Is there any way to explicitly specify the set of cipher suites that you'd like your URLSession client to try and use when establishing a secure connection?
I know that there's the NSExceptionRequiresForwardSecrecy key in the NSAppTransportSecurity dictionary but that doesn't seem to be what I need.
I basically just want to be able to tell the client to notify the server that it is only willing to use the following cipher suites:
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
That way I can decrypt the HTTP/2 traffic that the client and server and communicating with.
As far as I'm aware, there's no way to do this at the
NSURLSessionlevel. You can, of course, write code based on the Secure Transport API, but AFAIK there's no easy way to makeNSURLSessionuse a custom underlying socket. (You might be able to use CFHTTPMessage and friends to make it slightly less horrible than writing a full HTTP stack yourself, but it still won't be pretty.)With that said, if you're using an HTTPS proxy (e.g. Charles Proxy), it should be able to specify which cipher suites are supported and let you MitM the connection without the need for any sort of custom code in the app itself.
If that doesn't meet your needs, I would encourage you to file enhancement requests at bugreport.apple.com and explain what you're trying to do and why. They might be able to suggest some other options.