1 Reply
      Latest reply on Jan 12, 2017 2:16 AM by eskimo
      mikemckean Level 1 Level 1 (0 points)

        I'm currently working on an app that will connect via SSL to hardware devices via Wi-Fi. The hardware devices have a self-signed SSL certificate issued by our internal root CA. I'm attempting to use NSAllowsLocalNetworking to bypass ATS for these local SSL connections. We are performing a certificate trust evaluation to ensure that the presented certificate was issued by our root CA.


        So far, this has worked for me if the device I'm connecting to is on the same local subnet. In my office, where the device I'm connecting to is on another local subnet, these connections fail and I receive an error message: "An SSL error has occurred and a secure connection to the server cannot be made." To prove that something else wasn't causing the connection problem, I tried removing NSAllowsLocalNetworking while leaving NSAllowsArbitraryLoads, the connection then succeeds.


        The documentation for this setting says:

        An optional Boolean value that, when set to YES, removes App Transport Security protections for connections to unqualified domains and to .local domains, without disabling ATS for the rest of your app.


        In my case, the failing connections are being attempted to unqualified domains, so I'd expect this to work, even across subnets. Does anyone know if this is limited to a single subnet by design? If so, is there a known workaround? I'd prefer to avoid using NSAllowsArbitraryLoads and then having to try and justify this choice.

        • Re: NSAllowsLocalNetworking - connecting to devices on a different subnet
          eskimo Apple Staff Apple Staff (13,895 points)

          I'd prefer to avoid using NSAllowsArbitraryLoads …

          A very worthy goạl!

          In my office, where the device I'm connecting to is on another local subnet …

          Please clarify what you mean bay “another local subnet”.  Subnets are an IP term, but it sounds like you’re connecting via a DNS name rather than via an IP address.  What DNS names work and what DNS names fail?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"