General:
Forums subtopic: App & System Services > Networking
TN3151 Choosing the right networking API
Networking Overview document — Despite the fact that this is in the archive, this is still really useful.
TLS for App Developers forums post
Choosing a Network Debugging Tool documentation
WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi?
TN3135 Low-level networking on watchOS
TN3179 Understanding local network privacy
Adapt to changing network conditions tech talk
Understanding Also-Ran Connections forums post
Extra-ordinary Networking forums post
Foundation networking:
Forums tags: Foundation, CFNetwork
URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms.
Network framework:
Forums tag: Network
Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms.
Building a custom peer-to-peer protocol sample code (aka TicTacToe)
Implementing netcat with Network Framework sample code (aka nwcat)
Configuring a Wi-Fi accessory to join a network sample code
Moving from Multipeer Connectivity to Network Framework forums post
Network Extension (including Wi-Fi on iOS):
See Network Extension Resources
Wi-Fi Fundamentals
TN3111 iOS Wi-Fi API overview
Wi-Fi Aware framework documentation
Wi-Fi on macOS:
Forums tag: Core WLAN
Core WLAN framework documentation
Wi-Fi Fundamentals
Secure networking:
Forums tags: Security
Apple Platform Security support document
Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS).
Available trusted root certificates for Apple operating systems support article
Requirements for trusted certificates in iOS 13 and macOS 10.15 support article
About upcoming limits on trusted certificates support article
Apple’s Certificate Transparency policy support article
What’s new for enterprise in iOS 18 support article — This discusses new key usage requirements.
Technote 2232 HTTPS Server Trust Evaluation
Technote 2326 Creating Certificates for TLS Testing
QA1948 HTTPS and Test Servers
Miscellaneous:
More network-related forums tags: 5G, QUIC, Bonjour
On FTP forums post
Using the Multicast Networking Additional Capability forums post
Investigating Network Latency Problems forums post
WirelessInsights framework documentation
iOS Network Signal Strength
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Network
RSS for tagNetwork connections send and receive data using transport and security protocols.
Posts under Network tag
200 Posts
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
Questions about FTP crop up from time-to-time here on DevForums. In most cases I write a general “don’t use FTP” response, but I don’t have time to go into all the details. I’ve created this post as a place to collect all of those details, so I can reference them in other threads.
IMPORTANT Apple’s official position on FTP is:
All our FTP APIs have been deprecated, and you should avoid using deprecated APIs.
Apple has been slowly removing FTP support from the user-facing parts of our system. The most recent example of this is that we removed the ftp command-line tool in macOS 10.13.
You should avoid the FTP protocol and look to adopt more modern alternatives.
The rest of this post is an informational explanation of the overall FTP picture.
This post is locked so I can keep it focused. If you have questions or comments, please do create a new thread in the App & System Services > Networking subtopic and I’ll respond there.
Don’t Use FTP
FTP is a very old and very crufty protocol. Certain things that seem obvious to us now — like being able to create a GUI client that reliably shows a directory listing in a platform-independent manner — aren’t possible to do in FTP. However, by far the biggest problem with FTP is that it provides no security [1]. Specifically, the FTP protocol:
Provides no on-the-wire privacy, so anyone can see the data you transfer
Provides no client-authenticates-server authentication, so you have no idea whether you’re talking to the right server
Provides no data integrity, allowing an attacker to munge your data in transit
Transfers user names and passwords in the clear
Using FTP for anonymous downloads may be acceptable (see the explanation below) but most other uses of FTP are completely inappropriate for the modern Internet.
IMPORTANT You should only use FTP for anonymous downloads if you have an independent way to check the integrity of the data you’ve downloaded. For example, if you’re downloading a software update, you could use code signing to check its integrity. If you don’t check the integrity of the data you’ve downloaded, an attacker could substitute a malicious download instead. This would be especially bad in, say, the software update case.
These fundamental problems with the FTP protocol mean that it’s not a priority for Apple. This is reflected in the available APIs, which is the subject of the next section.
FTP APIs
Apple provides two FTP APIs:
All Apple platforms provide FTP downloads via URLSession.
Most Apple platforms (everything except watchOS) support CFFTPStream, which allows for directory listings, downloads, uploads, and directory creation.
