I am running into the same problem. After a big of digging I and enabling logging with private values I see the message from apsd APSCourier: 0x7f895081edd0: Token for 501 not connected, skipping request to generate token for topic "io.bartelmess.PushTest" and identifier "" I assume that 501 is my user ID here. I am not sure what "not connected" means in this case. It does not work for production and the development environment. In a production environment with a notarized app it does not work.

I would like to +1 this request, in my case it's required to implement a PostgreSQL client, which enables TLS midstream, after a STARTTLS message. I agree that it's not ideal security wise, but there is a whole host of protocols (SMTP, PostgreSQL, XMPP, LDAP, etc) that use opportunistic DNS. When Network.framework is not offering the ability to enable TLS on an existing stream, it means that those applications are either Stuck with SecureTransport on macOS (which means they don't get TLS 1.3) Need to use a third party library like OpenSSL on top of Network.framework which means that don't get the macOS/iOS trust settings by default, which is would argue is worse for Security. I've created a Feedback: FB8888057