the connection.
bufSizeThe address of a
size_tinteger for storing the length.Return Value
Returns 0 on success or an error code from
MacErrors.h.Discussion
The application can specify a new value by calling
SSLSetMaxDatagramRecordSize, up to the maximum size of a UDP packet (which, in turn, is based on the underlying IP protocol).Availability
Available in OS X v10.8 and later.
-
Gets the maximum protocol version allowed by the application for a given SSL context.
Declaration
Swift
func SSLGetProtocolVersionMax(_context: SSLContext, _maxVersion: UnsafeMutablePointer<SSLProtocol>) -> OSStatusObjective-C
OSStatus SSLGetProtocolVersionMax ( SSLContextRef context, SSLProtocol *maxVersion );Parameters
dtlsContextThe SSL context associated with the connection.
maxVersionThe address of an
SSLProtocolinteger where the maximum version should be stored. See SSL Protocol Constants for a list of possible values.Return Value
Returns 0 on success or an error code from
MacErrors.h.Availability
Available in OS X v10.8 and later.
-
Gets the minimum protocol version allowed by the application for a given SSL context.
Declaration
Swift
func SSLGetProtocolVersionMin(_context: SSLContext, _minVersion: UnsafeMutablePointer<SSLProtocol>) -> OSStatusObjective-C
OSStatus SSLGetProtocolVersionMin ( SSLContextRef context, SSLProtocol *minVersion );Parameters
dtlsContextThe SSL context associated with the connection.
minVersionThe address of an
SSLProtocolinteger where the minimum version should be stored. See SSL Protocol Constants for a list of possible values.Return Value
Returns 0 on success or an error code from
MacErrors.h.Availability
Available in OS X v10.8 and later.
-
Sets the cookie value used in the Datagram TLS hello message.
Declaration
Swift
func SSLSetDatagramHelloCookie(_dtlsContext: SSLContext, _cookie: UnsafePointer<Void>, _cookieLen: Int) -> OSStatusObjective-C
OSStatus SSLSetDatagramHelloCookie ( SSLContextRef dtlsContext, const void *cookie, size_t cookieLen );Parameters
dtlsContextThe SSL context associated with the connection.
cookieThe cookie value.
cookieLenThe length of the cookie (up to 32 bytes).
Return Value
Returns 0 on success or an error code from
MacErrors.h.Discussion
This function should be called only on the server side, and is optional. The default cookie is a zero-length cookie.
Availability
Available in OS X v10.8 and later.
-
Obtains the maximum datagram record size (including all Datagram TLS record headers) allowed by the application for a given SSL context.
Declaration
Swift
func SSLSetMaxDatagramRecordSize(_dtlsContext: SSLContext, _maxSize: Int) -> OSStatusObjective-C
OSStatus SSLSetMaxDatagramRecordSize ( SSLContextRef dtlsContext, size_t maxSize );Parameters
dtlsContextThe SSL context associated with the connection.
bufSizeThe length value.
Return Value
Returns 0 on success or an error code from
MacErrors.h.Discussion
The application can specify a new value up to the maximum size of a UDP packet (which, in turn, is based on the underlying IP protocol).
Availability
Available in OS X v10.8 and later.
-
Sets the maximum protocol version allowed by the application for a given SSL context.
Declaration
Swift
func SSLSetProtocolVersionMax(_context: SSLContext, _maxVersion: SSLProtocol) -> OSStatusObjective-C
OSStatus SSLSetProtocolVersionMax ( SSLContextRef context, SSLProtocol maxVersion );Parameters
dtlsContextThe SSL context associated with the connection.
maxVersionThe new maximum version (
kTLSProtocol1, for example). See SSL Protocol Constants for a complete list.Return Value
Returns 0 on success or an error code from
MacErrors.h.Availability
Available in OS X v10.8 and later.
-
Sets the minimum protocol version allowed by the application for a given SSL context.
Declaration
Swift
func SSLSetProtocolVersionMin(_context: SSLContext, _minVersion: SSLProtocol) -> OSStatusObjective-C
OSStatus SSLSetProtocolVersionMin ( SSLContextRef context, SSLProtocol minVersion );Parameters
dtlsContextThe SSL context associated with the connection.
minVersionThe new minimum version (
kTLSProtocol1, for example). See SSL Protocol Constants for a complete list.Return Value
Returns 0 on success or an error code from
MacErrors.h.Availability
Available in OS X v10.8 and later.