All of these FTP APIs are now deprecated:
URLSession was deprecated for the purposes of FTP in the 2022 SDKs (macOS 13, iOS 16, iPadOS 16, tvOS 16, watchOS 9) [2].
CFFTPStream was deprecated in the 2016 SDKs (macOS 10.11, iOS 9, iPadOS 9, tvOS 9).
CFFTPStream still works about as well as it ever did, which is not particularly well. Specifically:
There is at least one known crashing bug (r. 35745763), albeit one that occurs quite infrequently.
There are clear implementation limitations — like the fact that CFFTPCreateParsedResourceListing assumes a MacRoman text encoding (r. 7420589) — that won’t be fixed.
If you’re looking for an example of how to use these APIs, check out SimpleFTPSample.
Note This sample hasn’t been updated since 2013 and is unlikely to ever be updated given Apple’s position on FTP.
The FTP support in URLSession has significant limitations:
It only supports FTP downloads; there’s no support for uploads or any other FTP operations.
It doesn’t support resumable FTP downloads [3].
It doesn’t work in background sessions. That prevents it from running FTP downloads in the background on iOS.
It’s only supported in classic loading mode. See the usesClassicLoadingMode property and the doc comments in <Foundation/NSURLSession.h>.
If Apple’s FTP APIs are insufficient for your needs, you’ll need to write or acquire your own FTP library. Before you do that, however, consider switching to an alternative protocol. After all, if you’re going to go to the trouble of importing a large FTP library into your code base, you might as well import a library for a better protocol. The next section discusses some options in this space.
Alternative Protocols
There are numerous better alternatives to FTP:
HTTPS is by far the best alternative to FTP, offering good security, good APIs on Apple platforms, good server support, and good network compatibility. Implementing traditional FTP operations over HTTPS can be a bit tricky. One possible way forward is to enable DAV extensions on the server.
FTPS is FTP over TLS (aka SSL). While FTPS adds security to the protocol, which is very important, it still inherits many of FTP’s other problems. Personally I try to avoid this protocol.
SFTP is a file transfer protocol that’s completely unrelated to FTP. It runs over SSH, making it a great alternative in many of the ad hoc setups that traditionally use FTP.
Apple doesn’t have an API for either FTPS or SFTP, although on macOS you may be able to make some headway by invoking the sftp command-line tool.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] In another thread someone asked me about FTP’s other problems, those not related to security, so let’s talk about that.
One of FTP’s implicit design goals was to provide cross-platform support that exposes the target platform. You can think of FTP as being kinda like telnet. When you telnet from Unix to VMS, it doesn’t aim to abstract away VMS commands, so that you can type Unix commands at the VMS prompt. Rather, you’re expected to run VMS commands. FTP is (a bit) like that.
This choice made sense back when the FTP protocol was invented. Folks were expecting to use FTP via a command-line client, so there was a human in the loop. If they ran a command and it produced VMS-like output, that was fine because they knew that they were FTPing into a VMS machine.
However, most users today are using GUI clients, and this design choice makes it very hard to create a general GUI client for FTP. Let’s consider the simple problem of getting the contents of a directory. When you send an FTP LIST command, the server would historically run the platform native directory list command and pipe the results back to you. To create a GUI client you have to parse that data to extract the file names. Doing that is a serious challenge. Indeed, just the first step, working out the text encoding, is a challenge. Many FTP servers use UTF-8, but some use ISO-Latin-1, some use other standard encodings, some use Windows code pages, and so on.
I say “historically” above because there have been various efforts to standardise this stuff, both in the RFCs and in individual server implementations. However, if you’re building a general client you can’t rely on these efforts. After all, the reason why folks continue to use FTP is because of it widespread support.
[2] To quote the macOS 13 Ventura Release Notes:
FTP is deprecated for URLSession and related APIs. Please adopt
modern secure networking protocols such as HTTPS. (92623659)
[3] Although you can implement resumable downloads using the lower-level CFFTPStream API, courtesy of the kCFStreamPropertyFTPFileTransferOffset property.
Revision History
2025-10-06 Explained that URLSession only supports FTP in classic loading mode. Made other minor editorial changes.
2024-04-15 Added a footnote about FTP’s other problems. Made other minor editorial changes.
2022-08-09 Noted that the FTP support in URLSession is now deprecated. Made other minor editorial changes.
2021-04-06 Fixed the formatting. Fixed some links.
2018-02-23 First posted.
