Search results for

eskimo

35,039 results found

Reply to Where to put a Swift framework for execution?
There’s really two questions here:
Where is your tool currently expecting the framework to be?
Where should the framework be?
With regards the first point, it’s hard to say given the info you’ve posted but it’s easy for you to work this for yourself: just run otool -L over the tool. For example, the following command shows which frameworks the scutil tool depends on and where those frameworks are expected to be:
$ otool -L /usr/sbin/scutil
/usr/sbin/scutil:
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1153.18.0)
    /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 699.30.1)
    /usr/lib/libedit.3.dylib (compatibility version 2.0.0, current version 3.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)
With regards your second question, if you want the framework to be available to all apps on the system you should put it in
Topic: Programming Languages SubTopic: Swift Tags:
Aug ’15
Reply to Swift, SSL Self Signed certificate IOS8+
OK, lots of points to cover here:
I’ve moved your thread to Core OS > Networking as this question is more about networking than it is about Swift.
If you’re writing new code you should use NSURLSession rather than NSURLConnection; we’re in the process of deprecating the latter in favour of the former.
You should read up on App Transport Security because that’s likely to impact on your product in the very near future.
Error -9813 is errSSLNoRootCert, implying that you really do have an HTTPS server trust evaluation problem. Technote 2232 HTTPS Server Trust Evaluation covers that topic in detail.
You’re calling NSURLConnection synchronously (using the +sendSynchronousRequest:xxx method). This is a bad idea in general for all sorts of reasons. I strongly recommend that you move to an async API. In fact, if you switch to NSURLSession you’ll find that it has no sync API.
With regards your attempted solution, the problem you’re having is that -connection:willSendRequestForAuthenticationChallenge: is an NSURLConnection
Aug ’15
Reply to Swift, SSL Self Signed certificate IOS8+
> Does that mean if we have SSL certificate with public key.
I presume you mean “HTTPS server certificate that’s trusted by the system by default”. All certificates contain a public key, even self-signed ones.
> We don’t have to change our code?
If the HTTPS server certificate is trusted by the system then you don’t need to override HTTPS server trust evaluation. That would allow your code as written to work. You’ll also be able to remove all the willSendRequestForAuthenticationChallenge goo, because that’s both ineffective and would be unnecessary. While NSURLConnection is being deprecated, and we advise against using synchronous APIs for networking, such techniques do still work and we expect them to continue to work for the foreseeable future.
The one gotcha is App Transport Security; as soon as you adopt the iOS 9 SDK you will have to worry about that.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Aug ’15
Reply to AppTransportSecurity + Self Signed certificate
> Our software communicates with devices on local network that have self signed certificates that our software can independently verify. However there doesn't seem to be a way to get this working with ATS, as canAuthenticateAgainstProtectionSpace and didReceiveAuthenticationChallenge are never called.
Correct. If the server is in a domain with ATS enabled, the connection will fail before these delegate callbacks are issued.
> We have no other options than using self signed certificates for the devices so right now the only option is to disable ATS completely. Is there anything else we can do?
If you always connect to the device via its .local name, you can disable ATS for just that domain. That’s better than disabling ATS entirely.
Alternatively, if the server can be in any domain, you could disable ATS entirely and then re-enable it for specific domains of interest to your app.
There is not, alas, a way to disable ATS for something like ‘local IP addresses’. This has been discussed in depth in another DevForums threa
Aug ’15
Reply to SSLHandshake(sslContext) returns -36
-36 is errSecIO. It’s likely that one of your I/O callback functions failed. What sort of TLS are you trying to do? The code snippet you posted implies that you’re doing TLS over TCP. If so, you’re way way way off in the weeds. Rather than trying to combine CFSocket and Secure Transport, you should just use CFSocketStream via the NSStream API. That’s a much higher-level API and is a lot easier to use.
The TLSTool sample code demonstrates this approach.
Now, there are good reasons for using Secure Transport directly, and there are (very few) good reasons for using CFSocket, but they all represent relatively obscure edge cases; most apps should use NSStream.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Aug ’15
Reply to NullAuthPlugin with Yosemite
