|
Avaya Client Services API Reference (iOS)
|
#import <CSSecurityPolicyConfiguration.h>
Inherits NSObject, and <NSCoding>.
Properties | |
| BOOL | continueOnTLSServerIdentityFailure |
| A boolean value to specify the action to take when server identity validation fails. More... | |
| CSSecurityPolicy | revocationCheckPolicy |
| An enumeration specifying applicable revocation policy. More... | |
| BOOL | privateTrustStoreEnabled |
| A boolean value to specify if the private trust store MUST be used for certificate validations, if set to true. More... | |
| BOOL | usePrivateKeychainForIdentityCertificate |
| A boolean value to specify if application private keychain should be used to store the security items. More... | |
| NSNumber * | certificateRenewalValue |
| An integer value specifying the percentage (0-100) of certificate's max age after which client should issue a certificate renewal notification. More... | |
| CSTLSProtocolVersion | minimumPermittedTLSProtocolVersion |
| Specifies minimum allowed TLS protocol version. More... | |
| CSTrustStoreMode | trustStoreMode |
| Specifies the type of trust store to be used for trust evaluation. More... | |
| NSArray * | blackListedCipherSuites |
| Specifies the black listed cipher suites which will not be included during TLS connection negotiation. More... | |
| NSInteger | minimumRSAKeyLength |
|
readwritenonatomiccopy |
Specifies the black listed cipher suites which will not be included during TLS connection negotiation.
List of available Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
Application can choose to blacklist cipher suites from the above list using this API and the blacklisted ciphers will not be included in TLS connection negotiation.
Note: If user chooses to black list all available cipher suites, the library will pick its default cipher suites for session negotiations.
|
readwritenonatomiccopy |
An integer value specifying the percentage (0-100) of certificate's max age after which client should issue a certificate renewal notification.
Default value of this parameter is 90%.
|
readwritenonatomicassign |
A boolean value to specify the action to take when server identity validation fails.
Applications that would like to ignore the server identity validation failures and continue setting up the secure connection can configure this value as YES. However, it is highly not recommended as to avoid any man-in-the-middle attacks. In some cases, where certain certificates do not have the necessary attributes to comply with the server identity validation rules and network administrator thinks the client applications are connecting to trusted servers, can configure this settings to NO such that such errors are ignored.
Default value is YES
|
readwritenonatomicassign |
Specifies minimum allowed TLS protocol version.
Default value of this parameter is CSTLSProtocolVersionTLS_1_0.
Allowed TLS protocols
CSTLSProtocolVersionTLS_1_0 : All TLS protocol versions are allowed. CSTLSProtocolVersionTLS_1_1 : TLS 1.1 and above are allowed. CSTLSProtocolVersionTLS_1_2 : TLS 1.2 and above are allowed. CSTLSProtocolVersionTLS_1_3 : TLS 1.3 is allowed.
|
readwritenonatomicassign |
|
readwritenonatomicassign |
A boolean value to specify if the private trust store MUST be used for certificate validations, if set to true.
|
readwritenonatomicassign |
An enumeration specifying applicable revocation policy.
The default value of the revocation policy is CSSecurityPolicyBestEffort.
Client application's trust validation behavior for various revocation policies.
CSSecurityPolicyDisabled: The revocation check will not be performed during certificate trust validation. CSSecurityPolicyBestEffort: The revocation check will be performed but any non-conclusive errors are not treated as "fatal". CSSecurityPolicyRequired: The revocation check will be performed and all errors are treated as "fatal". Certificate revocation is supported for macOS (OS X) only.
|
readwritenonatomicassign |
Specifies the type of trust store to be used for trust evaluation.
|
readwritenonatomicassign |
A boolean value to specify if application private keychain should be used to store the security items.
If value is set to NO default keychain will be used.