User Profile

I have written a WebSocket client using Apple Network Framework in C++. I use a sec_protocol_options_set_verify_block to customize the server SSL certificate trust evaluation. This includes logic to append a revocation policy to the trust object like this: Code snippet If CRL checks are set to HARD i.e kSecRevocationRequirePositiveResponse bit is set. Then the evaluation always fails with Trust evaluation result - kSecTrustResultRecoverableTrustFailure and the revocation result is FALSE. The error code is -67635 corresponding to errSecIncompleteCertRevocationCheck. But weirdly the error message printed is  '"leafCert","CACert" certificates do not meet pinning requirements'. This does not match up to the error code seen. These are placeholder names for my self signed server certificates. The root is added to the Keychain and marked trusted in the keychain. If I put CRL checks to SOFT, no CRL check takes place but the trust evaluation succeeds. Putting the error message anomaly aside. If I run WireShark traces on the server machine where the CRL distribution point is also located, I do not see any HTTP requests coming in for the CRL list. I have checked the CRL DP URL in a browser and it is reachable. Is there something wrong with the policy creation process? Why is it not at least trying to access the CRL DP?