add option to force to use TLS 1.0

Classes/ASIHTTPRequest.h

@@ -366,6 +366,9 @@ typedef void (^ASIDataBlock)(NSData *data);
 	// When NO, requests will not check the secure certificate is valid (use for self-signed certificates during development, DO NOT USE IN PRODUCTION) Default is YES
 	BOOL validatesSecureCertificate;
 
+    // When YES, the kCFStreamSSLLevel will set to kCFStreamSocketSecurityLevelTLSv1 in kCFStreamPropertySSLSettings, mainly to avoid the SSL3.0 vulnerability Default is NO
+    BOOL onlyUseTLS1;
+
     // If not nil and the URL scheme is https, CFNetwork configured to supply a client certificate
     SecIdentityRef clientCertificateIdentity;
 	NSArray *clientCertificates;
@@ -969,6 +972,7 @@ typedef void (^ASIDataBlock)(NSData *data);
 @property (atomic, assign, readonly) unsigned long long partialDownloadSize;
 @property (atomic, assign) BOOL shouldRedirect;
 @property (atomic, assign) BOOL validatesSecureCertificate;
+@property (atomic, assign) BOOL onlyUseTLS1;
 @property (atomic, assign) BOOL shouldCompressRequestBody;
 @property (atomic, retain) NSURL *PACurl;
 @property (atomic, retain) NSString *authenticationScheme;

Classes/ASIHTTPRequest.m

@@ -298,6 +298,7 @@ - (id)initWithURL:(NSURL *)newURL
 	[self setUseSessionPersistence:YES];
 	[self setUseCookiePersistence:YES];
 	[self setValidatesSecureCertificate:YES];
+    [self setOnlyUseTLS1:NO];
 	[self setRequestCookies:[[[NSMutableArray alloc] init] autorelease]];
 	[self setDidStartSelector:@selector(requestStarted:)];
 	[self setDidReceiveResponseHeadersSelector:@selector(request:didReceiveResponseHeaders:)];
@@ -1210,23 +1211,6 @@ - (void)startRequest
 
     if([[[[self url] scheme] lowercaseString] isEqualToString:@"https"]) {       
 
-        // Tell CFNetwork not to validate SSL certificates
-        if (![self validatesSecureCertificate]) {
-            // see: http://iphonedevelopment.blogspot.com/2010/05/nsstream-tcp-and-ssl.html
-
-            NSDictionary *sslProperties = [[NSDictionary alloc] initWithObjectsAndKeys:
-                                      [NSNumber numberWithBool:YES], kCFStreamSSLAllowsExpiredCertificates,
-                                      [NSNumber numberWithBool:YES], kCFStreamSSLAllowsAnyRoot,
-                                      [NSNumber numberWithBool:NO],  kCFStreamSSLValidatesCertificateChain,
-                                      kCFNull,kCFStreamSSLPeerName,
-                                      nil];
-
-            CFReadStreamSetProperty((CFReadStreamRef)[self readStream], 
-                                    kCFStreamPropertySSLSettings, 
-                                    (CFTypeRef)sslProperties);
-            [sslProperties release];
-        } 
-
         // Tell CFNetwork to use a client certificate
         if (clientCertificateIdentity) {
             NSMutableDictionary *sslProperties = [NSMutableDictionary dictionaryWithCapacity:1];
@@ -1243,7 +1227,39 @@ - (void)startRequest
 
             [sslProperties setObject:certificates forKey:(NSString *)kCFStreamSSLCertificates];
 
+            if ([self onlyUseTLS1]) {
+                [sslProperties setObject:(id)kCFStreamSocketSecurityLevelTLSv1 forKey:(id)kCFStreamSSLLevel];
+            }
+
             CFReadStreamSetProperty((CFReadStreamRef)[self readStream], kCFStreamPropertySSLSettings, sslProperties);
+
+        } else {
+
+            NSMutableDictionary *sslProperties = [NSMutableDictionary dictionary];
+
+            if ([self onlyUseTLS1]) {
+                [sslProperties setObject: (id)kCFStreamSocketSecurityLevelTLSv1 forKey:(id)kCFStreamSSLLevel];
+            }
+
+            // Tell CFNetwork not to validate SSL certificates
+            if (![self validatesSecureCertificate]) {
+                // see: http://iphonedevelopment.blogspot.com/2010/05/nsstream-tcp-and-ssl.html
+
+                [sslProperties setObject:[NSNumber numberWithBool:NO] forKey:(id)kCFStreamSSLValidatesCertificateChain];
+                [sslProperties setObject:(id)kCFNull forKey:(id)kCFStreamSSLPeerName];
+
+            } else {
+
+                [sslProperties setObject:(id)kCFBooleanTrue forKey:(id)kCFStreamSSLValidatesCertificateChain];
+
+            }
+
+            if ([sslProperties count] > 0) {
+                CFReadStreamSetProperty((CFReadStreamRef)[self readStream],
+                                        kCFStreamPropertySSLSettings,
+                                        (CFTypeRef)sslProperties);
+            }
+
         }
 
     }
@@ -1642,6 +1658,7 @@ - (ASIHTTPRequest *)HEADRequest
 	[headRequest setTimeOutSeconds:[self timeOutSeconds]];
 	[headRequest setUseHTTPVersionOne:[self useHTTPVersionOne]];
 	[headRequest setValidatesSecureCertificate:[self validatesSecureCertificate]];
+    [headRequest setOnlyUseTLS1:[self onlyUseTLS1]];
     [headRequest setClientCertificateIdentity:clientCertificateIdentity];
 	[headRequest setClientCertificates:[[clientCertificates copy] autorelease]];
 	[headRequest setPACurl:[self PACurl]];
@@ -4094,6 +4111,7 @@ - (id)copyWithZone:(NSZone *)zone
 	[newRequest setUseHTTPVersionOne:[self useHTTPVersionOne]];
 	[newRequest setShouldRedirect:[self shouldRedirect]];
 	[newRequest setValidatesSecureCertificate:[self validatesSecureCertificate]];
+    [newRequest setOnlyUseTLS1:[self onlyUseTLS1]];
     [newRequest setClientCertificateIdentity:clientCertificateIdentity];
 	[newRequest setClientCertificates:[[clientCertificates copy] autorelease]];
 	[newRequest setPACurl:[self PACurl]];
@@ -5085,6 +5103,7 @@ - (void)setRequestRedirectedBlock:(ASIBasicBlock)aRedirectBlock
 @synthesize updatedProgress;
 @synthesize shouldRedirect;
 @synthesize validatesSecureCertificate;
+@synthesize onlyUseTLS1;
 @synthesize needsRedirect;
 @synthesize redirectCount;
 @synthesize shouldCompressRequestBody;