-
Defines a pointer to a customized read function that Secure Transport calls to read data from the connection.
Declaration
Swift
typealias SSLReadFunc = (SSLConnectionRef, UnsafeMutablePointer<Void>, UnsafeMutablePointer<Int>) -> OSStatusObjective-C
typedef OSStatus (*SSLReadFunc) ( SSLConnectionRef connection, void *data, size_t *dataLength );Parameters
connectionA connection reference.
dataOn return, your callback should overwrite the memory at this location with the data read from the connection.
dataLengthOn input, a pointer to an integer representing the length of the data in bytes. On return, your callback should overwrite that integer with the number of bytes actually transferred.
Return Value
Your callback must return an appropriate result code. See Secure Transport Result Codes.
Discussion
Before using the Secure Transport API, you must create a read function (conforming to the
SSLReadFuncprototype) and a write function (conforming to theSSLWriteFuncprototype) and provide them to the library by calling theSSLSetIOFuncsfunction.You may configure the underlying connection to operate in a nonblocking manner; in that case, a read operation may well return
errSSLWouldBlock, indicating less data than requested was transferred and nothing is wrong except that the requested I/O hasn’t completed. This result is returned to the caller from the functionsSSLRead,SSLWrite, orSSLHandshake.Availability
Available in OS X v10.2 and later.
See Also
-
Defines a pointer to a customized write function that Secure Transport calls to write data to the connection.
Declaration
Swift
typealias SSLWriteFunc = (SSLConnectionRef, UnsafePointer<Void>, UnsafeMutablePointer<Int>) -> OSStatusObjective-C
typedef OSStatus (*SSLWriteFunc) ( SSLConnectionRef connection, const void *data, size_t *dataLength );Parameters
connectionThe SSL session connection reference.
dataA pointer to the data to write to the connection.You must allocate this memory before calling this function.
dataLengthBefore calling, an integer representing the length of the data in bytes. On return, this is the number of bytes actually transferred.
Return Value
A result code. See Secure Transport Result Codes.
Discussion
Before using the Secure Transport API, you must write the functions
SSLReadFuncand SSLWriteFunc and provide them to the library by calling theSSLSetIOFuncsfunction.You may configure the underlying connection to operate in a nonblocking manner. In that case, a write operation may well return
errSSLWouldBlock, indicating less data than requested was transferred and nothing is wrong except that the requested I/O hasn’t completed. This result is returned to the caller from the functionsSSLRead,SSLWrite, orSSLHandshake.Availability
Available in OS X v10.2 and later.
See Also
-
Represents a pointer to an opaque I/O connection object.
Declaration
Swift
typealias SSLConnectionRef = UnsafePointer<Void>Objective-C
typedef const void *SSLConnectionRef;Discussion
The I/O connection object refers to data that identifies a connection. The connection data is opaque to Secure Transport; you can set it to any value that your application can use in the callback functions
SSLReadFuncandSSLWriteFuncto uniquely identify the connection, such as a socket or endpoint. Use theSSLSetConnectionfunction to assign a value to the connection object.Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
Represents a pointer to an opaque SSL session context object.
Declaration
Swift
class SSLContext { }Objective-C
struct SSLContext; typedef struct SSLContext *SSLContextRef;Discussion
The SSL session context object references the state associated with a session. You cannot reuse an SSL session context in multiple sessions.
Availability
Available in OS X v10.2 and later.
-
Represents the requirements for client-side authentication.
Declaration
Swift
enum SSLAuthenticate : Int32 { case NeverAuthenticate case AlwaysAuthenticate case TryAuthenticate }Objective-C
typedef enum { kNeverAuthenticate, kAlwaysAuthenticate, kTryAuthenticate } SSLAuthenticate;Constants
-
neverAuthenticatekNeverAuthenticateIndicates that client-side authentication is not required. (Default.)
Available in OS X v10.2 and later.
-
alwaysAuthenticatekAlwaysAuthenticateIndicates that client-side authentication is required.
Available in OS X v10.2 and later.
