diff options
| author |  tihmstar | 2023-12-12 11:13:58 +0100 |
|---|---|---|
| committer |  Nikias Bassen | 2023-12-12 11:13:58 +0100 |
| commit | 9ecd81d16cf0754c3a4a72ea45422c51482d50ba (patch) | |
| tree | 0d5cfb4d16769ff82a2cd449f13847a347307be6 /src/idevice.c | |
| parent | 04c023317f616b4b9588cce8c2da3174a7d2086b (diff) | |
| download | libimobiledevice-9ecd81d16cf0754c3a4a72ea45422c51482d50ba.tar.gz libimobiledevice-9ecd81d16cf0754c3a4a72ea45422c51482d50ba.tar.bz2 | |
Fix iOS 1 SSL connection
Detect if we're talking to iOS 1 `if (connection->device->version == 0)`
and set `SSL_CTX_set_min_proto_version(ssl_ctx, 0);` to support SSL3.
iOS 1 doesn't understand TLS1_VERSION, it can only speak SSL3_VERSION.
However, modern OpenSSL is usually compiled without SSLv3 support.
So if we set min_proto_version to SSL3_VERSION on an OpenSSL instance which doesn't support it,
it will just ignore min_proto_version altogether and fall back to an even higher version.
To avoid accidentally breaking iOS 2.0+, we set min version to 0 instead.
Diffstat (limited to 'src/idevice.c')
| -rw-r--r-- | src/idevice.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/idevice.c b/src/idevice.c index 719cd28..2f4e9ce 100644 --- a/src/idevice.c +++ b/src/idevice.c | |||
| @@ -1245,6 +1245,20 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_connection_enable_ssl(idevice_conne | |||
| 1245 | SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); | 1245 | SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); |
| 1246 | if (connection->device->version < DEVICE_VERSION(10,0,0)) { | 1246 | if (connection->device->version < DEVICE_VERSION(10,0,0)) { |
| 1247 | SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION); | 1247 | SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_VERSION); |
| 1248 | if (connection->device->version == 0) { | ||
| 1249 | /* | ||
| 1250 | iOS 1 doesn't understand TLS1_VERSION, it can only speak SSL3_VERSION. | ||
| 1251 | However, modern OpenSSL is usually compiled without SSLv3 support. | ||
| 1252 | So if we set min_proto_version to SSL3_VERSION on an OpenSSL instance which doesn't support it, | ||
| 1253 | it will just ignore min_proto_version altogether and fall back to an even higher version. | ||
| 1254 | To avoid accidentally breaking iOS 2.0+, we set min version to 0 instead. | ||
| 1255 | Here is what documentation says: | ||
| 1256 | Setting the minimum or maximum version to 0, | ||
| 1257 | will enable protocol versions down to the lowest version, | ||
| 1258 | or up to the highest version supported by the library, respectively. | ||
| 1259 | */ | ||
| 1260 | SSL_CTX_set_min_proto_version(ssl_ctx, 0); | ||
| 1261 | } | ||
| 1248 | } | 1262 | } |
| 1249 | #endif | 1263 | #endif |
| 1250 | #if OPENSSL_VERSION_NUMBER >= 0x30000000L | 1264 | #if OPENSSL_VERSION_NUMBER >= 0x30000000L |