I'm following the approach in https://developer.apple.com/forums/thread/703234 section "Doing Even Better: Proper Security".
My question is: does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?
I tried, and SecTrustEvaluateWithError(trust, nil) returns true, but TLS still fails:
ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)
<snip>
Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
Here is my code (the body of my URLSession delegate's challenge handler; myCA is the SecCertificate of the accessory's CA):
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    guard let trust = challenge.protectionSpace.serverTrust else {
        completionHandler(.performDefaultHandling, nil)
        return
    }
    // evaluate against our own CA only, ignoring the system anchors
    var err = SecTrustSetPolicies(trust, SecPolicyCreateBasicX509())
    os_log("SecTrustSetPolicies returns \(err)")
    err = SecTrustSetAnchorCertificates(trust, [self.myCA] as NSArray)
    os_log("SecTrustSetAnchorCertificates returns \(err)")
    err = SecTrustSetAnchorCertificatesOnly(trust, true)
    os_log("SecTrustSetAnchorCertificatesOnly returns \(err)")
    // check the trust object
    let evalResult = SecTrustEvaluateWithError(trust, nil)
    os_log("SecTrust eval result: \(evalResult)")
    // create a credential with accepted server trust.
    let credential = URLCredential(trust: trust)
    completionHandler(.useCredential, credential)
}
The logs are:
SecTrustSetPolicies returns 0
SecTrustSetAnchorCertificates returns 0
SecTrustSetAnchorCertificatesOnly returns 0
SecTrust eval result: true
Did I do anything wrong, or is it not supported outside the local network?
Thanks.
does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?
Sure. There’s nothing specific to the local network about that technique.
One thing to be careful of here is ATS, which has different options for disabling it locally versus non-locally. And this log message:
ATS failed system trust
suggests that you do indeed have an ATS issue.
can I opt to connect to the server anyway programmatically?
Yes. But you need to disable ATS and you need to override the default server trust evaluation done by URLSession.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
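As an added example (not code from either post), here is a complete delegate that does the override the reply describes, and fails closed instead of always accepting the credential. It assumes an `accessoryCA` SecCertificate and, for a non-local host, an ATS exception in Info.plist for that host (NSExceptionDomains -> host -> NSExceptionAllowsInsecureHTTPLoads = YES), which is what lets ATS defer to the delegate's own trust evaluation.

```swift
import Foundation
import Security
import os

// Added example, not the poster's code. Assumes `accessoryCA` holds the
// accessory's CA certificate and that Info.plist carries an ATS exception
// (NSExceptionAllowsInsecureHTTPLoads) for the accessory's host name.
final class AccessorySessionDelegate: NSObject, URLSessionDelegate {
    private let accessoryCA: SecCertificate
    private let log = Logger(subsystem: "com.example.accessory", category: "tls")

    init(accessoryCA: SecCertificate) { self.accessoryCA = accessoryCA }

    /// Evaluates `trust` against the embedded CA only.
    /// Returns nil on success, otherwise the reason evaluation failed.
    func evaluate(_ trust: SecTrust, host: String) -> Error? {
        // The SSL policy also checks that the leaf certificate's name matches
        // `host` (an IP host needs an IP SAN in the certificate); the basic
        // X.509 policy used in the question performs no host name check.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        SecTrustSetAnchorCertificates(trust, [accessoryCA] as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)   // ignore system roots
        var error: CFError?
        let ok = SecTrustEvaluateWithError(trust, &error)
        return ok ? nil : error.map { $0 as Error }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only override server trust; leave client auth, proxies etc. to the default.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if let error = evaluate(trust, host: space.host) {
            // Log why the chain was rejected and fail closed.
            log.error("server trust evaluation failed: \(error.localizedDescription)")
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Passing the error pointer to SecTrustEvaluateWithError, rather than nil as in the question, is what tells you which check rejected the chain when the handshake still fails.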