How to add more cipher suites

I want to add more cipher suites. I use NWConnection to make a connection. Before I used the sec_protocol_options_append_tls_ciphersuite method to add more cipher suites, I found that Apple provided 20 cipher suites, shown in the Client Hello packet. But after I added three more cipher suites, I found that nothing changed: the original 20 cipher suites were still the ones shown in the Client Hello packet when I made a new connection.

The following is the code for the connection. I want to add three more cipher suites: tls_ciphersuite_t.ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, tls_ciphersuite_t.ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, tls_ciphersuite_t.ECDHE_RSA_WITH_AES_256_CBC_SHA384

Can you give me some advice about how to add more cipher suites? Thanks.

By the way, I am working on a macOS app. Xcode version: 16. macOS version: 15.6.

It might seem like the mechanism to build the list of cypher suites in the Client Hello is simple — you start out with some defaults and then every call to sec_protocol_options_append_tls_ciphersuite adds one to the end — but that’s not the case. Like pretty much everything in TLS, it’s ridiculously complicated, based on factors like TLS version, policy, hardware capabilities, and so on.

You can get an inkling of this in the BoringSSL open source but the Apple version of that is significantly more complicated. After spending way too much time down that rabbit hole, I came to the conclusion that I was actually trying to describe the implementation, not the API, and that’s not good [1].

I think the only thing you can safely say about the sec_protocol_options_append_tls_ciphersuite API is that it adds the cypher suite to the list of cypher suites that the implementation might choose to use.

Which brings me to a question: What’s your high-level goal here? Why do you need these specific cypher suites enabled?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] The risk with describing implementation details is that folks treat them like APIs, write code that depends on them, and then get grumpy when they change.
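The answer above makes the practical point: the only contract sec_protocol_options_append_tls_ciphersuite offers is that the suite becomes eligible, so the thing to verify is what the connection actually negotiated, not what the Client Hello contains. The Swift below is an added example written for this thread; it is not the original poster's code and not Apple sample code. It wires the three suites from the question into NWParameters, opens a connection, and reads the negotiated protocol version and cipher suite from the TLS metadata. The host example.com and the 10-second timeout are placeholders, and the semaphore wait is only appropriate for a command-line check, not for an app's main thread.

```swift
import Foundation
import Network
import Security

/// Builds NWParameters for TLS over TCP and appends extra cipher suites.
/// Appending only makes a suite eligible; the framework decides whether and
/// where it appears in the Client Hello (see the answer above).
func makeTLSParameters(extraSuites: [tls_ciphersuite_t]) -> NWParameters {
    let tlsOptions = NWProtocolTLS.Options()
    let secOptions = tlsOptions.securityProtocolOptions

    // The three suites from the question are TLS 1.2 CBC suites. TLS 1.3 only
    // negotiates AEAD suites, so they can only be chosen if TLS 1.2 is permitted
    // and the server does not pick TLS 1.3.
    sec_protocol_options_set_min_tls_protocol_version(secOptions, .TLSv12)

    for suite in extraSuites {
        sec_protocol_options_append_tls_ciphersuite(secOptions, suite)
    }
    return NWParameters(tls: tlsOptions)
}

/// Opens a connection and returns the negotiated TLS version and cipher suite,
/// or nil if the handshake did not complete within `timeout`.
/// Blocks the calling thread: for a command-line probe, not app UI code.
func probeNegotiatedSuite(host: String,
                          port: UInt16,
                          parameters: NWParameters,
                          timeout: TimeInterval = 10) -> (tls_protocol_version_t, tls_ciphersuite_t)? {
    let connection = NWConnection(host: NWEndpoint.Host(host),
                                  port: NWEndpoint.Port(rawValue: port)!,
                                  using: parameters)
    let done = DispatchSemaphore(value: 0)
    var result: (tls_protocol_version_t, tls_ciphersuite_t)?

    connection.stateUpdateHandler = { state in
        switch state {
        case .ready:
            // The TLS metadata is only available once the handshake finished.
            if let metadata = connection.metadata(definition: NWProtocolTLS.definition)
                as? NWProtocolTLS.Metadata {
                let secMeta = metadata.securityProtocolMetadata
                result = (sec_protocol_metadata_get_negotiated_tls_protocol_version(secMeta),
                          sec_protocol_metadata_get_negotiated_tls_ciphersuite(secMeta))
            }
            done.signal()
        case .failed(let error):
            print("connection failed: \(error)")
            done.signal()
        case .cancelled:
            done.signal()
        default:
            break
        }
    }
    connection.start(queue: DispatchQueue(label: "tls-probe"))
    _ = done.wait(timeout: .now() + timeout)
    connection.cancel()
    return result
}

// The three suites the question wants to add.
let extraSuites: [tls_ciphersuite_t] = [
    .ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    .ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    .ECDHE_RSA_WITH_AES_256_CBC_SHA384,
]

let parameters = makeTLSParameters(extraSuites: extraSuites)
// example.com is a placeholder; point this at the server you actually care about.
if let (version, suite) = probeNegotiatedSuite(host: "example.com", port: 443, parameters: parameters) {
    // Both enums are backed by the IANA 16-bit values, so print them as hex.
    print("negotiated TLS version 0x\(String(version.rawValue, radix: 16)), "
        + "cipher suite 0x\(String(suite.rawValue, radix: 16))")
    if extraSuites.contains(suite) {
        print("one of the appended suites was used")
    }
}
```

If the negotiated suite is one of the appended ones, the append worked regardless of where (or whether) a packet capture showed it in the Client Hello. If the server negotiates TLS 1.3, none of these CBC suites can be selected, so test against a server that is pinned to TLS 1.2 before concluding that the API ignored them.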