-
tryAuthenticatekTryAuthenticateIndicates that client-side authentication should be attempted. There is no error if the client doesn’t have a certificate.
Available in OS X v10.2 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
-
Represents the cipher suites available.
Declaration
Swift
typealias SSLCipherSuite = UInt32Objective-C
typedef UInt32 SSLCipherSuite; enum { SSL_NULL_WITH_NULL_NULL = 0x0000, SSL_RSA_WITH_NULL_MD5 = 0x0001, SSL_RSA_WITH_NULL_SHA = 0x0002, SSL_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, SSL_RSA_WITH_RC4_128_MD5 = 0x0004, SSL_RSA_WITH_RC4_128_SHA = 0x0005, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, SSL_RSA_WITH_IDEA_CBC_SHA = 0x0007, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, SSL_RSA_WITH_DES_CBC_SHA = 0x0009, SSL_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, SSL_DH_DSS_WITH_DES_CBC_SHA = 0x000C, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, SSL_DH_RSA_WITH_DES_CBC_SHA = 0x000F, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, SSL_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, SSL_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017, SSL_DH_anon_WITH_RC4_128_MD5 = 0x0018, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019, SSL_DH_anon_WITH_DES_CBC_SHA = 0x001A, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, SSL_FORTEZZA_DMS_WITH_NULL_SHA = 0x001C, SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA =0x001D, /* TLS addenda using AES, per RFC 3268 */ TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034, TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A, /* ECDSA addenda, RFC 4492 */ TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005, TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B, TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F, TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010, TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, TLS_ECDH_anon_WITH_NULL_SHA = 0xC015, TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017, TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018, TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019, /* TLS 1.2 addenda, RFC 5246 */ /* Initial state. */ TLS_NULL_WITH_NULL_NULL = 0x0000, /* Server provided RSA certificate for key exchange. */ TLS_RSA_WITH_NULL_MD5 = 0x0001, TLS_RSA_WITH_NULL_SHA = 0x0002, TLS_RSA_WITH_RC4_128_MD5 = 0x0004, TLS_RSA_WITH_RC4_128_SHA = 0x0005, TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, TLS_RSA_WITH_NULL_SHA256 = 0x003B, TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, /* Server-authenticated (and optionally client-authenticated ) Diffie-Hellman. */ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E, TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068, TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, /* Completely anonymous Diffie-Hellman */ TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018, TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B, TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C, TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D, /* Addendum from RFC 4279, TLS PSK */ TLS_PSK_WITH_RC4_128_SHA = 0x008A, TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C, TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D, TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E, TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F, TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090, TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091, TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092, TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093, TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094, TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095, /* RFC 4785 - Pre-Shared Key (PSK ) Ciphersuites with NULL Encryption */ TLS_PSK_WITH_NULL_SHA = 0x002C, TLS_DHE_PSK_WITH_NULL_SHA = 0x002D, TLS_RSA_PSK_WITH_NULL_SHA = 0x002E, /* Addenda from rfc 5288 AES Galois Counter Mode (GCM ) Cipher Suites for TLS. */ TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0, TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6, TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7, /* RFC 5487 - PSK with SHA-256/384 and AES GCM */ TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE, TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF, TLS_PSK_WITH_NULL_SHA256 = 0x00B0, TLS_PSK_WITH_NULL_SHA384 = 0x00B1, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4, TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8, TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9, /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with HMAC SHA-256/384. */ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A, /* Addenda from rfc 5289 Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM ) */ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032, /* RFC 5746 - Secure Renegotiation */ TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF, /* * Tags for SSL 2 cipher kinds that are not specified * for SSL 3. */ SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80, SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81, SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82, SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83, SSL_NO_SUCH_CIPHERSUITE = 0xFFFF };Constants
-
SSL_RSA_EXPORT_WITH_RC4_40_MD5SSL_RSA_EXPORT_WITH_RC4_40_MD5Session key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5Session key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_RSA_EXPORT_WITH_DES40_CBC_SHASSL_RSA_EXPORT_WITH_DES40_CBC_SHASession key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHASession key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHASSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHASession key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHASSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHASession key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5SSL_DH_anon_EXPORT_WITH_RC4_40_MD5Session key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHASSL_DH_anon_EXPORT_WITH_DES40_CBC_SHASession key size conforms to pre-1998 US export restrictions.