I investigated what network interface names are assigned to carrier networks on a dual SIM iPhone by examining the output of getifaddrs(). (An part of the program used for this is provided below.)
//////////////
struct ifaddrs *interfaces = NULL;
struct ifaddrs *an_interface = NULL;
if (0 == getifaddrs(&interfaces)) {
an_interface = interfaces;
while (an_interface != NULL) {
if( an_interface->ifa_addr->sa_family == AF_INET) {
NSString* name = [NSString stringWithUTF8String:an_interface->ifa_name];
NSLog(@"Interface name is: %@", name);
}
an_interface = an_interface->ifa_next;
}
}
freeifaddrs(interfaces);
In this investigation, it appeared that the interface name for the sXGP SIM selected under "iPhone > Settings > Cellular > Cellular Data" was always "pdp_ip0".
(A screenshot of "Cellular Data" is provided below. this is sample of sXGP selected )"
[QUESTION]
Is the SIM selected in Settings of iPhone always assigned to "pdp_ip0"?
[BACKGROUND]
I am developing a VoIP application and opening sockets by specifying IP addresses for communication.
On a dual SIM iPhone, multiple networks (IP addresses) are visible. Therefore, I need to determine which network to use. My question is whether I can reliably make this decision based on the network interface name.
If the SIM selected in Settings is always assigned to "pdp_ip0", I intend to open the socket using the IP address of "pdp_ip0".
Alternatively, should I use a different method to select the appropriate network interface?
For testing purposes we have code that calls SecTrustEvaluateAsyncWithError() with a trust object containing a hardcoded leaf certificate and the corresponding intermediate certificate required to form a valid chain. Because the leaf certificate has since expired we pass a date in the past via SecTrustSetVerifyDate() at wich the certificate was still valid, but trust evaluation fails:
Error Domain=NSOSStatusErrorDomain Code=-67825 "“<redacted>” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“<redacted>” certificate is not standards compliant, NSUnderlyingError=0x600000c282a0 {Error Domain=NSOSStatusErrorDomain Code=-67825 "Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;" UserInfo={NSLocalizedDescription=Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;}}}
I know that App Transport Security enforces Certificate Transparency by default, but is there a way around that here?
Title / Summary
Crash in libquic.dylib when app is backgrounded and issues an HTTP/3 request
Description
On iOS 26, the app crashes inside libquic.dylib while performing a network request using HTTP/3 (QUIC) after the app has moved to the background. The crash happens within low-level QUIC / libquic internals.
Reproduction Steps
Launch the app, perform normal operations.
Background the app (press home / switch away).
While in background, trigger a network request that uses HTTP/3 / QUIC.
Observe that the app crashes (stack trace pointing into libquic.dylib).
Expected Behavior
The HTTP/3 request in background should either be handled gracefully (fail or complete) without causing a crash; the app must not be terminated due to internal libquic failures.
Actual Behavior
The app crashes with signals/exceptions coming from libquic.dylib (in the QUIC / packet building / encryption / key state logic) when a HTTP/3 request is made in background.
Environment / Device Information
• OS: iOS 26
• Device: iPhone 13 Pro Max
• Network environment: (Wi-Fi / Cellular)
• HTTP/3 support: enabled in URLSession / Network framework
Stack Trace:
8eedc0df3d914b0faf8def9af3b21574-symbolicated.crash
I was exploring the scenarios where an NWListener or NWConnection can be invalidated or reclaimed by the OS itself.
I came across the document TN2277: Networking and Multitasking, which discusses situations where iOS can reclaim the underlying socket descriptor.
The document states:
while the app is suspended the system may choose to reclaim resources out from underneath a network socket used by the app, thereby closing the network connection represented by that socket.
From this, I understand that when the app is in a suspended state, the OS may reclaim the socket descriptor.
My questions are:
In what scenarios does the OS not reclaim the socket descriptor while the app is suspended, and in which cases does it reclaim it?
When reclamation occurs, does the OS reclaim 'a' single NWListener/NWConnection, or does it reclaim 'all' NWListener/NWConnections opened by the application?
Thanks.
