authorGravatar tihmstar2023-12-12 11:13:58 +0100
committerGravatar Nikias Bassen2023-12-12 11:13:58 +0100
commit9ecd81d16cf0754c3a4a72ea45422c51482d50ba (patch)
tree0d5cfb4d16769ff82a2cd449f13847a347307be6
parent04c023317f616b4b9588cce8c2da3174a7d2086b (diff)
Fix iOS 1 SSL connection
Detect if we're talking to iOS 1 `if (connection->device->version == 0)` and set `SSL_CTX_set_min_proto_version(ssl_ctx, 0);` to support SSL3. iOS 1 doesn't understand TLS1_VERSION, it can only speak SSL3_VERSION. However, modern OpenSSL is usually compiled without SSLv3 support. So if we set min_proto_version to SSL3_VERSION on an OpenSSL instance which doesn't support it, it will just ignore min_proto_version altogether and fall back to an even higher version. To avoid accidentally breaking iOS 2.0+, we set min version to 0 instead.
-rw-r--r--src/idevice.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/idevice.c b/src/idevice.c
index 719cd28..2f4e9ce 100644
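--- a/src/idevice.c
+++ b/src/idevice.c
@@ -1245,6 +1245,20 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne
 SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
 if (connection->device->version < DEVICE_VERSION(10,0,0)) {
 SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION);
+if (connection->device->version == 0) {
+/*
+iOS 1 doesn't understand TLS1_VERSION, it can only speak SSL3_VERSION.
+However, modern OpenSSL is usually compiled without SSLv3 support.
+So if we set min_proto_version to SSL3_VERSION on an OpenSSL instance which doesn't support it,
+it will just ignore min_proto_version altogether and fall back to an even higher version.
+To avoid accidentally breaking iOS 2.0+, we set min version to 0 instead.
+Here is what documentation says:
+Setting the minimum or maximum version to 0,
+will enable protocol versions down to the lowest version,
+or up to the highest version supported by the library, respectively.
+*/
+SSL_CTX_set_min_proto_version(ssl_ctx, 0);
+}
 }
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L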
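Review bot: The `connection->device->version == 0` test at new line 1248 is the only thing confining the removed protocol floor to iOS 1, and nothing visible in the hunk shows that 0 cannot also mean "version not determined". If it can, a device whose version lookup failed would be allowed to negotiate anything from the library's lowest protocol up to the TLS1_VERSION cap set on line 1247, which includes SSLv3 on builds that still ship it. I would state that constraint in the comment, for example `/* version 0 is treated as iOS 1.x; SSLv3 is broken (POODLE), so never widen this condition */`, and confirm at the place where `version` is populated that an unknown version cannot reach this branch. The result of `SSL_CTX_set_min_proto_version(ssl_ctx, 0)` is also ignored (it returns 0 on failure), so a rejected call would silently leave the TLS1_VERSION floor in place. The enclosing function idevice_connection_enable_ssl starts and ends outside the hunk.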