Available in OS X v10.2 and later.
-
SSL_RSA_WITH_RC2_CBC_MD5SSL_RSA_WITH_RC2_CBC_MD5This value can be specified for SSL 2 but not SSL 3.
Available in OS X v10.2 and later.
-
SSL_RSA_WITH_IDEA_CBC_MD5SSL_RSA_WITH_IDEA_CBC_MD5This value can be specified for SSL 2 but not SSL 3.
Available in OS X v10.2 and later.
-
SSL_RSA_WITH_DES_CBC_MD5SSL_RSA_WITH_DES_CBC_MD5This value can be specified for SSL 2 but not SSL 3.
Available in OS X v10.2 and later.
-
SSL_RSA_WITH_3DES_EDE_CBC_MD5SSL_RSA_WITH_3DES_EDE_CBC_MD5This value can be specified for SSL 2 but not SSL 3.
Available in OS X v10.2 and later.
Discussion
These cipher suite constants are part of the TLS specification. For more information, see RFC 5246.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
-
Represents the status of client certificate exchange.
Declaration
Swift
enum SSLClientCertificateState : Int32 { case CertNone case CertRequested case CertSent case CertRejected }Objective-C
typedef enum { kSSLClientCertNone, kSSLClientCertRequested, kSSLClientCertSent, kSSLClientCertRejected } SSLClientCertificateState;Constants
-
certNonekSSLClientCertNoneIndicates that the server hasn’t asked for a certificate and that the client hasn’t sent one.
Available in OS X v10.2 and later.
-
certRequestedkSSLClientCertRequestedIndicates that the server has asked for a certificate, but the client has not sent it.
Available in OS X v10.2 and later.
-
certSentkSSLClientCertSentIndicates that the server asked for a certificate, the client sent one, and the server validated it. The application can inspect the certificate using the function
SSLGetPeerCertificates.Available in OS X v10.2 and later.
-
certRejectedkSSLClientCertRejectedIndicates that the client sent a certificate but the certificate failed validation. This value is seen only on the server side. The server application can inspect the certificate using the function
SSLGetPeerCertificates.Available in OS X v10.2 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
-
Represents the SSL protocol version.
Declaration
Swift
enum SSLProtocol : Int32 { case SSLProtocolUnknown case SSLProtocol3 case TLSProtocol1 case TLSProtocol11 case TLSProtocol12 case DTLSProtocol1 case SSLProtocol2 case SSLProtocol3Only case TLSProtocol1Only case SSLProtocolAll }Objective-C
typedef enum { kSSLProtocolUnknown = 0, kSSLProtocol3 = 2, kTLSProtocol1 = 4, kTLSProtocol11 = 7, kTLSProtocol12 = 8, kDTLSProtocol1 = 9, /* DEPRECATED on iOS */ kSSLProtocol2 = 1, kSSLProtocol3Only = 3, kTLSProtocol1Only = 5, kSSLProtocolAll = 6, } SSLProtocol;Constants
-
sslProtocolUnknownkSSLProtocolUnknownSpecifies that no protocol has been or should be negotiated or specified; use default.
Available in OS X v10.2 and later.
-
sslProtocol3kSSLProtocol3Specifies that the SSL 3.0 protocol is preferred; the SSL 2.0 protocol may be negotiated if the peer cannot use the SSL 3.0 protocol.
Available in OS X v10.2 and later.
-
tlsProtocol1kTLSProtocol1Specifies that the TLS 1.0 protocol is preferred but lower versions may be negotiated.
Available in OS X v10.2 and later.
-
tlsProtocol11kTLSProtocol11Specifies that the TLS 1.1 protocol is preferred but lower versions may be negotiated.
Available in OS X v10.8 and later.
-
tlsProtocol12kTLSProtocol12Specifies that the TLS 1.2 protocol is preferred but lower versions may be negotiated.
Available in OS X v10.8 and later.
-
sslProtocol2kSSLProtocol2Specifies that only the SSL 2.0 protocol may be negotiated. Deprecated in iOS.
Available in OS X v10.2 and later.
