Identity Pinning and NSLocalizedRecoverySuggestion

If a host is pinned by specifying its SPKI fingerprint under NSAppTransportSecurity > NSPinnedDomains > <hostname> > NSPinnedLeafIdentities and pinning fails the following errors are raised:

Error Domain=NSURLErrorDomain, Code=-1200 (i.e. NSURLErrorSecureConnectionFailed)

Error Domain=kCFErrorDomainCFNetwork, Code=-1200 (i.e. kCFURLErrorSecureConnectionFailed)

_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802 (i.e. errSSLFatalAlert)

The topmost error's UserInfo dictionary contains a NSLocalizedRecoverySuggestion of "Would you like to connect to the server anyway?".

How would I go about doing so given that urlSession(_:task:didReceive:completionHandler:)has already been called at this point?

How would I go about doing [that]?

You wouldn’t. That suggestion only makes sense in a non-ATS world, most notably Safari. If the connection is being blocked by ATS, there’s no way to proceed.

You should feel free to file a bug requesting that we remove the recovery suggestion in that case. And if you do, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the clarification. I had hoped, though, that there was a way to proceed (the certificate the SPKI fingerprint from the Info.plist belongs to may since have expired, but the app may have knowledge of the current certificate's SPKI hash).

Identity Pinning and NSLocalizedRecoverySuggestion
 
 
Q