I also cannot find the keychain access groups entitlement on the website. I am trying to build the SimpleTunnel example (Network Extensions). I have gone through the usual steps of creating a new appID/bundle identifier and creating a new provisioning certificate. Also creating a new app group, etc. I am down to one last error on the FilterDataProvider, FilterControlProvider and the AppProxy targets. Each has the same error: "Provisioning profile "Simple Tunnel" doesn't match the entitlements file's value for the keychain-access-groups entitlement."
In the Developer Portal, I cannot find anywhere to enable this entitlement, either in the AppID section or the Profile section.
Post
Replies
Boosts
Views
Activity
Under Window->Devices and Simulators->(your device) you'll probably see a bunch of warnings:
Domain: com.apple.dtdevicekit
Code: 601
Recovery Suggestion: To run on this device, please update to a version of Xcode that supports iOS 14.2. You can download Xcode from the Mac App Store or the Apple Developer website.
I installed the latest Xcode (12.2) - twice (4 hours) - the first time failed because Xcode was still open, and somehow could not resume. But now it is all working again. At least it didn't force me to upgrade to Big Sur first! I'll bet Xcode 13 will though - beware.
Excellent. One problem was that in the callers module where I was trying to create NWEndPoint.*, I was importing NetworkExtension instead of Network
Much more in the log file that I can post, wouldn't fit in the original post.
I'm wondering if there is some low level trace logging I can enable to see WHY the app isn't happy with the cert when using the domain url?
Ok, so I'm seeing "MissingIntermediate(leaf)" only when using the domain URL. This is the failure case when using the domain in the url:
default 09:59:21.541985-0600 XCtests-Dummy-Host Connection 3: enabling TLS
default 09:59:21.542007-0600 XCtests-Dummy-Host Connection 3: starting, TC(0x0)
default 09:59:21.542031-0600 XCtests-Dummy-Host [C3 2B3E4133-E9E7-4AE3-A31B-56C90388F49F test.iwins.kyrio.com:9443 tcp, url hash: 153e2ccd, tls, context: com.apple.CFNetwork.NSURLSession.{91028BB7-8613-4AB0-9E60-9B7553A0DC92}{(null)}{Y}{2}, proc: BEEF2622-1A02-341A-A97E-9F77BBB13DBE] start
default 09:59:21.542071-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 initial path ((null))] event: path:start @0.000s
default 09:59:21.542335-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 waiting path (satisfied (Path is satisfied), interface: en5)] event: path:satisfied @0.000s, uuid: AF5E4168-4F47-4B99-A484-4A081223C92F
default 09:59:21.542639-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:start_dns @0.000s
default 09:59:21.542685-0600 XCtests-Dummy-Host nw_connection_report_state_with_handler_on_nw_queue [C3] reporting state preparing
default 09:59:21.543358-0600 XCtests-Dummy-Host Task C39EAD13-8E45-4227-896A-586B12BA7969.1 setting up Connection 3
default 09:59:21.544702-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:receive_dns @0.002s
default 09:59:21.544841-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 initial path ((null))] event: path:start @0.002s
default 09:59:21.545171-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 waiting path (satisfied (Path is satisfied), interface: en5)] event: path:satisfied @0.003s, uuid: E3CD1BD5-256A-4E6E-9E1E-A29F976ACEAD
default 09:59:21.545947-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] event: flow:start_connect @0.003s
default 09:59:21.583422-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: resolver:receive_dns @0.041s
default 09:59:21.598275-0600 runningboardd Invalidating assertion 42771-30114-20288 (target:[applicationcom.cablelabs.XCtests-Dummy-Host:30114]) from originator [applicationcom.cablelabs.XCtests-Dummy-Host:30114]
default 09:59:21.614116-0600 XCtests-Dummy-Host nw_socket_handle_socket_event [C3.1:3] Socket received CONNECTED event
default 09:59:21.614617-0600 XCtests-Dummy-Host nw_flow_connected [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] Transport protocol connected
default 09:59:21.615010-0600 XCtests-Dummy-Host [C3.1 18.210.100.18:9443 in_progress socket-flow (satisfied (Path is satisfied), interface: en5)] event: flow:finish_transport @0.072s
default 09:59:21.615104-0600 XCtests-Dummy-Host [C3 test.iwins.kyrio.com:9443 in_progress resolver (satisfied (Path is satisfied), interface: en5)] event: flow:finish_transport @0.073s
default 09:59:21.615765-0600 XCtests-Dummy-Host boringssl_session_apply_protocol_options_for_transport_block_invoke(1689) [C3.1:2][0x7fd994007720] TLS configured [min_version(0x0303) max_version(0x0304) name(test.iwins.kyrio.com) tickets(false) false_start(false) enforce_ev(false) enforce_ats(false)]