-
sslProtocol3OnlykSSLProtocol3OnlySpecifies that only the SSL 3.0 protocol may be negotiated; fails if the peer tries to negotiate the SSL 2.0 protocol. Deprecated in iOS.
Available in OS X v10.2 and later.
-
tlsProtocol1OnlykTLSProtocol1OnlySpecifies that only the TLS 1.0 protocol may be negotiated. Deprecated in iOS.
Available in OS X v10.2 and later.
-
sslProtocolAllkSSLProtocolAllSpecifies all supported versions. Deprecated in iOS.
Available in OS X v10.3 and later.
Discussion
The descriptions given here apply to the functions
SSLSetProtocolVersionandSSLGetProtocolVersion. For the functionsSSLSetProtocolVersionEnabledandSSLGetProtocolVersionEnabled, only the following values are used. For these functions, each constant exceptkSSLProtocolAllspecifies a single protocol version.kSSLProtocol2kSSLProtocol3kTLSProtocol1kSSLProtocolAll
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
-
Represents the state of an SSL session.
Declaration
Swift
enum SSLSessionState : Int32 { case Idle case Handshake case Connected case Closed case Aborted }Objective-C
typedef enum { kSSLIdle, kSSLHandshake, kSSLConnected, kSSLClosed, kSSLAborted } SSLSessionState;Constants
-
idlekSSLIdleNo I/O has been performed yet.
Available in OS X v10.2 and later.
-
handshakekSSLHandshakeThe SSL handshake is in progress.
Available in OS X v10.2 and later.
-
connectedkSSLConnectedThe SSL handshake is complete; the connection is ready for normal I/O.
Available in OS X v10.2 and later.
-
closedkSSLClosedThe connection closed normally.
Available in OS X v10.2 and later.
-
abortedkSSLAbortedThe connection aborted.
Available in OS X v10.2 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.2 and later.
-
-
Options that can be set for an SSL session with the
SSLSetSessionOptionfunction.Declaration
Swift
enum SSLSessionOption : Int32 { case BreakOnServerAuth case BreakOnCertRequested case BreakOnClientAuth case FalseStart case SendOneByteRecord case AllowServerIdentityChange case Fallback case BreakOnClientHello }Objective-C
typedef enum { kSSLSessionOptionBreakOnServerAuth, kSSLSessionOptionBreakOnCertRequested, kSSLSessionOptionBreakOnClientAuth, kSSLSessionOptionFalseStart, kSSLSessionOptionSendOneByteRecord } SSLSessionOption;Constants
-
breakOnServerAuthkSSLSessionOptionBreakOnServerAuthEnables returning from
SSLHandshake(with a result oferrSSLServerAuthCompleted) when the server authentication portion of the handshake is complete to allow your application to perform its own certificate verification.Note that in iOS (all versions) and OS X 10.8 and later, setting this option disables Secure Transport's automatic verification of server certificates.
If you set this option, your application should perform its own certificate verification when
errSSLServerAuthCompletedis returned before continuing with the handshake.Available in OS X v10.6 and later.
-
breakOnCertRequestedkSSLSessionOptionBreakOnCertRequestedEnables returning from
SSLHandshake(with a result oferrSSLClientCertRequested) when the server requests a client certificate.Available in OS X v10.6 and later.
-
breakOnClientAuthkSSLSessionOptionBreakOnClientAuthEnables returning from
SSLHandshake(with a result oferrSSLClientAuthCompleted) when the client authentication portion of the handshake is complete to allow your application to perform its own certificate verification.Note that in iOS (all versions) and OS X 10.8 and later, setting this option disables Secure Transport's automatic verification of client certificates.
If you set this option, your application should perform its own certificate verification when
errSSLClientAuthCompletedis returned before continuing with the handshake.Available in OS X v10.8 and later.
-
falseStartkSSLSessionOptionFalseStartWhen enabled, TLS False Start is used if an adequate cipher-suite is negotiated.
Available in OS X v10.9 and later.
-
sendOneByteRecordkSSLSessionOptionSendOneByteRecordEnables
1/n-1record splitting for BEAST attack mitigation. When enabled, record splitting is performed only for TLS 1.0 connections based on a block cipher.Available in OS X v10.9 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.6 and later.
