Identity Pinning and NSLocalizedRecoverySuggestion

App & System Services General
jzilske OP
Created Jun ’23
Replies 2
Boosts 0
Views 985
Participants 2

If a host is pinned by specifying its SPKI fingerprint under NSAppTransportSecurity > NSPinnedDomains > <hostname> > NSPinnedLeafIdentities and pinning fails the following errors are raised:

Error Domain=NSURLErrorDomain, Code=-1200 (i.e. NSURLErrorSecureConnectionFailed)

Error Domain=kCFErrorDomainCFNetwork, Code=-1200 (i.e. kCFURLErrorSecureConnectionFailed)

_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802 (i.e. errSSLFatalAlert)

The topmost error's UserInfo dictionary contains a NSLocalizedRecoverySuggestion of "Would you like to connect to the server anyway?".

How would I go about doing so given that urlSession(_:task:didReceive:completionHandler:)has already been called at this point?

Replies  2
Boosts  0
Views  985
Participants  2
DTS Engineer OP
Apple
Jun ’23

How would I go about doing [that]?

You wouldn’t. That suggestion only makes sense in a non-ATS world, most notably Safari. If the connection is being blocked by ATS, there’s no way to proceed.

You should feel free to file a bug requesting that we remove the recovery suggestion in that case. And if you do, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
jzilske OP
Jun ’23

Thank you for the clarification. I had hoped, though, that there was a way to proceed (the certificate the SPKI fingerprint from the Info.plist belongs to may since have expired, but the app may have knowledge of the current certificate's SPKI hash).

0
Identity Pinning and NSLocalizedRecoverySuggestion
First post date Last post date
 
 
Q