Use nscurl with client certificate?

As a follow-up to a Networking lab conversation I had on Tuesday I have the following question:

Is there a way to use nscurl to connect to a server that requires client authentication by providing a client certificate? None of the documented options seem to allow that, but maybe there is an undocumented one...

Is there a way to use nscurl to connect to a server that requires client authentication … ?

No.

Why do you need this in nscurl specifically? Most folks either:

  • Are working from the command line, and so use curl, which does support this, or

  • Are writing code, and so use NSURLSession, which also supports this via its authentication challenge mechanism

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Why do you need this in nscurl specifically?

Mostly just to understand how specific status codes are handled on iOS.

To elaborate: I have been hitting the same issue described here and here - the URL Loading System raises an error if it receives a response with the status code 403 and a client certificate was involved in the handshake (regardless of whether the certificate was accepted or not). I (re-)raised this as FB10026351.

In my case all requests to the server require client authentication and the server may return 403 for unrelated reasons (e.g. for domain errors). The server team agreed to use a different status code for those cases but wanted me to make sure they don't pick one where a similar situation could arise. In my lab appointment the network engineer pointed out that there are in fact status codes other than 403 that receive special treatment and suggested using nscurl to quickly check how specific status codes are handled, but apparently the behaviour changes if a client certificate is involved. Here is what I found:

Without client authentication:

  • If no client certificate is involved and the server responds with 401 the client gets an error (NSURLErrorCannotConnectToHost)
  • If no client certificate is involved and the server responds with 403 the client gets the response

With client authentication:

  • If a (valid) client certificate is involved and the server responds with 401 the client gets the response
  • If a (valid) client certificate is involved and the server responds with 403 the client gets an error (NSURLErrorClientCertificateRequired)

However, the scenarios involving a client certificate cannot be tested with nscurl, hence my question.

Use nscurl with client certificate?
 
 
Q