-
-
Specifies whether a new SSL context created by
SSLCreateContextshould describe the server side or client side of a connection.Declaration
Swift
enum SSLProtocolSide : Int32 { case ServerSide case ClientSide }Objective-C
typedef enum { kSSLServerSide, kSSLClientSide } SSLProtocolSide;Constants
-
serverSidekSSLServerSideServer side.
Available in OS X v10.8 and later.
-
clientSidekSSLClientSideClient side.
Available in OS X v10.8 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.8 and later.
-
-
Specifies whether a new SSL context created by
SSLCreateContextis intended for use in stream-based or datagram-based communication.Declaration
Swift
enum SSLConnectionType : Int32 { case StreamType case DatagramType }Objective-C
typedef enum { kSSLStreamType, kSSLDatagramType } SSLConnectionType;Constants
-
streamTypekSSLStreamTypeStream-based communication (TCP).
Available in OS X v10.8 and later.
-
datagramTypekSSLDatagramTypeDatagram-based communication (UDP).
Available in OS X v10.8 and later.
Import Statement
Objective-C
@import Security;Swift
import SecurityAvailability
Available in OS X v10.8 and later.
-
The most common result codes returned by Secure Transport functions are listed in the table below.
Errors in the range of –9819 through –9840 are fatal errors that are detected by the peer.
-
SSL protocol error.
Value
–9800
Description
SSL protocol error.
Available in OS X v10.2 and later.
-
The cipher suite negotiation failed.
Value
–9801
Description
The cipher suite negotiation failed.
Available in OS X v10.2 and later.
-
A fatal alert was encountered.
Value
–9802
Description
A fatal alert was encountered.
Available in OS X v10.2 and later.
-
Function is blocked; waiting for I/O. This is not fatal.
Value
–9803
Description
Function is blocked; waiting for I/O. This is not fatal.
Available in OS X v10.2 and later.
-
An attempt to restore an unknown session failed.
Value
–9804
Description
An attempt to restore an unknown session failed.
Available in OS X v10.2 and later.
-
The connection closed gracefully.
Value
–9805
Description
The connection closed gracefully.
Available in OS X v10.2 and later.
-
The connection closed due to an error.
Value
–9806
Description
The connection closed due to an error.
Available in OS X v10.2 and later.
-
Invalid certificate chain.
Value
–9807
Description
Invalid certificate chain.
Available in OS X v10.2 and later.
-
Bad certificate format.
Value
–9808
Description
Bad certificate format.
Available in OS X v10.2 and later.
-
An underlying cryptographic error was encountered.
Value
–9809
Description
An underlying cryptographic error was encountered.
Available in OS X v10.2 and later.
-
Internal error.
Value
–9810
Description
Internal error.
Available in OS X v10.2 and later.
-
Module attach failure.
Value
–9811
Description
Module attach failure.
Available in OS X v10.2 and later.
-
Certificate chain is valid, but root is not trusted.
Value
–9812
Description
Certificate chain is valid, but root is not trusted.
Available in OS X v10.2 and later.
-
No root certificate for the certificate chain.
Value
–9813
Description
No root certificate for the certificate chain.
Available in OS X v10.2 and later.
-
The certificate chain had an expired certificate.
Value
–9814
Description
The certificate chain had an expired certificate.
Available in OS X v10.2 and later.
-
The certificate chain had a certificate that is not yet valid.
Value
–9815
Description
The certificate chain had a certificate that is not yet valid.
Available in OS X v10.2 and later.
-
The server closed the session with no notification.
Value
–9816
Description
The server closed the session with no notification.
Available in OS X v10.2 and later.
-
An insufficient buffer was provided.
Value
–9817
Description
An insufficient buffer was provided.
Available in OS X v10.2 and later.
-
A bad SSL cipher suite was encountered.
Value
–9818
Description
A bad SSL cipher suite was encountered.
Available in OS X v10.2 and later.
-
An unexpected message was received.
Value
–9819
Description
An unexpected message was received.
Available in OS X v10.3 and later.
-
A record with a bad message authentication code (MAC) was encountered.
Value
–9820
Description
A record with a bad message authentication code (MAC) was encountered.
Available in OS X v10.3 and later.
-
Decryption failed.
Value
–9821
Description
Decryption failed.
Available in OS X v10.3 and later.
