TLS For Accessory Developers: does it work for non-local network?

I'm following the approach in https://developer.apple.com/forums/thread/703234 section "Doing Even Better: Proper Security".

My question is: does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?

I tried and: SecTrustEvaluateWithError(trust, nil) returns true, but TLS still fails:

ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)

<snip>

Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,

Here is my code :

        var err = SecTrustSetPolicies(trust, SecPolicyCreateBasicX509())
        os_log("SecTrustSetPolicies returns \(err)")
        err = SecTrustSetAnchorCertificates(trust, [self.myCA] as NSArray)
        os_log("SecTrustSetAnchorCertificates returns \(err)")
        err = SecTrustSetAnchorCertificatesOnly(trust, true)
        os_log("SecTrustSetAnchorCertificatesOnly returns \(err)")

        // check the trust object
        let evalResult = SecTrustEvaluateWithError(trust, nil)
        os_log("SecTrust eval result: \(evalResult)")
        
        // create a credential with accepted server trust.
        let credential = URLCredential(trust: trust)
        completionHandler(.useCredential, credential)

the logs are:

SecTrustSetPolicies returns 0
SecTrustSetAnchorCertificates returns 0
SecTrustSetAnchorCertificatesOnly returns 0
SecTrust eval result: true

Did I do anything wrong? or is it not supported outside the local network?

Thanks.

Up vote post of keepsimple Down vote post of keepsimple
288 views
Posted by
keepsimple
Reply

  • Another question I have is: based on NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway? , can I opt to connect to the server anyway programmatically?

    keepsimple
Add a Comment

Accepted Reply

does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?

Sure. There’s nothing specific to the local network about that technique.

One thing to be careful of here is ATS, which has different options for disabling it locally versus non-locally. And this log message:

ATS failed system trust

suggests that you do indeed have an ATS issue.

can I opt to connect to the server anyway programmatically?

Yes. But you need to disable ATS and you need to override the default server trust evaluation done by URLSession.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Thanks! Just to confirm, adding NSAppTransportSecurity group then add NSAllowsArbitraryLoads=YES key to property list helped!

    keepsimple
Add a Comment

Replies

does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?

Sure. There’s nothing specific to the local network about that technique.

One thing to be careful of here is ATS, which has different options for disabling it locally versus non-locally. And this log message:

ATS failed system trust

suggests that you do indeed have an ATS issue.

can I opt to connect to the server anyway programmatically?

Yes. But you need to disable ATS and you need to override the default server trust evaluation done by URLSession.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Thanks! Just to confirm, adding NSAppTransportSecurity group then add NSAllowsArbitraryLoads=YES key to property list helped!

    keepsimple
Add a Comment