FB14432734
@smisiewicz Did you find a solution for this? We are also facing a similar issue on iOS 16 and iOS 17.
@eskimo, I have already filed a bug with bug number FB13678215, but I am not hearing back anything there. Please suggest the next steps.
Hi @eskimo, please refer to this: https://developer.apple.com/forums/thread/747963?login=true&page=1#784413022
@eskimo , any updates on this?
@eskimo, we could see this issue with older iOS versions too, whenever the tunnel provider configuration below is saved to the NETunnelProviderManager preferences before calling startTunnelWithOptions:
tunnelProvider.protocolConfiguration.includeAllNetworks = NO;
tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
tunnelProvider.protocolConfiguration.enforceRoutes = YES;
Issue: when we try to access the excludedRoutes IPs (10.168.10.182 and 192.168.10.65), the traffic is tunnelled; because of that a few of our APIs return failures and we are unable to connect to the VPN.
Expected results: the excludedRoutes IPs should go via the physical interface.
STEPS TO REPRODUCE
1. Configure the VPN packet tunnel provider config as mentioned above and add some IPs to excludedRoutes.
2. Save the configuration to the NETunnelProviderManager preferences using saveToPreferencesWithCompletionHandler:.
3. Try to connect to the VPN.
4. Denied resources are tunneled via the VA.
NOTE: This behavior is not seen with split tunnel endpoint routes, where the tunnel provider configuration is:
tunnelProvider.protocolConfiguration.includeAllNetworks = NO;
tunnelProvider.protocolConfiguration.excludeLocalNetworks = YES;
tunnelProvider.protocolConfiguration.enforceRoutes = NO;
Hope this clarifies the issue, @eskimo.
Thanks @eskimo for clarifying this.
@eskimo
Please, one more quick question. I am trying to restrict my search to only the system keychain using kSecMatchSearchList, which requires an array of SecKeychainRef. Now, to retrieve the SecKeychainRef of the system keychain (/Library/Keychains/System.keychain), all of the APIs are deprecated. Could you please provide sample code with non-deprecated APIs to retrieve the SecKeychainRef of the system keychain?
SecKeychainRef keychain = NULL;   // out-param for SecKeychainOpen (deprecated)
SecKeychainOpen("/Library/Keychains/System.keychain", &keychain);
CFArrayRef searchList = NULL;     // SecKeychainCopyDomainSearchList takes a CFArrayRef *, not a SecKeychainRef * (deprecated)
SecKeychainCopyDomainSearchList(kSecPreferencesDomainSystem, &searchList);
I used this command: security list-keychains
I have access to the keychain.
@eskimo, not in the context of the previous question. My question is: to use attributes like kSecMatchSearchList and kSecUseKeychain, how do I fetch the right keychain reference (be it system or login)? All APIs to achieve that (SecKeychainCopyDomainSearchList, SecKeychainGetPath, SecKeychainOpen) seem to be deprecated.
Also, in the document TN3137 it is mentioned: "Queries, like those done using SecItemCopyMatching, consult all keychains in the search list. Use kSecMatchSearchList to override this."
Just to clarify: does that mean it targets all the keychains present on your system, or by "search list" does it mean a search list we provide in the SecItemCopyMatching dictionary?
@eskimo, please clarify the above queries; it will be of big help.
Thanks @eskimo for the valuable links. I went through them. But as I have mentioned, my query is: when I remove the kSecAttrProtocol constraint, I get the below output as one of the attributes in the result ref.
kSecAttrProtocol : htpx
But when I add that as a constraint, I receive item not found.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

NSString *account = @"user";
NSString *server = @"w.x.y.z";
// kSecAttrProtocol expects one of the kSecAttrProtocol* CFString constants
// ("htpx" is kSecAttrProtocolHTTPProxy). Wrapping a SecProtocolType four-char
// code in an NSNumber does not match the stored attribute, which is why the
// query returned errSecItemNotFound.
NSDictionary *query = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassInternetPassword,
    (__bridge id)kSecAttrAccount: account,
    (__bridge id)kSecAttrServer: server,
    (__bridge id)kSecAttrProtocol: (__bridge id)kSecAttrProtocolHTTPProxy,
    (__bridge id)kSecReturnAttributes: (__bridge id)kCFBooleanTrue,
    (__bridge id)kSecReturnData: (__bridge id)kCFBooleanFalse,   // attributes only, no secret
    (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne
};
CFTypeRef result = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
if (status == errSecSuccess) {
    NSDictionary *passwordItem = CFBridgingRelease(result);   // takes ownership of the returned dictionary
    NSLog(@"Internet Password Item Found: %@", passwordItem);
} else if (status == errSecItemNotFound) {
    NSLog(@"Internet Password Item Not Found");
} else {
    NSLog(@"Error retrieving Internet password: %d (%@)", (int)status,
          CFBridgingRelease(SecCopyErrorMessageString(status, NULL)));
}
@eskimo, I need the trust status of an individual certificate. How can I get that?
@eskimo, thank you for the information. One more quick question: in the above documentation it is mentioned that
File-based keychains are stored, as the name suggests, in files. Every context has a keychain search list and a default keychain. In a user context the search list includes a per-user login keychain and a single System keychain, with the former being the default. In the system context the search list includes just the System keychain, which is also the default keychain.
When using the SecItem API to target the file-based keychain:
SecItemAdd adds the item to the default keychain. Use kSecUseKeychain to override this.
Queries, like those done using SecItemCopyMatching, consult all keychains in the search list. Use kSecMatchSearchList to override this.
So, to use attributes like kSecMatchSearchList and kSecUseKeychain, how do I fetch the right keychain reference (be it system or login)?
Thanks in advance.
@eskimo I went through TN3137 "On Mac keychain APIs and implementations".
I could not completely understand the difference between the file-based keychain and the data protection keychain. Could you please help?
I misread the link I shared. Bundle.main.appStoreReceiptURL?.lastPathComponent == "sandboxReceipt" returns true for both the debug build and the TestFlight build, but returns false for the App Store build.
Thanks!