There’s nothing fundamentally wrong with the code itself, but various environmental factors make it harder to use. You’ve figured one out already (the fact that you have to use the security tool to modify the authorisation database) and now you’re stuck on another (seeing your logging). This is actually easier than the current NullAuthPlugin docs would have you believe, it’s just that I didn’t understand ASL properly back when I wrote NullAuthPlugin )-:
The trick is:
continue to log your output at debug level (preferably with ASL rather than syslog, and thus using ASL_LEVEL_DEBUG)
change the ASL master filter mask to show debug messages
$ sudo syslog -c 0 -d
IMPORTANT Don’t forget the sudo. If you do, ASL doesn't print an error, it simply fails to adjust the mask (r. 18200871).
watch the log
$ syslog -w
As always, it's a good idea to run this last command over an SSH connection so that you can see these log messages show up in real time.
Finally, you can reset the master filter mask with the command shown below.
$ su
Topic: Privacy & Security SubTopic: General Tags:
Aug ’15
Reply to Needed details on Certificate validations mentioned in App Security TechNote?
> Also, Could you provide the actual trusted root CA certificates (actual certificates) for either iOS8 or iOS9?
The iOS 8 list is published by AppleCare as List of available trusted root certificates in iOS 8.
I fully expect that they will publish an equivalent article for iOS 9 once it’s all done but, as I don’t work for AppleCare, I can’t make commitments on their behalf.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Privacy & Security SubTopic: General Tags:
Aug ’15
Reply to Need the actual iOS8 trusted certificate files
There is no easy way to extract the list of trusted root certificates from iOS. You can get a specific one (by running a trust evaluation on a certificate that’s issued by that root) but there’s no API to enumerate them all.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Privacy & Security SubTopic: General Tags:
Aug ’15
Reply to SecKeyRef always nil in Xcode 7 Beta 5
Lots of folks use this technique so I’d be surprised if it was broken in general. Please post a specific example of what’s failing, that is, both the code and a hex dump of an example key.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Privacy & Security SubTopic: General Tags:
Aug ’15
Reply to What causes an error code 517 from NSString writeToFile?
> Try logging the error's localizedDescription() or other properties for a more detailed description of the problem.
That’s good advice.
Also, for Foundation errors like this one, you can find a list in <Foundation/FoundationErrors.h>. The symbolic value for 517 is NSFileWriteInapplicableStringEncodingError.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Programming Languages SubTopic: General Tags:
Aug ’15
Reply to Where to put a Swift framework for execution?
You need to read the dyld man page, which explains how these relative references work.
When you create a framework (from the Cocoa Framework template) it assumes that the framework will be embedded within your application, so it sets the Runpath Search Paths (LD_RUNPATH_SEARCH_PATHS) build setting to include directories that the framework would appear in a typical app. If you’re not using the framework embedded within your app, things get more complex. Do you plan to use the framework just in your tool? Or in other situations do you plan to use the framework embedded within an app?
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Programming Languages SubTopic: Swift Tags:
Aug ’15
Reply to SSLHandshake(sslContext) returns -36
There’s nothing preventing you from doing mutual authentication via the NSStream API. There are some edge cases that NSStream can’t handle (for example, you won’t be able to choose a different client identity based on the DN in the Server Hello, something that you can do with Secure Transport) but, in general, it works just fine.
If you have to stick with Secure Transport, you should read this post, which explains how to implement the read I/O function correctly.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Aug ’15
Reply to AppTransportSecurity + Self Signed certificate
> Will ATS be enforced during app review?
I don’t work for App Review and can’t give you definitive answers on their behalf; if you need a definitive answer, you will have to contact App Review directly.
My general advice on situations like this is:
If you think that ATS could reasonably provide an alternative solution that’d better meet your needs, file an enhancement request asking for that. In your case, however, I suspect that disabling ATS is the right solution.
If you have behaviour within your app that you’d like to explain to App Review, include a discussion of that behaviour in the review notes when you submit the app.
Share and Enjoy — Quinn The Eskimo! Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Aug ’15