We've been using remote push notifications from a gateway to allow us to provide auth information.
In some cases there's no sound to tell the user that a notification has arrived.
In our code we specify UNAuthorizationOptionSounds, and the notification settings on the devices are set to allow notifications and sounds for the application.
The client code hasn't changed in a couple of years, so I'm wondering whether something might have happened from the sending side. That's not my strongest area though.
Does anyone know whether there could have been a change in the call generating the push notification which cut off the sound, and where I would look for documentation on that?
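The question above is about the sending side, so here is an added example (not code from the original post or from any gateway product) of the checks a server-side push sender can run on its own APNs request before it goes out. It encodes what the APNs payload format requires for an audible alert: an "aps" dictionary with an "alert" and a "sound" key, a payload under the 4 KB limit, and, since iOS 13, an "apns-push-type" request header that matches the payload (an "alert" push with no "sound" is shown silently; a "content-available" background push never plays a sound). The payloads and the header values are constructed here for illustration; the real gateway payload is not shown in the post.

```python
import json

# Constructed sample payloads for illustration; the gateway's real payload is not
# shown in the post, so these are assumptions about what a sender might emit.

AUDIBLE_PAYLOAD = {
    "aps": {
        "alert": {"title": "Sign-in request", "body": "Approve the sign-in?"},
        "sound": "default",
        "category": "AUTH_REQUEST",
    },
    "auth": {"request_id": "req-0001"},
}

# Identical, except the sending side no longer includes "sound": the banner is
# shown silently regardless of UNAuthorizationOptionSounds on the client.
SILENT_PAYLOAD = {
    "aps": {
        "alert": {"title": "Sign-in request", "body": "Approve the sign-in?"},
        "category": "AUTH_REQUEST",
    },
    "auth": {"request_id": "req-0002"},
}

# A background (content-available) push never plays a sound by design.
BACKGROUND_PAYLOAD = {"aps": {"content-available": 1}, "auth": {"request_id": "req-0003"}}


def requested_sound(payload):
    """Return the sound name APNs will ask the device to play, or None.

    The "sound" key may be a file name string or, for critical alerts, a
    dictionary with a "name" entry.
    """
    aps = payload.get("aps") or {}
    sound = aps.get("sound")
    if isinstance(sound, dict):
        sound = sound.get("name")
    return sound or None


def expected_push_type(payload):
    """Value the apns-push-type request header should carry for this payload.

    iOS 13 and later require the header; user-visible content is "alert",
    a content-available-only payload is "background".
    """
    aps = payload.get("aps") or {}
    if any(key in aps for key in ("alert", "sound", "badge")):
        return "alert"
    if aps.get("content-available") == 1:
        return "background"
    return "alert"


def audit_push(headers, payload):
    """Return a list of reasons this push will not arrive as an audible alert.

    `headers` is the dictionary of APNs request headers the sender used.
    An empty list means nothing obvious is wrong on the sending side.
    """
    problems = []
    aps = payload.get("aps") or {}
    if "alert" not in aps:
        problems.append("aps.alert missing: nothing is presented to the user")
    if requested_sound(payload) is None:
        problems.append("aps.sound missing: the notification is delivered silently")
    if len(json.dumps(payload).encode("utf-8")) > 4096:
        problems.append("payload exceeds the 4 KB limit for regular pushes")
    want = expected_push_type(payload)
    got = headers.get("apns-push-type")
    if got is None:
        problems.append("apns-push-type header missing (required since iOS 13)")
    elif got != want:
        problems.append("apns-push-type is %r but payload looks like %r" % (got, want))
    return problems


if __name__ == "__main__":
    # Hypothetical request headers; the topic is a made-up bundle identifier.
    hdrs = {"apns-push-type": "alert", "apns-topic": "com.example.authapp"}
    for name, p in [("audible", AUDIBLE_PAYLOAD), ("silent", SILENT_PAYLOAD),
                    ("background", BACKGROUND_PAYLOAD)]:
        print(name, audit_push(hdrs, p) or "ok")
```

Run `audit_push` against a captured copy of what the gateway actually sends (log the JSON body and the request headers at the gateway) rather than against the templates it was written from; a silent delivery with the client unchanged usually means the sent payload, not the device settings, changed.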
I've been looking at adding includeAllNetworks to our Network Extension VPN (Packet Tunnel Provider).
We do some authentication in the app and then start the VPN. All connections in the VPN extension are done by IP address, so there is no name resolution required.
The connection setup in the VPN extension involves some HTTP GETS & responses. I'm seeing a couple of problems.
It looks like includeAllNetworks has to be set on the VPN configuration when it's defined. Is that correct? When I try setting it at other points, either in the NEPacketTunnelProvider protocolConfiguration or in the NEVPNManager protocol configuration it has no effect. The protocol itself appears to be inaccessible.
When I set it in the NEVPNManager's protocolConfiguration before I start the connection it shows includeAllNetworks as set, but when I start the connection the nesessionmanager debug output shows that it's not set in the protocol and it's not in effect.
Is there any way to set this on-the-fly? In our particular VPN interaction the Gateway tells the VPN client whether it wants the client to use includeAllNetworks, so we can't just hard-code it.
When I do set this in the VPN configuration I can't reach the Gateway. I see that the nesessionmanager shows it as set, but the initial URLSession call gets a .cfurlErrorNotConnectedToInternet result in didCompleteWithError. I've verified that the URI specifies an IP address, not a hostname, so for example https://10.0.1.10/someapi
There is no network traffic after I start the connection until the connection fails, and transitions from Connecting to Disconnecting. (well, except for things like MDNS and a couple of others that aren't blocked by the setting)
Since I'm connecting by IP address I'd expect that this would work.
In the console I see
default 13:42:57.476293-0700 VPNExtension [C10 Hostname#0a01000a:443 failed path (unsatisfied (Path was denied by NECP policy), interface: en0, ipv4)] event: null:null @4.222s
I haven't seen any good examples of VPN setup with the new flags, and the documentation is frustratingly vague. Are there any good resources for this?
Kevin
We define an event handler for OpenURL
NSAppleEventManager *appleEventManager = [NSAppleEventManager sharedAppleEventManager];
[appleEventManager setEventHandler:self
andSelector:@selector(handleGetURLEvent:withReplyEvent:)
forEventClass:kInternetEventClass andEventID:kAEGetURL];
And we handle it here:
- (void)handleGetURLEvent:(NSAppleEventDescriptor *)event
           withReplyEvent:(NSAppleEventDescriptor *)replyEvent
{
    // Handler type stuff
}
If I'm debugging in Xcode, I see a SIGCONT before the handler is called. When I continue from the SIGCONT, I enter the handler and everything is fine.
This causes automated tests to break, and is generally a pain in the you-know-where. Outside of Xcode it's fine.
How can I make it stop doing this? Is there some Xcode setting I've overlooked?
I'm using a URLSession, and want to be able to identify the case when I have a bad client certificate.
When I get a call to
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)
and send a bad certificate in response to the client cert challenge, I would expect an error of
.cfurlErrorClientCertificateRejected
In
func urlSession(_ session: URLSession, task: URLSessionTask, didCompleteWithError error: Error?)
What I'm seeing instead is the generic
.cfurlErrorSecureConnectionFailed
When I was using the SSL APIs directly I was getting back
errSSLPeerUnknownCA or errSSLPeerBadCert
Which makes it clear where the problem lies. Is there a way to see that it was specifically a problem with the client certificate using the URLSession delegates?
We have a Network Extension app (packet_tunnel), and the development profile has multiple hardware IDs, certs etc.
If I build the app on one system and try to run it on a different macOS system which is in the profile I get an initial Gatekeeper error (as expected). I then approve the app to run anyway.
It runs, and when I connect to a VPN from that system the VPN extension is loaded, but then exits without calling the entry point.
My understanding is that signature verification is done *before* the binary is loaded, so if I'm seeing code in the VPN extension writing to a log file, I know the signing has been checked & passed.
- The class initializer for PacketTunnelProvider runs.
- There's log output from the class initializer, so we know that the VPN extension has been loaded successfully.
- The entry point (startTunnelWithOptions:completionHandler:) is never called.
- The VPN extension exits.
- There's no crash log.
- On some systems it works fine, and the VPN is fine.
We initially thought it was a signing problem, but since the binary is loading and running that's really looking like a red herring at the moment.
I'm trying to make sure that we're using the most up-to-date networking code on Apple platforms, and generally moving away from BSD sockets.
This is fine for HTTP get <-> response exchanges (URLSession), and for TCP,TLS,UDP,DTLS etc. connections (NWConnection variants).
I see nothing other than sockets for handling ICMP though. Is this true, or is there some API which I've missed that would let me deal with ICMP without using BSD sockets?
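As an added example (not from the original post, and not an Apple API), here is the protocol-level part of an ICMP echo that a practitioner ends up writing when no higher-level API is available: the RFC 1071 checksum, echo request construction, and reply validation. The checksum test vector is the one worked in RFC 1071. The `ping_once` helper assumes what I understand the platform behaviour to be: an unprivileged `SOCK_DGRAM`/`IPPROTO_ICMP` socket is allowed, the kernel may rewrite the identifier field, and on macOS the received datagram still carries the IPv4 header in front of the ICMP message (Linux strips it), so the parser detects and removes it. Nothing in the block touches the network unless `ping_once` is called.

```python
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """ICMPv4 echo message with the checksum computed over header plus payload."""
    identifier &= 0xFFFF
    sequence &= 0xFFFF
    header = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, checksum, identifier, sequence) + payload


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    return _build_echo(ICMP_ECHO_REQUEST, identifier, sequence, payload)


def build_echo_reply(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """What the peer sends back; handy for tests and for a local responder."""
    return _build_echo(ICMP_ECHO_REPLY, identifier, sequence, payload)


def strip_ipv4_header(datagram: bytes) -> bytes:
    """Drop a leading IPv4 header if one is present (detected by the version nibble).

    Assumption: macOS ICMP datagram sockets deliver the IPv4 header; Linux does not.
    """
    if datagram and datagram[0] >> 4 == 4:
        ihl = (datagram[0] & 0x0F) * 4
        return datagram[ihl:]
    return datagram


def parse_echo_reply(datagram: bytes):
    """Return (identifier, sequence, payload) for a valid echo reply, else None."""
    msg = strip_ipv4_header(datagram)
    if len(msg) < 8 or icmp_checksum(msg) != 0:  # a good message sums to zero
        return None
    msg_type, code, _, identifier, sequence = struct.unpack("!BBHHH", msg[:8])
    if msg_type != ICMP_ECHO_REPLY or code != 0:
        return None
    return identifier, sequence, msg[8:]


def ping_once(host: str, timeout: float = 1.0):
    """Send one echo request without root over an ICMP datagram socket.

    Not exercised offline. Returns the round-trip time in seconds, or None.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        ident, seq = 0x1234, 1  # the kernel may rewrite ident on datagram sockets
        payload = struct.pack("!d", time.time())
        s.sendto(build_echo_request(ident, seq, payload), (host, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
        parsed = parse_echo_reply(data)
        if parsed is None or parsed[1] != seq:
            return None
        return time.time() - struct.unpack("!d", parsed[2])[0]


if __name__ == "__main__":
    req = build_echo_request(0xBEEF, 1, b"hello")
    print(req.hex(), "checksum-ok" if icmp_checksum(req) == 0 else "bad")
```

The validation step matters more than the send: any reply-matching code that trusts the type, identifier and sequence fields without recomputing the checksum first will happily accept a garbage datagram as a successful probe.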
In our Network Extension we're trying to use URLSession for setting up a connection using a series of HTTP exchanges.
I see an HTTP response in Wireshark which has multiple Set-Cookie headers, but only the last one shows up in the HTTPURLResponse.
Traffic on the wire:
Set-Cookie: ABC_COOKIE=2000;Path=/;Secure
Set-Cookie: XYZ_COOKIE=tuv;Path=/;expires=<somedate>;Secure
Set-Cookie: foo=bar;Secure;Path=/;expires=<somedate>
Value in HTTPURLResponse.allHeaderFields:
"Set-Cookie" = "foo=bar;Secure;Path=/;expires=<somedate>"
No sign of the other cookie values. I've seen comments on the web that the cookies in multiple Set-Cookie headers will be concatenated into a single header, but that's not at all what I'm seeing.
Is there a way to access the other cookie values? If not, how can we use URLSession with an endpoint that will return multiple Set-Cookie headers?
I'm seeing a released macOS App Store app crashing with a code signing error.
This isn't a beta app, it's been signed by Apple and is available on the App Store.
On most systems it installs and runs fine (macOS 10.15, macOS 11 on Intel, macOS 11 on Apple Silicon etc.), but on 10.13 we see a code signing error.
This is a Network Extension app. It crashes as soon as the mgmt app is opened, before any load is tried on the Extension.
We haven't been able to determine whether this error is widespread or not, but it seems like something that should never be happening with an App Store installed app.
The app was uninstalled and reinstalled from scratch, and the error persisted, and the MacBook Pro was rebooted. Still happened.
Any ideas? The existing discussions around this error were for beta/development builds, which isn't applicable here.
================================
Process: Citrix SSO [1388]
Path: /Applications/Citrix SSO.app/Contents/MacOS/Citrix SSO
Identifier: com.citrix.NetScalerGateway.macos.app
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Citrix SSO [1388]
User ID: 501
Date/Time: 2020-11-19 16:54:56.702 +0530
OS Version: Mac OS X 10.13.6 (17G65)
Report Version: 12
Anonymous UUID: D25619E7-F0CC-9BAE-9B9A-57B8890496EE

Process: Citrix SSO [1410]
Path: /Applications/Citrix SSO.app/Contents/MacOS/Citrix SSO
Identifier: com.citrix.NetScalerGateway.macos.app
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Citrix SSO [1410]
User ID: 501
Date/Time: 2020-11-19 16:55:27.250 +0530
OS Version: Mac OS X 10.13.6 (17G65)
Report Version: 12
Anonymous UUID: D25619E7-F0CC-9BAE-9B9A-57B8890496EE

Time Awake Since Boot: 2000 seconds

System Integrity Protection: enabled

Crashed Thread: 0

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2):
-> __TEXT 000000010d2b9000-000000010d644000 [ 3628K] r-x/r-x SM=COW

Thread 0 Crashed:
0 ??? 0x00000001184e819c _dyld_start + 0

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffee2946c18
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x00000001184e819c rfl: 0x0000000000000200 cr2: 0x0000000000000000

Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0

Binary Images:
0x10d2b9000 - 0x10d643fef +??? (0) <45E0CE2B-93E3-360D-9CFF-6C4B8DEB6BA3> (null)
0x1184e7000 - 0x118531acf +??? (551.4) <8A72DE9C-A136-3506-AA02-4BA2B82DCAF3> (null)

External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 1764
thread_create: 0
thread_set_state: 0

VM Region Summary:
ReadOnly portion of Libraries: Total=4384K resident=0K(0%) swapped_out_or_unallocated=4384K(100%)
Writable regions: Total=8444K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8444K(100%)

VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
STACK GUARD 56.0M 2
Stack 8192K 2
__DATA 1184K 5
__LINKEDIT 456K 3
__LLVM_COV 204K 2
__TEXT 3928K 3
shared memory 8K 3
=========== ======= =======
TOTAL 69.6M 13

Model: MacBookPro11,1, BootROM 156.0.0.0.0, 2 processors, Intel Core i5, 2.4 GHz, 8 GB, SMC 2.16f68
Graphics: Intel Iris, Intel Iris, Built-In
Memory Module: BANK 0/DIMM0, 4 GB, DDR3, 1600 MHz, 0x02FE, -
Memory Module: BANK 1/DIMM0, 4 GB, DDR3, 1600 MHz, 0x02FE, -
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x112), Broadcom BCM43xx 1.0 (7.77.37.31.1a9)
Bluetooth: Version 6.0.7f10, 3 services, 18 devices, 1 incoming serial ports
Network Service: Wi-Fi, AirPort, en0
Serial ATA Device: APPLE SSD SD0256F, 251 GB
USB Device: USB 3.0 Bus
USB Device: Apple Internal Keyboard / Trackpad
USB Device: BRCM20702 Hub
USB Device: Bluetooth USB Host Controller
Thunderbolt Bus: MacBook Pro, Apple Inc., 17.2
We have a protocol between our client and our server which
- Creates a TLS connection
- Does an HTTP get/response on the connection, where the HTTP headers are specifying characteristics of the session
- Sends and receives arbitrary amounts of streaming data on the connection

Some characteristics of the connection code are
- None of the data after the initial get/response has any HTTP framing at all.
- Data has to be using the same TCP connection as the initial HTTP exchange
- Common code for iOS/macOS.
- Usable from a Network Extension
The original code uses a whole bunch of CF*, including CFHttpMessage, and BSD sockets for the raw connection. It was from quite a while back. For backwards compatibility reasons we couldn't switch to the Network framework or to the NSURLConnection/Session APIs.
It looks like we have a chance to update our networking, but from my initial reading it looks like the NSURLSessionStreamTask doesn't handle the initial HTTP exchange we need, and the NSURLSession variants that *do* do an initial HTTP exchange aren't really streaming data without framing later.
Q1: Are there APIs that can handle the initial HTTP exchange without assuming they control the whole connection? I.e., handle the HTTP parsing & logic, but over a connection that we've set up separately?
Q2: Is there a way to make the upload/download tasks act as a raw data stream?
Q3: Any other ideas about how to address this particular problem?
WebSockets, or any other solution that requires a server-side change is a non-starter for us...
Using the Network framework as a BSD sockets replacement gets us part way there, but we're still relying on CF functions for some HTTP functionality.
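Two of the posts above describe the same underlying need: parse one HTTP/1.1 response off a connection the app already owns, keep every repeated header (the multiple Set-Cookie post), and hand the bytes that follow the response back to the caller as the start of the unframed stream (Q1 above). Here is an added example of that, written by me in plain Python at the protocol level rather than against URLSession, since it is the parsing logic that carries over to any language. The wire sample is constructed: the three cookie names copy the earlier post, while the dates, the body and the trailing stream bytes are made up. `read_http_head` takes any `recv(n)` callable (a socket, an SSL socket or a BytesIO in the test), so it works over a connection set up separately, which is the point of the question.

```python
import io

# Constructed sample of the exchange as seen on the wire: the response to the
# session-setup GET carries three Set-Cookie headers and a short body, and the
# unframed session stream begins immediately after it on the same connection.
SAMPLE_WIRE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example-gateway\r\n"
    b"Set-Cookie: ABC_COOKIE=2000;Path=/;Secure\r\n"
    b"Set-Cookie: XYZ_COOKIE=tuv;Path=/;expires=Wed, 21 Oct 2026 07:28:00 GMT;Secure\r\n"
    b"Set-Cookie: foo=bar;Secure;Path=/;expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"OK"
    b"\x01\x02raw-stream-bytes"
)


def build_session_request(path, headers):
    """Minimal HTTP/1.1 GET to write on a connection we already own."""
    lines = ["GET %s HTTP/1.1" % path]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


class HTTPHead:
    def __init__(self, status, reason, headers):
        self.status = status
        self.reason = reason
        self.headers = headers  # list of (name, value); order and duplicates kept

    def get_all(self, name):
        return [v for n, v in self.headers if n.lower() == name.lower()]

    def cookies(self):
        """One cookie per Set-Cookie header (RFC 6265): never split them on commas,
        an Expires attribute contains one. Returns (name, value, attrs) tuples."""
        out = []
        for raw in self.get_all("Set-Cookie"):
            parts = [p.strip() for p in raw.split(";")]
            name, _, value = parts[0].partition("=")
            attrs = {}
            for attr in parts[1:]:
                key, _, val = attr.partition("=")
                attrs[key.strip().lower()] = val.strip() or True
            out.append((name.strip(), value.strip(), attrs))
        return out


def read_http_head(recv, max_head=64 * 1024):
    """Consume one HTTP/1.1 response (head plus Content-Length body) from `recv`.

    `recv(n)` returns up to n bytes (socket.recv, ssl.SSLSocket.recv, BytesIO.read).
    Returns (head, body, leftover); `leftover` is whatever the peer sent beyond
    the HTTP exchange, i.e. the first bytes of the unframed stream, which must
    not be thrown away. Chunked responses are rejected rather than mishandled.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) > max_head:
            raise ValueError("HTTP head too large")
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before end of HTTP head")
        buf += chunk
    head_bytes, _, rest = buf.partition(b"\r\n\r\n")
    lines = head_bytes.decode("iso-8859-1").split("\r\n")
    version, _, tail = lines[0].partition(" ")
    status, _, reason = tail.partition(" ")
    if not version.startswith("HTTP/1.") or not status.isdigit():
        raise ValueError("bad status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") or ":" not in line:
            raise ValueError("bad header line: %r" % line)
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    head = HTTPHead(int(status), reason, headers)
    if any("chunked" in v.lower() for v in head.get_all("Transfer-Encoding")):
        raise ValueError("chunked responses are not handled by this example")
    length = int((head.get_all("Content-Length") or ["0"])[0])
    while len(rest) < length:
        chunk = recv(length - len(rest))
        if not chunk:
            raise ConnectionError("connection closed inside the HTTP body")
        rest += chunk
    return head, rest[:length], rest[length:]


def parse_wire(data):
    """Run the parser over an in-memory capture (used by the demo and the test)."""
    return read_http_head(io.BytesIO(data).read)


if __name__ == "__main__":
    print(build_session_request("/session", [("Host", "10.0.1.10")]).decode())
    head, body, stream = parse_wire(SAMPLE_WIRE)
    print(head.status, [c[0] for c in head.cookies()], body, stream)
```

After `read_http_head` returns, the caller keeps using the same connection for the raw stream, prepending `leftover` to whatever it reads next; losing those bytes is the classic bug in hand-rolled "HTTP then stream" clients.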
We have an NKE which uses some of the sock_* interfaces, which are on the deprecated list.
It sure sounded like Apple was going to kill these in Big Sur, yet our NKE installs, loads, and runs in the released build of the macOS 11.
Does anyone know which interfaces *are* being killed off in Big Sur? We've spread the news that customers have to migrate away from the NKE version of our product to a more recent version, but a more definite timeframe would help.
I've got an old app that I'm looking at (XIB interface) which calls these functions:
ProcessSerialNumber psn = { 0, kCurrentProcess };
TransformProcessType(&psn, kProcessTransformToForegroundApplication);
SetSystemUIMode(kUIModeNormal, 0);
If I remove these calls, the application menu doesn't show up at all. With these calls in, the menu bar doesn't respond until the app leaves the foreground and then becomes active again.
I created a new XIB-based app and compared the AppDelegate and raw XIB code to what's in the older app, and they look the same, but the newer app's menus work fine without the above calls.
Of what are these calls a legacy, and does anyone know what changes can be made to get rid of them?
I've noticed that the OS stops consulting the VPN extension for DNS after a delayed response.

We want to use split-tunnel, but handle all of the DNS. We have our DNS settings for our Packet Tunnel Provider set as described here: https://forums.developer.apple.com/message/122209#122209 with an empty match domain. That works OK, but if we receive any significantly (~3 seconds) delayed response to a DNS query the OS starts sending all DNS queries out the wireless interface instead of over the VPN. It doesn't try again right away, but continues to use the wireless interface instead of the VPN interface. It will try again at intervals and things can recover, but this causes serious issues for the VPN.

Does anyone know of a way to tweak the settings that determine when the system falls back to the system DNS resolution instead of the VPN DNS resolution, and how it retries?

We have to support macOS versions older than 10.15, so we can't use the DNS proxy provider.

Kevin
We have an SSL VPN app (NEPacketTunnelProvider). Per-app VPN with certificate authentication works when the device is enrolled with Device Enrollment. When the MDM uses User Enrollment the certificate isn't found in the keychain.
- The certificate appears in the Management Profile details on the iOS device.
- There is an identityReference in the VPN configuration profile.
- The profile is correctly associated with the provider, and when the app starts the VPN extension starts and attempts authentication.
- SecItemCopyMatching finds nothing in the keychain.

Any ideas on this?

Kevin
I have an XCTest case which is trying to enter text into a text field.

let app = XCUIApplication()
let query = app.tables
query.staticTexts["New..."].tap()
let serverAddress = query.cells.containing(.cell, identifier: "serverTableViewCell").textFields.element
if serverAddress.exists {
    serverAddress.tap()
    serverAddress.typeText(server)
}

This has to run on a physical device, because the application is a Network Extension VPN.

It generally works fine, but every now and then it starts failing. When it fails everything looks like it's succeeding.
- I can find the field
- I can tap on the field, and I see the text cursor
- I can call typeText()
- No errors, messages, informative output... But nothing appears in the text field.

This appears to happen after there's been some sort of system dialog on the device (not entirely sure it's related, but the correlation is strong) but even once that dialog is gone the test continues to fail.

Things are complicated because the device is in the office--and we aren't allowed to go into the office at the moment. I can't re-start the device, because I'm pretty sure that will require physical presence at the device to unlock it again.

I *can* alter settings on the device using the XCTest interfaces to control System Settings. I tried disabling all notifications, but things are still failing.

I saw a similar question with the same symptoms, but it was on a simulator, and the solution was to reset the simulator. Not an option in this case: https://forums.developer.apple.com/thread/125010

Is it possible that once the system dialog/alert/notification is apparently gone that it's still hogging keyboard input? If that is the case, anyone know how I could clear it? Without being physically present at the device?

Any other suggestions would be great.
We moved our macOS NKE-based VPN over to Network Extensions a while back. Although Network Extensions offered us less control over the system traffic it also let us have a single code base for the core functionality on iOS & macOS, as well as offering the possibility of MDM.

The talk on Network Extensions for Modern macOS offered us some of the control back. The includeAllNetworks and excludeLocalNetworks flags are great to see. But, the title of the talk said 'for Modern macOS', so:
- Are they only on macOS, or are the Network Extension parts of that talk also applicable to iOS?
- Will those Network Extension flags function if the user is running macOS Mojave?
- iOS 12?
Or are they only going to work on Catalina/iOS 13 and later?

Users do tend to upgrade their macOS & iOS versions, but corporate customers upgrade slowly, and they're our market.

One ability of NKEs that we lost with Network Extensions was the ability to do an 'Always On' VPN which made sure that all traffic from the system was tunneled. Because we could make the NKE load at boot time there was no user dependency. It doesn't sound like this is going to be possible even with the current changes.

The talk referred to Driver Extensions as user-independent, and providing something available at the system level, but not Network Extensions. Is that the case?

Kevin