Merge pull request #1158 from ably/fix/1079-2

Fix for potentially insecure usage of the NSURLSession API
ably · Aug 5, 2021 · 0a81834 · 0a81834
2 parents ba9efd9 + 893d047
commit 0a81834
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/SocketRocket/SocketRocket/Internal/Proxy/ARTSRProxyConnect.m b/SocketRocket/SocketRocket/Internal/Proxy/ARTSRProxyConnect.m
@@ -236,7 +236,13 @@ - (void)_fetchPAC:(NSURL *)PACurl withProxySettings:(NSDictionary *)proxySetting
     }
     __weak typeof(self) wself = self;
     NSURLRequest *request = [NSURLRequest requestWithURL:PACurl];
-    NSURLSession *session = [NSURLSession sharedSession];
+    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
+    if (@available(iOS 13.0, macOS 10.15, tvOS 13.0, *)) {
+        config.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
+    } else {
+        config.TLSMinimumSupportedProtocol = kTLSProtocol12;
+    }
+    NSURLSession *session = [NSURLSession sessionWithConfiguration:config delegate:nil delegateQueue:nil];
     [[session dataTaskWithRequest:request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
         __strong typeof(wself) sself = wself;
         if (!error) {