default 09:59:21.615888-0600 XCtests-Dummy-Host boringssl_context_info_handler(1821) [C3.1:2][0x7fd994007720] Client handshake started
default 09:59:21.616031-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS client enter_early_data
default 09:59:21.616127-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS client read_server_hello
default 09:59:21.687233-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_hello_retry_request
default 09:59:21.687321-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_hello
default 09:59:21.687553-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_encrypted_extensions
default 09:59:21.687627-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_certificate_request
default 09:59:21.687697-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_certificate
default 09:59:21.687946-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C3.1:2][0x7fd994007720] Client handshake state: TLS 1.3 client read_server_certificate_verify
default 09:59:21.688132-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async(1510) [C3.1:2][0x7fd994007720] Performing external trust evaluation
default 09:59:21.688226-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async_external(1495) [C3.1:2][0x7fd994007720] Asyncing for external verify block
default 09:59:21.688361-0600 XCtests-Dummy-Host Connection 3: asked to evaluate TLS Trust
default 09:59:21.688733-0600 XCtests-Dummy-Host TLS Challenge: method to authenticate is: NSURLAuthenticationMethodServerTrust
default 09:59:21.688935-0600 XCtests-Dummy-Host testing server
default 09:59:21.689085-0600 XCtests-Dummy-Host container_create_or_lookup_app_group_path_by_app_group_identifier: success
default 09:59:21.697484-0600 runningboardd Attempting to rename power assertion 33826 for target applicationcom.cablelabs.XCtests-Dummy-Host to applicationcom.cablelabs.XCtests-Dummy-Host42771-42897-20285:Developer testing(BackgroundUI)
default 09:59:21.697494-0600 runningboardd Calculated state for applicationcom.cablelabs.XCtests-Dummy-Host: running-active (role: UserInteractiveNonFocal)
default 09:59:21.699529-0600 XCtests-Dummy-Host Task C39EAD13-8E45-4227-896A-586B12BA7969.1 auth completion disp=0 cred=0x600001c182e0
default 09:59:21.703618-0600 trustd cert[1]: MissingIntermediate =(leaf)[force] 0
default 09:59:21.704066-0600 XCtests-Dummy-Host Trust evaluate failure: [root MissingIntermediate]
default 09:59:21.704113-0600 XCtests-Dummy-Host System Trust Evaluation yielded status(-9802)
And this is the success case when using the IP in the url. Everything else is the same, code & cert-wise.
default 09:49:16.792469-0600 XCtests-Dummy-Host Connection 4: asked to evaluate TLS Trust
default 09:49:16.792756-0600 XCtests-Dummy-Host TLS Challenge: method to authenticate is: NSURLAuthenticationMethodServerTrust
default 09:49:16.792927-0600 XCtests-Dummy-Host testing server
default 09:49:16.801076-0600 XCtests-Dummy-Host Connection 4: TLS Trust result 0
default 09:49:16.801112-0600 XCtests-Dummy-Host boringssl_context_evaluate_trust_async_external_block_invoke_3(1451) [C4:2][0x7fac4b00f2f0] Returning from external verify block with result: true
default 09:49:16.801148-0600 XCtests-Dummy-Host boringssl_context_certificate_verify_callback(1609) [C4:2][0x7fac4b00f2f0] Certificate verification result: OK
default 09:49:16.801326-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client read_server_finished
default 09:49:16.801398-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client send_end_of_early_data
default 09:49:16.801429-0600 XCtests-Dummy-Host boringssl_context_info_handler(1836) [C4:2][0x7fac4b00f2f0] Client handshake state: TLS 1.3 client send_client_certificate
default 09:49:16.801503-0600 XCtests-Dummy-Host boringssl_context_certificate_request_callback(1562) [C4:2][0x7fac4b00f2f0] Asyncing for challenge block
default 09:49:16.801589-0600 XCtests-Dummy-Host boringssl_context_certificate_request_callback(1562) [C4:2][0x7fac4b00f2f0] Asyncing for challenge block
default 09:49:16.801708-0600 XCtests-Dummy-Host Connection 4: asked for TLS Client Certificates
Thanks Matt - yeah, this stuff is kinda black magic to me. I saw the empty policy array and didn't understand it, so I thought it just needed to be there. Do I need different policies for using an IP or for using a domain? Are there any good examples of how/why to use policies with the trust?
Thanks Matt. I have a pared down sample project that demonstrates the condition. I am going to submit a TSI this morning. I will have a private repo on github containing the project. Can you give me a github username to invite for access to the repo?
I am setting the MTU to 1500, but I think that only affects writes