Identity Pinning and NSLocalizedRecoverySuggestion

If a host is pinned by specifying its SPKI fingerprint under NSAppTransportSecurity > NSPinnedDomains > <hostname> > NSPinnedLeafIdentities and pinning fails, the following errors are raised:

Error Domain=NSURLErrorDomain, Code=-1200 (i.e. NSURLErrorSecureConnectionFailed)

Error Domain=kCFErrorDomainCFNetwork, Code=-1200 (i.e. kCFURLErrorSecureConnectionFailed)

_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802 (i.e. errSSLFatalAlert)

The topmost error's UserInfo dictionary contains an NSLocalizedRecoverySuggestion of "Would you like to connect to the server anyway?".

How would I go about doing so given that urlSession(_:task:didReceive:completionHandler:) has already been called at this point?

Replies

How would I go about doing [that]?

You wouldn’t. That suggestion only makes sense in a non-ATS world, most notably Safari. If the connection is being blocked by ATS, there’s no way to proceed.

You should feel free to file a bug requesting that we remove the recovery suggestion in that case. And if you do, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the clarification. I had hoped, though, that there was a way to proceed (the certificate the SPKI fingerprint from the Info.plist belongs to may since have expired, but the app may have knowledge of the current certificate's SPKI hash).
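Because an ATS pinning failure cannot be overridden at run time, the pin in Info.plist has to be checked against the server's leaf certificate before the app ships. The following is an added example, not code from the thread or from Apple: it extracts the SubjectPublicKeyInfo from a DER certificate and computes the Base64-encoded SHA-256 digest that goes into the SPKI-SHA256-BASE64 entry of NSPinnedLeafIdentities. The function names and the sample certificate are constructed for illustration.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long-form length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def extract_spki(cert_der):
    """Return the complete SubjectPublicKeyInfo element of a DER certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)            # Certificate
    tag2, pos, tbs_end = read_tlv(cert_der, pos)   # TBSCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] version
        pos = end
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def spki_pin(cert_der):
    """Base64 of SHA-256 over the SPKI, the format of a pinned identity."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def der(tag, body):
    """Minimal DER encoder (bodies < 256 bytes), only for the sample below."""
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

# Constructed sample, not a real certificate: dummy key, names and signature.
ALG = der(0x30, der(0x06, b"\x2b\x65\x70"))
SAMPLE_SPKI = der(0x30, ALG + der(0x03, b"\x00" + bytes(range(32))))
EMPTY = der(0x30, b"")
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG + EMPTY * 3 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, TBS + ALG + der(0x03, b"\x00" + bytes(64)))
```

The digest covers only the SubjectPublicKeyInfo, so the computed value changes when the server's key pair changes, not when validity dates or other certificate fields do.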