ProxyConfiguration in WKWebView doesn't allow trusting self-signed certificate

I have an HTTP3 relay setup and I'm trying to get WKWebView traffic to use it. The relay has a self-signed certificate for TLS traffic.

When using URLSession to make a call, everything works as expected, but in WKWebView, it doesn't.

Here is how I set up my ProxyConfiguration:

let options = NWProtocolTLS.Options()
// sample options to trust any certificate for testing
sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in
    sec_protocol_verify_complete(true)
}, DispatchQueue.global())

let relayServer = ProxyConfiguration.RelayHop(http3RelayEndpoint: relayEndpoint, tlsOptions: options)
let relayConfig = ProxyConfiguration(relayHops: [relayServer])

I connect that to my webview by simply doing the following:

let configuration = WKWebViewConfiguration()
configuration.websiteDataStore = WKWebsiteDataStore.nonPersistent()
configuration.websiteDataStore.proxyConfigurations = [relayConfig]

let webView = WKWebView(frame: .zero, configuration: configuration)

The sec_protocol_options_set_verify_block is never called for the WKWebView (it is when I use URLSession).

I get the following error in Xcode:

[pageProxyID=7, webPageID=8, PID=73105] WebPageProxy::didFailProvisionalLoadForFrame: frameID=1, isMainFrame=1, domain=NSURLErrorDomain, code=-1202, isMainFrame=1, willInternallyHandleFailure=0

Is there some API I am missing to get the webview to do custom TLS validation with an HTTP3 relay?

Posted by toddbohm. Post not yet marked as solved.
  • I'm having the same issue with the sec_protocol_options_set_challenge_block API as well. It seems the provided block does not run.

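As an added example (not code from the original post or from Apple), this is a verify block that accepts only one pinned relay certificate, where the post's test block accepts any certificate. The helper name `makePinnedRelayTLSOptions` and the fingerprint placeholder are assumptions, and the block only takes effect on code paths that actually invoke it, which the post reports WKWebView does not.

```swift
import CryptoKit
import Foundation
import Network
import Security

// Assumption: SHA-256 of the relay's DER-encoded certificate, obtained out of band.
// Placeholder value, replace it with the real fingerprint before use.
let pinnedLeafSHA256 = "<hex-sha256-of-relay-certificate>"

/// Hypothetical helper: TLS options that accept only the pinned relay certificate.
func makePinnedRelayTLSOptions(pinnedSHA256 pin: String) -> NWProtocolTLS.Options {
    let options = NWProtocolTLS.Options()
    sec_protocol_options_set_verify_block(options.securityProtocolOptions, { _, secTrust, complete in
        let trust = sec_trust_copy_ref(secTrust).takeRetainedValue()

        // The leaf certificate is the first entry of the presented chain.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            complete(false)
            return
        }

        // Compare the leaf's fingerprint with the pin and reject anything else.
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard fingerprint == pin.lowercased() else {
            complete(false)
            return
        }

        // Anchor evaluation to the pinned certificate only, so the trust
        // object's remaining policy checks (such as validity dates) still run.
        SecTrustSetAnchorCertificates(trust, [leaf] as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)
        var error: CFError?
        complete(SecTrustEvaluateWithError(trust, &error))
    }, DispatchQueue.global())
    return options
}
```

The returned options would be passed as `tlsOptions:` to `ProxyConfiguration.RelayHop(http3RelayEndpoint:tlsOptions:)` in place of the trust-all options shown in the post.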