Hi,
In our app where we use the Genesys Mobile Transport SDK we have a security requirement that we only offer the newest TLS version. It's important to us that weaker/older ciphers and versions are not offered in the TLS client 'hello' handshake packet. I looked at the connections made using Wireshark and found that the SDK in our case uses 3 domains:
api-cdn.euc2.pure.cloud: the library offers v1.3 and v1.2 in the client 'hello'.
api.euc2.pure.cloud: the library also offers v1.3 and v1.2 in the client 'hello'.
webmessaging.euc2.pure.cloud: according to Wireshark this offers v1.3, v1.2, v1.1 and v1.0 in the client 'hello'.
The third domain is the reason for this PR. For the first two domains I can override the offered TLS version in the Info.plist of the app using the NSExceptionDomains, where for a specific domain I configure it like this:
    <key>api-cdn.euc2.pure.cloud</key>
    <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.3</string>
        <key>NSIncludesSubdomains</key>
        <true/>
    </dict>
So that solves the problem for the first 2 domains; we use this with a number of SDKs.
However, the code in the SDK that connects to the webmessaging.euc2.pure.cloud server (the web socket) for some reason does not respond to this Info.plist directive. So this is the reason for my (premature) PR; it was an experiment to see if I can force both the minimum and maximum offered version to v1.3.
If you are aware of a cleaner way of doing this without modifying the SDK, I would be open to that of course. If that is not possible, I'm open to your feedback and questions and would like to work with you on making this acceptable to you. It should be a bit more generic than it is right now for sure.
Thanks,
#WebMessaging
------------------------------
Amira Abdellatif
DevOps Engineer
------------------------------
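
The Wireshark check described in the post can be scripted. The following is an added example, not part of the original post or of the SDK: it lists the versions in a ClientHello's `supported_versions` extension and flags any outside a TLS 1.3-only policy. `build_client_hello` is a helper assumed for this example that constructs a sample record; real input would be the record bytes exported from a capture.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def _is_grease(v):
    # RFC 8701 placeholder values (0x0a0a, 0x1a1a, ...) are not real versions.
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def offered_versions(record):
    """Versions offered by one TLS record that holds a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = int.from_bytes(body[0:2], "big")
    pos = 34                                             # legacy_version + random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 43:                               # supported_versions
            raw = body[pos + 1:pos + 1 + body[pos]]
            vals = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
            return [NAMES.get(v, hex(v)) for v in vals if not _is_grease(v)]
        pos += ext_len
    # No supported_versions extension: legacy_version is the highest version offered.
    return [NAMES.get(legacy, hex(legacy))]

def policy_violations(record, allowed=("TLSv1.3",)):
    """Offered versions that fall outside the allowed set."""
    return [v for v in offered_versions(record) if v not in allowed]

def build_client_hello(versions):
    """Constructed sample (not a capture): minimal ClientHello offering `versions`."""
    sv = b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 0xff01, 1) + b"\x00"       # renegotiation_info, skipped by the parser
    exts += struct.pack("!HHB", 43, len(sv) + 1, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # legacy_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    sample = build_client_hello([0x0304, 0x0303, 0x0302, 0x0301])
    print(offered_versions(sample), policy_violations(sample))
```

The `legacy_version` field reads 0x0303 even in a TLS 1.3 hello, which is why the parser reports the extension contents and only falls back to that field when the extension is absent.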