-
A record overflow occurred.
Value
–9822
Description
A record overflow occurred.
Available in OS X v10.3 and later.
-
Decompression failed.
Value
–9823
Description
Decompression failed.
Available in OS X v10.3 and later.
-
The handshake failed.
Value
–9824
Description
The handshake failed.
Available in OS X v10.3 and later.
-
A bad certificate was encountered.
Value
–9825
Description
A bad certificate was encountered.
Available in OS X v10.3 and later.
-
An unsupported certificate format was encountered.
Value
–9826
Description
An unsupported certificate format was encountered.
Available in OS X v10.3 and later.
-
The certificate was revoked.
Value
–9827
Description
The certificate was revoked.
Available in OS X v10.3 and later.
-
The certificate expired.
Value
–9828
Description
The certificate expired.
Available in OS X v10.3 and later.
-
The certificate is unknown.
Value
–9829
Description
The certificate is unknown.
Available in OS X v10.3 and later.
-
An illegal parameter was encountered.
Value
–9830
Description
An illegal parameter was encountered.
Available in OS X v10.3 and later.
-
An unknown certificate authority was encountered.
Value
–9831
Description
An unknown certificate authority was encountered.
Available in OS X v10.3 and later.
-
Access was denied.
Value
–9832
Description
Access was denied.
Available in OS X v10.3 and later.
-
A decoding error occurred.
Value
–9833
Description
A decoding error occurred.
Available in OS X v10.3 and later.
-
A decryption error occurred.
Value
–9834
Description
A decryption error occurred.
Available in OS X v10.3 and later.
-
An export restriction occurred.
Value
–9835
Description
An export restriction occurred.
Available in OS X v10.3 and later.
-
A bad protocol version was encountered.
Value
–9836
Description
A bad protocol version was encountered.
Available in OS X v10.3 and later.
-
There is insufficient security for this operation.
Value
–9837
Description
There is insufficient security for this operation.
Available in OS X v10.3 and later.
-
An internal error occurred.
Value
–9838
Description
An internal error occurred.
Available in OS X v10.3 and later.
-
The user canceled the operation.
Value
–9839
Description
The user canceled the operation.
Available in OS X v10.3 and later.
-
No renegotiation is allowed.
Value
–9840
Description
No renegotiation is allowed.
Available in OS X v10.3 and later.
-
The server certificate is either valid or was ignored if verification is disabled.
Value
-9841
Description
The server certificate is either valid or was ignored if verification is disabled.
Available in OS X v10.6 through OS X v10.7.
-
The server has requested a client certificate.
Value
-9842
Description
The server has requested a client certificate.
Available in OS X v10.6 and later.
-
The host name you connected with does not match any of the host names allowed by the certificate. This is commonly caused by an incorrect value for the
kCFStreamSSLPeerNameproperty within the dictionary associated with the stream’skCFStreamPropertySSLSettingskey.Value
-9843
Description
The host name you connected with does not match any of the host names allowed by the certificate. This is commonly caused by an incorrect value for the
kCFStreamSSLPeerNameproperty within the dictionary associated with the stream’skCFStreamPropertySSLSettingskey.Available in OS X v10.4 and later.
-
The peer dropped the connection before responding.
Value
–9844
Description
The peer dropped the connection before responding.
Available in OS X v10.4 and later.
-
Decryption failed. Among other causes, this may be caused by invalid data coming from the remote host, a damaged crypto key, or insufficient permission to use a key that is stored in the keychain.
Value
–9845
Description
Decryption failed. Among other causes, this may be caused by invalid data coming from the remote host, a damaged crypto key, or insufficient permission to use a key that is stored in the keychain.
Available in OS X v10.3 and later.
-
A record with a bad message authentication code (MAC) was encountered.
Value
–9846
Description
A record with a bad message authentication code (MAC) was encountered.
Available in OS X v10.3 and later.
-
A record overflow occurred.
Value
–9847
Description
A record overflow occurred.
Available in OS X v10.3 and later.
-
A configuration error occurred.
Value
–9848
Description
A configuration error occurred.
Available in OS X v10.3 and later.
Copyright © 2016 Apple Inc. All rights reserved. Terms of Use | Privacy Policy | Updated: 2014-02-11