I am setting the MTU to 1500, but I think that only affects writes
Thanks Matt. I have a pared-down sample project that demonstrates the condition. I am going to submit a TSI this morning. I will have a private repo on GitHub containing the project. Can you give me a GitHub username to invite for access to the repo?
Thanks Matt - yeah, this stuff is kinda black magic to me. I saw the empty policy array and didn't understand it, so I thought it just needed to be there. Do I need different policies for using an IP or for using a domain? Are there any good examples of how/why to use policies with the trust?
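The policy question above is narrower than it looks: a server-trust evaluation uses one SSL server policy whether the URL names a host or an IP literal, and the only thing that changes is the hostname string handed to the policy, which trustd matches against the certificate's subjectAltName (a dNSName entry for a domain, an iPAddress entry for an IP). The following is an added example, not code from the thread or from Apple's samples, showing a URLSession delegate that builds that policy from the challenge's host, optionally adds a private CA as an anchor, and, on failure, reports how many certificates ended up in the chain so a name mismatch can be told apart from a chain that stops at the leaf (which is what a `MissingIntermediate` line from trustd means). The `TrustFailure` type, the `anchorDER` argument and the bundle-resource name are assumptions for illustration.

```swift
import Foundation
import Security

// The same SSL policy type serves a DNS name and an IP literal; only the
// hostname string differs. `true` selects a server (not client) policy.
func serverPolicy(for host: String) -> SecPolicy {
    return SecPolicyCreateSSL(true, host as CFString)
}

// Hypothetical error type for this example: carries what trustd said plus the
// chain length so the caller can tell "only the leaf arrived" from a name problem.
struct TrustFailure: Error, CustomStringConvertible {
    let host: String
    let chainLength: Int
    let underlying: Error
    var description: String {
        "trust evaluation for \(host) failed (\(chainLength) certificate(s) in chain): \(underlying)"
    }
}

/// Evaluate `trust` for `host`, optionally trusting extra anchors (a private CA).
func evaluateServerTrust(_ trust: SecTrust, host: String, anchors: [SecCertificate]) -> Result<Void, Error> {
    var status = SecTrustSetPolicies(trust, serverPolicy(for: host))
    guard status == errSecSuccess else {
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
    if !anchors.isEmpty {
        status = SecTrustSetAnchorCertificates(trust, anchors as CFArray)
        guard status == errSecSuccess else {
            return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
        }
        // false keeps the system roots alongside the supplied anchors;
        // pass true to pin exclusively to the anchors given here.
        SecTrustSetAnchorCertificatesOnly(trust, false)
    }
    var cfError: CFError?
    if SecTrustEvaluateWithError(trust, &cfError) {
        return .success(())
    }
    // After evaluation the count reflects the chain trustd could build.
    // A count of 1 means nothing chained beyond the leaf: the server did not
    // send the intermediate and no supplied anchor covers it.
    let chainLength = SecTrustGetCertificateCount(trust)
    let underlying: Error = cfError.map { $0 as Error }
        ?? NSError(domain: NSOSStatusErrorDomain, code: Int(errSecNotTrusted))
    return .failure(TrustFailure(host: host, chainLength: chainLength, underlying: underlying))
}

final class ServerTrustDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    /// `anchorDER`: DER-encoded CA certificates to trust in addition to the system roots.
    init(anchorDER: [Data]) {
        anchors = anchorDER.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Client-certificate and other challenges are handled elsewhere.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The host is whatever the URL contained: "example.test" or "203.0.113.10".
        let host = challenge.protectionSpace.host
        switch evaluateServerTrust(trust, host: host, anchors: anchors) {
        case .success:
            completionHandler(.useCredential, URLCredential(trust: trust))
        case .failure(let error):
            NSLog("server trust rejected for %@: %@", host, String(describing: error))
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Wiring, assuming a CA certificate bundled as "private-ca.der" (assumed name):
// let der = try Data(contentsOf: Bundle.main.url(forResource: "private-ca", withExtension: "der")!)
// let session = URLSession(configuration: .default,
//                          delegate: ServerTrustDelegate(anchorDER: [der]),
//                          delegateQueue: nil)
```

Two caveats a practitioner would check first. `SecTrustEvaluateWithError` is synchronous and may block on revocation checks, so keep it off the main thread (the delegate queue above is fine). And before debugging policies at all, confirm what the server actually sends with `openssl s_client -connect test.iwins.kyrio.com:9443 -servername test.iwins.kyrio.com -showcerts`: if only one certificate comes back, the intermediate must be served by the host or supplied as an anchor, and no policy change will make the leaf chain on its own.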
And this is the success case when using the IP in the url. Everything else is the same, code & cert-wise.
default 09:49:16.792469-0600 XCtests-Dummy-Host Connection 4: asked to evaluate TLS Trust
default 09:49:16.792756-0600 XCtests-Dummy-Host TLS Challenge: method to authenticate is: NSURLAuthenticationMethodServerTrust
default 09:49:16.792927-0600 XCtests-Dummy-Host testing server
default 09:49:16.801076-0600 XCtests-Dummy-Host Connection 4: TLS Trust result 0
default 09:49:16.801112-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async_external_block_invoke_3(1451) [C4:2][0x7fac4b00f2f0] Returning from external verify block with result: true
default 09:49:16.801148-0600 XCtests-Dummy-Host boringssl_context_certificate_verify_callback(1609) [C4:2][0x7fac4b00f2f0] Certificate verification result: OK
default 09:49:16.801326-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client read_server_finished
default 09:49:16.801398-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client send_end_of_early_data
default 09:49:16.801429-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client send_client_certificate
default 09:49:16.801503-0600 XCtests-Dummy-Host boringssl_context_certificate_request_callback(1562) [C4:2][0x7fac4b00f2f0] Asyncing for challenge block
default 09:49:16.801589-0600 XCtests-Dummy-Host boringssl_context_certificate_request_callback(1562) [C4:2][0x7fac4b00f2f0] Asyncing for challenge block
default 09:49:16.801708-0600 XCtests-Dummy-Host Connection 4: asked for TLS Client Certificates
Ok, so I'm seeing "MissingIntermediate(leaf)" only when using the domain URL. This is the failure case when using the domain in the url:
default 09:59:21.541985-0600 XCtests-Dummy-Host Connection 3: enabling TLS
default 09:59:21.542007-0600 XCtests-Dummy-Host Connection 3: starting, TC(0x0)
default 09:59:21.542031-0600 XCtests-Dummy-Host [C3 2B3E4133-E9E7-4AE3-A31B-56C90388F49F test.iwins.kyrio.com:9443 tcp, url hash: 153e2ccd, tls, context: com.apple.CFNetwork.NSURLSession.{91028BB7-8613-4AB0-9E60-9B7553A0DC92}{(null)}{Y}{2}, proc: BEEF2622-1A02-341A-A97E-9F77BBB13DBE] start
default 09:59:21.542071-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 initial path ((null))] event: path:start @0.000s
default 09:59:21.542335-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 waiting path (satisfied (Path is satisfied), interface: en5)] event: path:satisfied @0.000s, uuid: AF5E4168-4F47-4B99-A484-4A081223C92F
default 09:59:21.542639-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:start_dns @0.000s
default 09:59:21.542685-0600 XCtests-Dummy-Host nw_connection_report_state_with_handler_on_nw_queue [C3] reporting state preparing
default 09:59:21.543358-0600 XCtests-Dummy-Host Task C39EAD13-8E45-4227-896A-586B12BA7969.1 setting up Connection 3
default 09:59:21.544702-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:receive_dns @0.002s
default 09:59:21.544841-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 initial path ((null))] event: path:start @0.002s
default 09:59:21.545171-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 waiting path (satisfied (Path is satisfied), interface: en5)] event: path:satisfied @0.003s, uuid: E3CD1BD5-256A-4E6E-9E1E-A29F976ACEAD
default 09:59:21.545947-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] event: flow:start_connect @0.003s
default 09:59:21.583422-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:receive_dns @0.041s
default 09:59:21.598275-0600 runningboardd Invalidating assertion 42771-30114-20288 (target:[applicationcom.cablelabs.XCtests-Dummy-Host:30114]) from originator [applicationcom.cablelabs.XCtests-Dummy-Host:30114]
default 09:59:21.614116-0600 XCtests-Dummy-Host nw_socket_handle_socket_event [C3.1:3] Socket received CONNECTED event
default 09:59:21.614617-0600 XCtests-Dummy-Host nw_flow_connected [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] Transport protocol connected
default 09:59:21.615010-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] event: flow:finish_transport @0.072s
default 09:59:21.615104-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: flow:finish_transport @0.073s
default 09:59:21.615765-0600 XCtests-Dummy-Host boringssl_session_apply_protocol_options_for_transport_block_invoke(1689) [C3.1:2][0x7fd994007720] TLS configured [min_version(0x0303) max_version(0x0304) name(test.iwins.kyrio.com) tickets(false) false_start(false) enforce_ev(false) enforce_ats(false)]
default 09:59:21.615888-0600 XCtests-Dummy-Host boringssl_context_info_handler(1821) [C3.1:2][0x7fd994007720] Client handshake started
default 09:59:21.616031-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS client enter_early_data
default 09:59:21.616127-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS client read_server_hello
default 09:59:21.687233-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_hello_retry_request
default 09:59:21.687321-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_hello
default 09:59:21.687553-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_encrypted_extensions
default 09:59:21.687627-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_certificate_request
default 09:59:21.687697-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_certificate
default 09:59:21.687946-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_certificate_verify
default 09:59:21.688132-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async(1510) [C3.1:2][0x7fd994007720] Performing external trust evaluation
default 09:59:21.688226-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async_external(1495) [C3.1:2][0x7fd994007720] Asyncing for external verify block
default 09:59:21.688361-0600 XCtests-Dummy-Host Connection 3: asked to evaluate TLS Trust
default 09:59:21.688733-0600 XCtests-Dummy-Host TLS Challenge: method to authenticate is: NSURLAuthenticationMethodServerTrust
default 09:59:21.688935-0600 XCtests-Dummy-Host testing server
default 09:59:21.689085-0600 XCtests-Dummy-Host container_create_or_lookup_app_group_path_by_app_group_identifier: success
default 09:59:21.697484-0600 runningboardd Attempting to rename power assertion 33826 for target applicationcom.cablelabs.XCtests-Dummy-Host to applicationcom.cablelabs.XCtests-Dummy-Host42771-42897-20285:Developer testing(BackgroundUI)
default 09:59:21.697494-0600 runningboardd Calculated state for applicationcom.cablelabs.XCtests-Dummy-Host: running-active (role: UserInteractiveNonFocal)
default 09:59:21.699529-0600 XCtests-Dummy-Host Task C39EAD13-8E45-4227-896A-586B12BA7969.1 auth completion disp=0 cred=0x600001c182e0
default 09:59:21.703618-0600 trustd cert[1]: MissingIntermediate =(leaf)[force] 0
default 09:59:21.704066-0600 XCtests-Dummy-Host Trust evaluate failure: [root MissingIntermediate]
default 09:59:21.704113-0600 XCtests-Dummy-Host System Trust Evaluation yielded status(-9802)
I'm wondering if there is some low level trace logging I can enable to see WHY the app isn't happy with the cert when using the domain url?
Much more in the log file that I can post, wouldn't fit in the original post.
Excellent. One problem was that in the caller's module where I was trying to create NWEndPoint.*, I was importing NetworkExtension instead of Network.
Under Window->Devices and Simulators->(your device) you'll probably see a bunch of warnings:
Domain: com.apple.dtdevicekit
Code: 601
Recovery Suggestion: To run on this device, please update to a version of Xcode that supports iOS 14.2. You can download Xcode from the Mac App Store or the Apple Developer website.
I installed the latest Xcode (12.2) twice (4 hours); the first time failed because Xcode was still open, and somehow could not resume. But now it is all working again. At least it didn't force me to upgrade to Big Sur first! I'll bet Xcode 13 will, though; beware.
I also cannot find the keychain access groups entitlement on the website. I am trying to build the SimpleTunnel example (Network Extensions). I have gone through the usual steps of creating a new App ID/bundle identifier and creating a new provisioning profile, and also creating a new app group, etc. I am down to one last error on the FilterDataProvider, FilterControlProvider and AppProxy targets. Each has the same error: "Provisioning profile "Simple Tunnel" doesn't match the entitlements file's value for the keychain-access-groups entitlement."
In the Developer Portal, I cannot find anywhere to enable this entitlement, either in the AppID section or the Profile section.