Webview pass ClientCert Authen but timeout later

IMPORTANT Both

NSURLConnection

and

WebView

have been deprecated. I strongly recommend that you look at adopting their replacements (

NSURLSession

and

WKWebView

).

The fact that handling a client certificate authentication challenge in

NSURLConnection

would help with

WebView

was an artefact of the implementation rather than an explicit design decision. Specifically, both of these subsystems doing their networking in your process using the shared session (the same session you get to via

NSURLSession.sharedSession

) and thus ended up sharing entries in the TLS session cache (see QA1727 TLS Session Cache for more about that).

The failure you’re seeing is a result of those cache entries timing out. It’s hard to fix this because you’re not connected to the web view’s authentication challenge mechanism, and thus you don’t get notified of the timeout.

My recommendation is that you connect up to the web view’s authentication mechanism by implementing the

-webView:resource:didReceiveAuthenticationChallenge:fromDataSource:

delegate callback. My concern here is that this might not work for client certificate authentication challenges (

NSURLAuthenticationMethodClientCertificate

) because those challenges might not be delivered to your delegate (this is a weird historical edge case, and I don’t know how the legacy macOS

WebView

handles that).

The correct long-term solution is to use

WKWebView

, which definitely delivers the client certificate authentication challenge to its delegate (in this case

-webView:didReceiveAuthenticationChallenge:completionHandler:

). Alas, there’s a wrinkle there too. On currently shipping OS releases it’s not possible to successfully handle that challenge with

WKWebView

. You get the challenge and can respond to it but that response is ineffective. This bug has been fixed on the currently seeded version of iOS (iOS 12.0b6). I believe that fix also applies to the currently seeded version of macOS (10.14b7), but I haven’t personally verified this.

So, my advice:

• Whatever else you do, you should look at moving forward to

  WKWebView

  and

  NSURLSession

  .

• You should test whether

  WKWebView

  handles client certificate authentication challenges on the latest macOS 10.14 beta.

• For currently shipping systems, you should check whether

  WebView

  delivers client certificate authentication challenges to your delegate.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I try to change using WKWebview to load the webpage. However, the page can't load completely.

That mean it could receive response success, but all the resource content in the web page can't get.

I found all the resource in the page can't load with 403 forbidden. WKWebview load the html and i see pass the client cert authen. Is there any problem in this part ?

thanks

What OS release are you testing on? As I mentioned earlier,

WKWebView

has a bug that prevents it from responding property to client certificate authentication challenges (

NSURLAuthenticationMethodClientCertificate

) prior to iOS 12.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"