I am working on code to handle connections to servers, handle the trust evaluation, policy management, and general authentication.
The issue I have is in regards to client authentication.
The code handles an NSURLAuthenticationMethodClientCertificate challenge from a server. In the handler, the code responds with a credential containing a bad certificate on purpose, to test how the code will respond to the expected server handshake failure.
Instead of being handled in the NSURLSessionTaskDelegate URLSession:task:didCompleteWithError method, the URLSession:taskIsWaitingForConnectivity is called. I breakpoint here and see the following in the debugger:
(I removed the timestamps)
[BoringSSL] boringssl_context_handle_fatal_alert(1872) [C1:2][0x1016266a0] read alert, level: fatal, description: bad certificate
[BoringSSL] boringssl_session_handshake_error_print(111) [C1:2][0x1016266a0] 4317227128:error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-283.60.3/ssl/tls_record.cc:587:SSL alert number 42
[BoringSSL] nw_protocol_boringssl_handshake_negotiate_proceed(726) [C1:2][0x1016266a0] handshake failed at state 12288
[] tcp_input [C1:3] flags=[R.] seq=4246551641, ack=1214174613, win=977 state=FIN_WAIT_1 rcv_nxt=4246551641, snd_una=1214174613
[] nw_endpoint_handler_copy_flow_path [C1 192.168.134.65:7323 waiting path (satisfied (Path is satisfied), interface: en0, ipv4, dns)] Endpoint handler is not flow
I see the expected response on the first line; bad certificate. Is there any API to retrieve this low-level error message from BoringSSL or URL Loading System API? This would allow me to check for an error, retrieve the error, and process the error. The code could then call a completionHandler to indicate a server connection failure.
Right now the code will wait for the timeout period to expire, then call the NSURLSessionTaskDelegate URLSession:task:didCompleteWithError with a 'request timed out' error. Problem with that, is I still don't have any access to the root cause of the problem to indicate a server connection problem in an alert window.
Is there any API to retrieve this low-level error message from BoringSSL or URL Loading System API?
Not really. It would be cool if
-URLSession:taskIsWaitingForConnectivity:
had an (optional) error parameter indicating why it’s waiting (the equivalent API in
NWConnection
does have this) but that’s not currently the case. I encourage you to file an
enhancement request for this. Please post your bug number, just for the record.
One option would be to retry your request in a temporary session that has
waitsForConnectivity
set to false; your request will then fail rather than wait.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"