NWConnection handshake failed

Hi. I am making a test app almost exactly like the Tic Tac Toe example from WWDC19 https://developer.apple.com/videos/play/wwdc2019/713


The biggest differences are that instead of connecting 2 iOS apps together, my server is macOS 10.15 and my client is iOS 13.


I create the bonjour listener on my server and start it up. I then use the NWBrowser on my iOS device, just like in the sample code. I create my NWConnection objects just like in the sample code.


The problem happens when I call NWConnection.send(


On my client I get this in the NWConnection.stateUpdateHandler failed case:


2019-06-14 08:36:10.853632-0400 ClientSample[622:125162] [] tcp_output [C1.6.1:2] flags=[R.] seq=2719089173, ack=1140980224, win=1025 state=CLOSED rcv_nxt=1140980224, snd_una=2719089173

failed with error: POSIXErrorCode: Network is down


On my server, I get this in the same update handler failed case:


2019-06-14 08:33:52.884427-0400 ServerSample[1872:22136] [BoringSSL] boringssl_session_handshake_error_print(112) [C1:1][0x1010052c0] 4313953176:error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-264/ssl/tls13_server.cc:690:

2019-06-14 08:33:52.884495-0400 ServerSample[1872:22136] [BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(684) [C1:1][0x1010052c0] handshake failed at state 0

failed with error: -9858: Optional(handshake failed)




I tried creating a self signed cert on my server to see if that was the issue. I followed these instructions:

https://devcenter.heroku.com/articles/ssl-certificate-self


I would also like to point out that the server portion of this would be part of a mac app, so having all of our customers install certs would not be an option.


Not sure where to go from here.


Thanks,

Rob

Replies

I think I fixed an issue I was having with this sample code

sec_protocol_options_append_tls_ciphersuite(tlsOptions.securityProtocolOptions,
                                                  tls_ciphersuite_t(rawValue: TLS_PSK_WITH_AES_128_GCM_SHA256)!)


Mac can't use this code because the ciphersuite constant is 32-bit there and 16-bit on iOS. I am now using this.

sec_protocol_options_add_tls_ciphersuite(tlsOptions.securityProtocolOptions, TLS_PSK_WITH_AES_128_GCM_SHA256)


Now I am getting a new message


2019-06-14 16:25:44.453889-0400 ServerSample[13334:241268] [BoringSSL] boringssl_session_set_peer_verification_state_from_session(371) [C8:1][0x10234bef0] Unable to extract cached certificates from the SSL_SESSION object

2019-06-14 16:25:44.454002-0400 ServerSample[13334:241268] [BoringSSL] boringssl_helper_copy_certificates_from_session(248) [C8:1][0x10234bef0] SSL_get0_peer_certificates failed


ANY help would be appreciated.

You need to decide whether you’re using PSK or not. If you are, then anything to do with digital identities and certificates is just a red herring.

The one gotcha I’m aware of with PSK is that it’s not supported by TLS 1.3 [1], so you must pin the maximum TLS version to 1.2 (r. 44776935). I also pin the minimum TLS to 1.2, just to avoid any unexpected weirdness.

sec_protocol_options_set_tls_min_version(securityOptions, .tlsProtocol12)
sec_protocol_options_set_tls_max_version(securityOptions, .tlsProtocol12)

If you still can’t get this working then you should re-test with iOS 12 and macOS 10.14. That’ll tell you whether this is a problem with your code or a problem with the new OS releases.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] My understanding is that this isn’t a limitation of the framework, but a limitation of the protocol.
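To tie the two points in this thread together (the PSK ciphersuite constant that is 32-bit on macOS and 16-bit on iOS, and pinning TLS to 1.2 because PSK suites are not negotiated under TLS 1.3), here is one way to build the NWParameters for a PSK-only session that compiles on both macOS 10.15 and iOS 13. This is an added example, not the WWDC19 sample's code and not code from either poster. The passcode-to-PSK derivation (HMAC-SHA256 over a service tag keyed with the passcode) follows the shape of the sample; the `passcode` and `serviceTag` values, and the `makePSKParameters` name, are assumptions. Both peers must call it with the same passcode. It uses the non-deprecated `sec_protocol_options_set_min_tls_protocol_version` / `..._max_...` calls introduced in the same OS releases rather than the older `sec_protocol_options_set_tls_min_version` shown above; either pair pins the version.

```swift
import Foundation
import Security
import Network
import CryptoKit

// Added example (not from the sample or the thread): NWParameters for a
// PSK-only TLS 1.2 session usable by both an NWListener and an NWConnection.
// `passcode` and `serviceTag` are assumed values; both peers must agree on them.
func makePSKParameters(passcode: String, serviceTag: String = "TicTacToe") -> NWParameters {
    let tlsOptions = NWProtocolTLS.Options()
    let secOptions = tlsOptions.securityProtocolOptions

    // Derive the PSK from the passcode: HMAC-SHA256 over the service tag, keyed
    // with the passcode bytes. The PSK identity sent in the handshake is the tag.
    let key = SymmetricKey(data: Data(passcode.utf8))
    let mac = HMAC<SHA256>.authenticationCode(for: Data(serviceTag.utf8), using: key)
    let psk = Data(mac).withUnsafeBytes { DispatchData(bytes: $0) }
    let identity = Data(serviceTag.utf8).withUnsafeBytes { DispatchData(bytes: $0) }
    sec_protocol_options_add_pre_shared_key(secOptions,
                                            psk as __DispatchData,
                                            identity as __DispatchData)

    // Allow only a PSK ciphersuite. SSLCipherSuite is 32-bit on macOS and 16-bit
    // on iOS, so narrow explicitly instead of relying on the platform's width;
    // this is what makes the same line compile on both platforms.
    let suite = tls_ciphersuite_t(rawValue: UInt16(TLS_PSK_WITH_AES_128_GCM_SHA256))!
    sec_protocol_options_append_tls_ciphersuite(secOptions, suite)

    // PSK suites are not negotiated under TLS 1.3, so pin both ends of the
    // version range to 1.2 (min as well as max, to avoid surprises).
    sec_protocol_options_set_min_tls_protocol_version(secOptions, .TLSv12)
    sec_protocol_options_set_max_tls_protocol_version(secOptions, .TLSv12)

    let tcpOptions = NWProtocolTCP.Options()
    tcpOptions.enableKeepalive = true

    let parameters = NWParameters(tls: tlsOptions, tcp: tcpOptions)
    parameters.includePeerToPeer = true   // needed for Bonjour over peer-to-peer links
    return parameters
}

// Usage on the server: NWListener(using: makePSKParameters(passcode: "1234"))
// Usage on the client: NWConnection(to: endpoint, using: makePSKParameters(passcode: "1234"))
```

Because no certificate is involved on either side, any BoringSSL log line about certificates during this handshake is unrelated to the PSK path; the two settings to check when the handshake still fails are that both peers derived the same PSK and identity, and that neither side left the maximum TLS version at its default.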

I tried setting the TLS to 1.2 and get the same errors:


Listener ready on Optional(62715)
preparing
preparing
preparing
2019-06-18 16:54:21.839116-0400 ServerSample[7566:156875] [BoringSSL] boringssl_session_set_peer_verification_state_from_session(371) [C1:1][0x100711480] Unable to extract cached certificates from the SSL_SESSION object
2019-06-18 16:54:21.839184-0400 ServerSample[7566:156875] [BoringSSL] boringssl_helper_copy_certificates_from_session(254) [C1:1][0x100711480] SSL_get0_peer_certificates failed
ready
failed with error: POSIXErrorCode: Network is down
failed with error: POSIXErrorCode: Network is down

I can't really run the code as is with iOS 12 or macOS 10.14 because NWBrowser and CryptoKit both require the new versions.

I can't really run the code as is with iOS 12 or macOS 10.14 because NWBrowser and CryptoKit both require the new versions.

That’s true, but neither of those is necessary to test this scenario. All you need is NWListener and NWConnection, both of which are available on current systems.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"