Posts

Post not yet marked as solved
1 Reply
Looks like I have a workaround for now using the following at the beginning of the methods that shouldn't be run in extensions:

    // In an app extension, mainBundle is the extension's own <name>.appex bundle.
    if ([[[NSBundle mainBundle] bundlePath] hasSuffix:@".appex"]) {
        return; // this is an app extension
    }
Post not yet marked as solved
7 Replies
Ok, I tried removing the root payload, installed it, and it would not connect 😟. Still working on how to get a mobileconfig that we can parse and use the certificate data with NEVPNManager. Thanks!
Post not yet marked as solved
7 Replies
When you say "I'd recommend that you confirm that", how would I do that? If I run the following against the profile it shows information about Let's Encrypt, but maybe this isn't what you mean?

    openssl pkcs7 -inform DER -print_certs -in test.mobileconfig > test.pem
    openssl x509 -in test.pem -noout -text

I can remove the com.apple.security.root payload from the mobileconfig by hand, but I'm not sure how that helps me with NEVPNManager? I'm not actually using that section for anything in the NEVPNManager or IKEv2 parameters in code because I'm not sure where it fits. My lack of understanding of certificates and chains could be causing issues here. Is there something in the pkcs12 that points to that invalid root?

Edit: After looking at this more and talking to my co-worker about how the profile was created, I think we are not using Let's Encrypt the way that I originally thought. It seems Let's Encrypt basically just signed the profile that was created by AlgoVPN (after the fact). I think we still need to figure out how to create the profile with a valid certificate, which may be difficult with Algo since everything is automated and done by scripts. I think they use self-signed certs because it was designed to be a "personal" VPN. From a response to an issue on their github: "They're self-signed...and the only person with the keys is you. This is the whole point of Algo -- you're the only one who gets to see your traffic."

I'll try removing that root payload section, but if it helps, here's the current sample code I'm using with some things hardcoded (to values that are in the profile) and some pulled from the mobileconfig:

    // At the top of the .m file: NetworkExtension for NEVPNManager, CocoaLumberjack for DDLogInfo.
    #import <NetworkExtension/NetworkExtension.h>
    #import <CocoaLumberjack/CocoaLumberjack.h>

    // ipsecProfile is an NSURL to the .mobileconfig. dictionaryWithContentsOfURL: only reads a
    // bare plist; a CMS-signed profile (DER) comes back as nil, so strip the signature first.
    NSDictionary *ipdict = [NSDictionary dictionaryWithContentsOfURL:ipsecProfile];
    NEVPNManager *manager = [NEVPNManager sharedManager];
    manager.onDemandEnabled = YES;

    NSMutableArray *rules = [[NSMutableArray alloc] init];
    NEOnDemandRuleConnect *connectRule = [NEOnDemandRuleConnect new];
    NEOnDemandRuleDisconnect *disconnectRule = [NEOnDemandRuleDisconnect new];
    [rules addObject:connectRule];
    [rules addObject:disconnectRule];

    NEVPNProtocolIKEv2 *protocol = [[NEVPNProtocolIKEv2 alloc] init];
    protocol.authenticationMethod = NEVPNIKEAuthenticationMethodCertificate;

    // Child (ESP) SA parameters.
    protocol.childSecurityAssociationParameters.diffieHellmanGroup = NEVPNIKEv2DiffieHellmanGroup20;
    protocol.childSecurityAssociationParameters.encryptionAlgorithm = NEVPNIKEv2EncryptionAlgorithmAES256GCM;
    protocol.childSecurityAssociationParameters.integrityAlgorithm = NEVPNIKEv2IntegrityAlgorithmSHA512;
    protocol.childSecurityAssociationParameters.lifetimeMinutes = 1440;

    protocol.deadPeerDetectionRate = NEVPNIKEv2DeadPeerDetectionRateMedium;
    protocol.disableMOBIKE = NO;
    protocol.disableRedirect = YES;
    protocol.enableRevocationCheck = NO;
    protocol.enablePFS = YES;

    // IKE SA parameters.
    protocol.IKESecurityAssociationParameters.diffieHellmanGroup = NEVPNIKEv2DiffieHellmanGroup20;
    protocol.IKESecurityAssociationParameters.encryptionAlgorithm = NEVPNIKEv2EncryptionAlgorithmAES256GCM;
    protocol.IKESecurityAssociationParameters.integrityAlgorithm = NEVPNIKEv2IntegrityAlgorithmSHA512;
    protocol.IKESecurityAssociationParameters.lifetimeMinutes = 1440;

    // Payload [0] is the VPN payload, payload [1] the com.apple.security.pkcs12 identity.
    NSArray *parray = [ipdict objectForKey:@"PayloadContent"];
    NSDictionary *pcontent = parray[0];
    NSDictionary *pcontent2 = parray[1];
    protocol.localIdentifier = [pcontent valueForKeyPath:@"IKEv2.LocalIdentifier"];
    protocol.certificateType = NEVPNIKEv2CertificateTypeECDSA384;
    protocol.serverCertificateIssuerCommonName = [pcontent valueForKeyPath:@"IKEv2.ServerCertificateIssuerCommonName"];
    protocol.serverAddress = [pcontent valueForKeyPath:@"IKEv2.RemoteAddress"];
    protocol.remoteIdentifier = [pcontent valueForKeyPath:@"IKEv2.RemoteIdentifier"];
    protocol.useConfigurationAttributeInternalIPSubnet = NO;
    // proxySettings is nil until assigned, so these two lines are messages to nil (no-ops).
    protocol.proxySettings.HTTPEnabled = NO;
    protocol.proxySettings.HTTPSEnabled = NO;
    protocol.username = [pcontent valueForKeyPath:@"UserDefinedName"];
    protocol.identityDataPassword = [pcontent2 valueForKey:@"Password"];
    protocol.identityData = [pcontent2 valueForKey:@"PayloadContent"];  // PKCS#12 blob
    protocol.useExtendedAuthentication = NO;
    protocol.disconnectOnSleep = NO;

    // load -> configure -> save -> load again -> start (the reload is the forum-suggested step).
    [manager loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
        if (loadError) {
            DDLogInfo(@"IPSEC loadFromPreferencesWithCompletionHandler error: %@", loadError.localizedDescription);
            return;
        }
        manager.onDemandEnabled = YES;
        [manager setOnDemandRules:rules];
        manager.protocolConfiguration = protocol;
        [manager setLocalizedDescription:@"IPSEC VPN"];
        [manager saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) {
                DDLogInfo(@"IPSEC saveToPreferencesWithCompletionHandler error: %@", saveError.localizedDescription);
                return;
            }
            [manager loadFromPreferencesWithCompletionHandler:^(NSError *reloadError) {
                if (reloadError) {
                    DDLogInfo(@"IPSEC loadFromPreferencesWithCompletionHandler2 error: %@", reloadError.localizedDescription);
                    return;
                }
                NSError *startError = nil;
                [manager.connection startVPNTunnelAndReturnError:&startError];
                if (startError) {
                    DDLogInfo(@"IPSEC Start error: %@", startError.localizedDescription);
                }
            }];
        }];
    }];

Side note: Along the way I tried a bunch of things from various posts that may or may not be useful. For instance, I "loadFromPreferencesWithCompletionHandler" and then "save" and then "load" again before trying to start the VPN because of comments on various forums.
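An added example, not the poster's code, for the two sub-problems in the thread above: getting a parseable plist out of a CMS-signed .mobileconfig (the `openssl pkcs7 -print_certs` command above only shows the certificates of the profile's signer, which is separate from the VPN server's certificate), and pulling out of the plist exactly the fields the NEVPNProtocolIKEv2 snippet reads, while flagging a com.apple.security.root payload that NEVPNManager cannot install. Standard library only. The sample profile, its addresses and its certificate bytes are constructed placeholders; the payload keys `com.apple.vpn.managed`, `VPNType` and `IKEv2.PayloadCertificateUUID` are assumed from Apple's Configuration Profile Reference, the rest appear in the post. The CMS signature is not verified here.

```python
"""Unwrap a CMS-signed iOS .mobileconfig and extract IKEv2 parameters.

Added example (not from the forum thread). Standard library only; the
sample profile and all certificate bytes below are constructed placeholders.
"""
import plistlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(buf, off=0):
    """Return (tag, value_start, value_end) of the DER TLV at buf[off:]."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    return tag, off + hdr, off + hdr + length


def der_children(buf, start, end):
    """Yield the TLVs packed inside a constructed value."""
    off = start
    while off < end:
        tlv = der_tlv(buf, off)
        yield tlv
        off = tlv[2]


def cms_unwrap(data):
    """Return (embedded_bytes, signing_cert_count). A bare XML/binary plist is
    returned unchanged with count 0. No signature check is performed."""
    if not data or data[0] != 0x30:
        return data, 0
    _, s, e = der_tlv(data)                                  # ContentInfo
    kids = list(der_children(data, s, e))
    if len(kids) != 2 or kids[0][0] != 0x06 or data[kids[0][1]:kids[0][2]] != OID_SIGNED_DATA:
        return data, 0
    _, s, e = der_tlv(data, kids[1][1])                      # [0] EXPLICIT -> SignedData
    sd = list(der_children(data, s, e))                      # version, digestAlgs, encap, [certs], [crls], signerInfos
    ek = list(der_children(data, sd[2][1], sd[2][2]))        # eContentType, [0] eContent
    if len(ek) < 2:
        raise ValueError("detached signature: profile body is not embedded")
    tag, os_s, os_e = der_tlv(data, ek[1][1])                # OCTET STRING inside [0]
    if tag == 0x04:
        body = data[os_s:os_e]
    elif tag == 0x24:                                        # BER constructed OCTET STRING: join chunks
        body = b"".join(data[a:b] for _, a, b in der_children(data, os_s, os_e))
    else:
        raise ValueError("unexpected eContent encoding")
    certs = 0
    for t, cs, ce in sd[3:]:
        if t == 0xA0:                   # certificates [0]: the profile SIGNER's chain (e.g. Let's Encrypt)
            certs = sum(1 for _ in der_children(data, cs, ce))
    return body, certs


def load_profile(data):
    return plistlib.loads(cms_unwrap(data)[0])


def payloads_by_type(profile):
    out = {}
    for p in profile.get("PayloadContent", []):
        out.setdefault(p.get("PayloadType"), []).append(p)
    return out


def ikev2_parameters(profile):
    """The values the NEVPNProtocolIKEv2 snippet sets, resolving the client identity
    through IKEv2.PayloadCertificateUUID rather than assuming it is payload [1]."""
    by_type = payloads_by_type(profile)
    ike = by_type["com.apple.vpn.managed"][0]["IKEv2"]
    ids = {p["PayloadUUID"]: p for p in by_type.get("com.apple.security.pkcs12", [])}
    identity = ids.get(ike.get("PayloadCertificateUUID")) or next(iter(ids.values()), None)
    if identity is None:
        raise ValueError("no com.apple.security.pkcs12 payload for the client identity")
    roots = by_type.get("com.apple.security.root", [])
    warnings = []
    if roots:   # NEVPNManager installs no trust anchors; the server cert must chain to a CA iOS already trusts
        warnings.append("profile carries com.apple.security.root; NEVPNManager will not install it")
    return {"serverAddress": ike["RemoteAddress"], "remoteIdentifier": ike["RemoteIdentifier"],
            "localIdentifier": ike["LocalIdentifier"],
            "serverCertificateIssuerCommonName": ike.get("ServerCertificateIssuerCommonName"),
            "identityData": identity["PayloadContent"], "identityDataPassword": identity.get("Password"),
            "customRootCount": len(roots), "warnings": warnings}


# ---- constructed sample input --------------------------------------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SAMPLE_PROFILE = {  # constructed; mirrors the VPN, pkcs12 and root payloads discussed in the thread
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": "example.vpn",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "PayloadUUID": "1111", "UserDefinedName": "Example VPN",
         "VPNType": "IKEv2", "IKEv2": {"RemoteAddress": "203.0.113.10", "RemoteIdentifier": "203.0.113.10",
                                       "LocalIdentifier": "alice", "ServerCertificateIssuerCommonName": "203.0.113.10",
                                       "PayloadCertificateUUID": "2222"}},
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "2222", "Password": "hunter2",
         "PayloadContent": b"\x30\x00placeholder-not-a-real-pkcs12"},
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "3333",
         "PayloadContent": b"\x30\x00placeholder-not-a-real-x509"},
    ],
}

def build_unsigned_sample():
    return plistlib.dumps(SAMPLE_PROFILE)

def build_signed_sample():
    """Wrap the sample plist in a CMS SignedData shell with two placeholder signer certs."""
    encap = der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, build_unsigned_sample())))
    chain = der(0xA0, der(0x30, b"\x02\x01\x01") + der(0x30, b"\x02\x01\x02"))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + encap + chain + der(0x31, b""))
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))

if __name__ == "__main__":
    blob = build_signed_sample()
    print("signer certs in CMS wrapper:", cms_unwrap(blob)[1])
    for k, v in ikev2_parameters(load_profile(blob)).items():
        print(k, "=", v if k != "identityData" else f"<{len(v)} bytes>")
```

Run it on a real profile by replacing `build_signed_sample()` with the file's bytes; a profile that iOS shows as "Not Signed" takes the plain-plist path and reports 0 signer certs, while a signed one reports the signer's chain, which says nothing about whether the VPN server's own certificate is trusted.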
Post not yet marked as solved
7 Replies
Thank you for the response and sorry for the confusion. There are two payloads in the configuration file. One PayloadType is "com.apple.security.pkcs12" and one is "com.apple.security.root".

We are using an AlgoVPN server that is automatically set up with a set of scripts. If I go to manually install the mobileconfig it produces with the default setup, in the details of Settings -> Profile Downloaded, it shows two certificates and shows up as "Not Signed". It looks like the root CN is just the IP address of the server.

So, we updated the server to use Let's Encrypt (or at least we tried). With the updated profile, if I manually load and then look in Settings, it shows as signed and verified. In More Details it shows two certificates (similar to the default with one of them having the IP address of the server as the CN) as well as two signing certificates (related to Let's Encrypt).

In https://forums.developer.apple.com/thread/84679, you mentioned that "The profile contains a custom root certificate (a payload of type com.apple.security.root). Presumably your VPN server has a certificate issued by that custom root certificate." Our profile does have that payload type. But then you also said "If you want to continue down the NEVPNManager path you will have to get a trusted CA to issue you a certificate for your VPN server." That's what we were trying to accomplish with the updated profile. Are we still missing or misunderstanding something?
Post not yet marked as solved
4 Replies
We are seeing the same thing. Check out hubauer and Alex T's responses on https://forums.developer.apple.com/message/384064
Post marked as solved
34 Replies
We have the same issue but it does not seem to be solved by the fix recommended by Alex T. Has anybody else tried this?

This is completely baffling. Currently running iOS 13.1.2, and the primary issue is only seen on XR. I can force a crash by turning the phone to horizontal orientation right as I lock it (which causes a split screen in our app on larger phones like XR).

We have noticed that when we do not allow Location (While in use), we do not get the first exception with CoreLocation. But then we get the com.apple.runningboardservices.connection.incoming or a BSXPCCNx:com.apple.frontboard.systemappservices crash. Either way, the stack trace ends in the dyld3::closure.

Looking back, this didn't start when I updated to iOS 13 beta. It didn't even start when I was using the Xcode 11 beta. Somewhere around the time I switched to Xcode 11 it started, but we didn't notice it at first. If I load the build prior to that from TestFlight, built with Xcode 11 (GM seed I think), no crash. Also, it will not crash if built/loaded from Xcode (DEBUG version), but only from TestFlight or App Store.

Since I know which build the crashes started with, I went back to an older commit and rebuilt source code from there. It still crashes.

I removed Xcode 11 entirely (and the various cached files), installed Xcode 10.3 and rebuilt, but it is still crashing.

I realized that I had also started a new branch right around the time it broke and added a Personal VPN entitlement in the new branch, which forced me to update my Provisioning Profile. When we noticed the crashing, I switched back to the main branch to try to fix. Completely grasping at straws by this point, just in case it mattered, I even removed the Personal VPN entitlement and deleted all old provisioning profiles. It is still crashing.

I have uninstalled/reinstalled the app several times after various attempts at fixes too just in case it helped.

I may open a support ticket or repost this in a different thread, but thought I'd see if anyone here tried Alex T's suggestion or tried other things that might work?

I can't release our app like this, but I also currently changed the app-wide Data Protection entitlement from NSFileProtectionComplete to NSFileProtectionCompleteUntilFirstUserAuthentication (which I think is default) just to see if that changes anything. Waiting for TestFlight to finish processing to test that.
Post marked as solved
34 Replies
Looks like changing the app-wide Data Protection entitlement from NSFileProtectionComplete to NSFileProtectionCompleteUntilFirstUserAuthentication, instead of just the temp directory, worked (though more testing is needed). But that creates other issues for us. Anyone know if this is on Apple's radar?