TLS/SSL
XMPPStream automatically uses TLS if an XMPP server requires it. To start TLS regardless of whether the server marks it as optional or required, set the startTLSPolicy property on XMPPStream to XMPPStreamStartTLSPolicyRequired:
    xmppStream.startTLSPolicy = XMPPStreamStartTLSPolicyRequired;
Security Settings
Immediately before the stream is secured via TLS/SSL, the xmppStream:willSecureWithSettings: delegate method is called. To evaluate the peer's certificate chain yourself instead of letting the socket do it, add GCDAsyncSocketManuallyEvaluateTrust to the settings with a value of @(YES):
    - (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
    {
        // Tell GCDAsyncSocket to hand the SecTrustRef to the delegate instead of evaluating it itself.
        settings[GCDAsyncSocketManuallyEvaluateTrust] = @(YES);
    }
Then, in the delegate method xmppStream:didReceiveTrust:completionHandler:, you can use SecTrustEvaluate (and related functions) to properly validate the peer and report the verdict through the completion handler. The handler must be called exactly once, or the connection never proceeds:
    - (void)xmppStream:(XMPPStream *)sender
           didReceiveTrust:(SecTrustRef)trust
         completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
    {
        // Evaluate the peer's certificate chain against the system trust store.
        // Calling completionHandler(YES) unconditionally would accept any certificate.
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(trust, &result);
        BOOL trusted = (status == errSecSuccess) &&
                       (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
        completionHandler(trusted);
    }
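The following is an added example, not code from the XMPPFramework wiki or project. It extends the delegate method above in two ways a practitioner usually wants: it replaces whatever policy the socket attached with an SSL server policy bound to the XMPP domain the client expects (so a valid certificate for some other host is still rejected), and it runs the evaluation off the delegate queue, which GCDAsyncSocket permits as long as the completion handler is eventually invoked. The expectedDomain property is assumed to exist and to hold the domain the stream was configured for.

```objc
#import <Security/Security.h>
#import "XMPPFramework.h"

// Added example (not XMPPFramework's own code). `self.expectedDomain` is a
// hypothetical property holding the JID domain this stream was configured for.
- (void)xmppStream:(XMPPStream *)sender
       didReceiveTrust:(SecTrustRef)trust
     completionHandler:(void (^)(BOOL shouldTrustPeer))completionHandler
{
    NSString *expectedDomain = self.expectedDomain;   // hypothetical property

    // Bind the evaluation to the expected domain: SecPolicyCreateSSL(true, host)
    // makes SecTrustEvaluate check the certificate's name against `host`, in
    // addition to chain building and expiry checks.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)expectedDomain);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);

    // Chain building and revocation checks can block, so keep them off the
    // delegate queue. The trust object must outlive the delegate call.
    CFRetain(trust);
    dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{
        SecTrustResultType result = kSecTrustResultInvalid;
        OSStatus status = SecTrustEvaluate(trust, &result);

        // Only "proceed" (user-trusted) and "unspecified" (trusted by policy
        // with no user override) count as success; everything else fails closed.
        BOOL trusted = (status == errSecSuccess) &&
                       (result == kSecTrustResultUnspecified ||
                        result == kSecTrustResultProceed);
        CFRelease(trust);

        // The handler must be invoked exactly once, on any queue.
        completionHandler(trusted);
    });
}
```

On iOS 12 / macOS 10.14 and later, SecTrustEvaluateWithError returns a BOOL and a CFErrorRef describing why evaluation failed, which is easier to log than the result enum; the verdict logic is the same.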
Cipher Suites
This is an advanced setting; do not set it unless you understand the consequences.
To restrict the cipher suites offered in the handshake, set GCDAsyncSocketSSLCipherSuites to an array of NSNumber objects, each wrapping an SSLCipherSuite value:
    #import <Security/SecureTransport.h>

    - (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
    {
        NSMutableArray *cipherSuites = [NSMutableArray array];
        size_t numberOfCiphers = 0;

        // A throwaway client-side context is used only to enumerate the suites
        // this OS build supports; the socket creates its own context later.
        SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
        SSLGetNumberSupportedCiphers(sslContext, &numberOfCiphers);
        SSLCipherSuite ciphers[numberOfCiphers];
        SSLGetSupportedCiphers(sslContext, ciphers, &numberOfCiphers);
        CFRelease(sslContext);   // SSLCreateContext returns a +1 CF object

        for (size_t index = 0; index < numberOfCiphers; index++)
        {
            NSNumber *cipher = [NSNumber numberWithUnsignedShort:ciphers[index]];
            [cipherSuites addObject:cipher];
        }
        // This hands the socket every supported suite, i.e. the default behaviour;
        // an actual restriction would add only the suites you want to offer.
        [settings setObject:cipherSuites forKey:GCDAsyncSocketSSLCipherSuites];
    }
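The block above enumerates every suite Secure Transport supports, which is what the socket would offer anyway. The following is an added example, not code from the XMPPFramework wiki or project, showing what an actual restriction looks like: an allow-list of forward-secret AEAD suites, intersected with what the running OS actually supports, plus a TLS 1.2 floor. The GCDAsyncSocketSSLProtocolVersionMin key is assumed to be available in the GCDAsyncSocket version in use.

```objc
#import <Security/SecureTransport.h>
#import <Security/CipherSuite.h>
#import "XMPPFramework.h"

// Added example (not XMPPFramework's own code): offer only ECDHE + AES-GCM
// suites and refuse protocol versions below TLS 1.2.
- (void)xmppStream:(XMPPStream *)sender willSecureWithSettings:(NSMutableDictionary *)settings
{
    // Allow-list: ECDHE key exchange (forward secrecy) with AES-GCM (AEAD).
    // Order is the client's preference order.
    SSLCipherSuite allowed[] = {
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };
    size_t allowedCount = sizeof(allowed) / sizeof(allowed[0]);

    // Enumerate what this OS build supports so the list only ever contains
    // suites Secure Transport can actually negotiate.
    SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
    size_t supportedCount = 0;
    SSLGetNumberSupportedCiphers(ctx, &supportedCount);
    if (supportedCount == 0) {
        CFRelease(ctx);
        return;   // nothing to intersect with; leave the socket's defaults alone
    }
    SSLCipherSuite supported[supportedCount];
    SSLGetSupportedCiphers(ctx, supported, &supportedCount);
    CFRelease(ctx);

    NSMutableArray<NSNumber *> *cipherSuites = [NSMutableArray array];
    for (size_t i = 0; i < allowedCount; i++) {
        for (size_t j = 0; j < supportedCount; j++) {
            if (supported[j] == allowed[i]) {
                [cipherSuites addObject:@(allowed[i])];
                break;
            }
        }
    }

    // Handing over an empty list would leave the handshake with nothing to
    // offer, so only apply the restriction when at least one suite survived.
    if (cipherSuites.count > 0) {
        settings[GCDAsyncSocketSSLCipherSuites] = cipherSuites;
    }
    // Assumed key: GCDAsyncSocket forwards this to SSLSetProtocolVersionMin.
    settings[GCDAsyncSocketSSLProtocolVersionMin] = @(kTLSProtocol12);
}
```

Restricting the offered suites is only useful if the server also supports at least one of them; test against every server the client is expected to reach before shipping such a list, since a mismatch surfaces as a handshake failure rather than a clear error.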