We are using wifi_aware demo at https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps. We use iPhone 16 with ios26 to install this app successfully for the first time. After then we want to remove some paired devices, but the function used to delete paired device is not founded. So we uninstall the app, and intend to install it again. This time, it jump to the interface displaying the message "This device does not support Wi-Fi Aware". We are confused by this and don't know what to do. Instead of using other devices, how can we successfully install the app on this device. The iphone, Apple computer and Xcode environment maintain the same for sure. We sincerely appreciate your reply.
Hello Apple Support Team,
We are experiencing a performance issue with HTTP/3 in our iOS application during testing.
Problem Description:
Network requests using HTTP/3 are significantly slower than expected. This issue occurs on both Wi-Fi and 4G networks, with both IPv4 and IPv6. The same setup worked correctly in an earlier experiment.
Key Observations:
The slowdown disappears when the device uses:
· A personal hotspot.
· Network Link Conditioner (with no limitations applied).
· Internet sharing from a MacBook via USB (where traffic was also inspected with Wireshark without issues).
The problem is specific to HTTP/3 and does not occur with HTTP/2.
The issue is reproducible on iOS 15, 18.7, and the latest iOS 26 beta.
HTTP/3 is confirmed to be active (via assumeHttp3Capable and Alt-Svc header).
Crucially, the same backend endpoint works with normal performance on Android devices and using curl with HTTP/3 support from the same network.
I've checked the CFNetwork logs in the Console but haven't found any suspicious errors or obvious clues that explain the slowdown.
We are using a standard URLSession with basic configuration.
Attempted to collect qlog diagnostics by setting the QUIC_LOG_DIRECTORY=~/ tmp environment variable, but the logs were not generated.
Question:
What could cause HTTP/3 performance to improve only when the device is connected through a hotspot, unrestricted Network Link Conditioner, or USB-tethered connection? The fact that Android and curl work correctly points to an issue specific to the iOS network stack. Are there known conditions or policies (e.g., related to network interface handling, QoS, or specific packet processing) that could lead to this behavior?
Additionally, why might the qlog environment variable fail to produce logs, and are there other ways to obtain detailed HTTP/3 diagnostic information from iOS?
Any guidance on further diagnostic steps or specific system logs to examine would be greatly appreciated.
Thank you for your assistance.
Background
Android phones supporting Wi-Fi Aware 4.0 should be able to connect with iPhones (iOS 26). For testing, we selected two Samsung S25 devices, which support Wi-Fi Aware 4.0.
Issues we are facing
Android as Publisher, iOS as Subscriber.iOS cannot discover the service. Log shows: Discovery: Dropping event, 02:14:60:76:a6:0f missing DCEA attribute.
iOS as Publisher, Android as Subscriber,Android can discover the service.However, the PIN code is not displayed on iOS.
From the packet capture, the publish packet does not contain the DCEA field. However, Android-to-Android devices can still pair normally, and the subsequent PASN packets include the DCEA field. It seems that the Wi-Fi Alliance only requires the DCEA to be present in the PASN packets.
iOS cannot discover Android devices or complete pairing — is this caused by the DCEA field, or by other reasons?
Eager to see the Wi-Fi Aware communication between iPhone (iOS 26) and an Android device, I tried iOS 26 beta on my iPhone16. and tried below code snippet from provided example at https://developer.apple.com/documentation/wifiaware/building-peer-to-peer-apps. Idea is to first verify discovery of Android WiFiAware service on iOS.
extension WAPublishableService {
public static var simulationService: WAPublishableService {
allServices[simulationServiceName]!
}
}
extension WASubscribableService {
public static var simulationService: WASubscribableService {
allServices[simulationServiceName]!
}
}
struct ContentView: View {
@State private var showingDevicePicker = false
@State private var pairedDevices: [WAPairedDevice] = [] // To hold discovered/paired devices
var body: some View {
VStack {
Button("Discover Devices") {
showingDevicePicker = true // Trigger the device picker presentation
}
.sheet(isPresented: $showingDevicePicker) {
DevicePicker(.wifiAware(.connecting(to: .selected([]), from: .simulationService))) { endpoint in
print("Paired Endpoint: \(endpoint)")
} label: {
Image(systemName: "plus")
Text("Add Device")
} fallback: {
Image(systemName: "xmark.circle")
Text("Unavailable")
}
}
List(pairedDevices) { device in
Text(device.name ?? "Unknown Device")
}
}
}
}
With suggested entitlement of WiFiAware and info.plist of service info.
Then I had Android device with WIFiAware service publishing service (service name set '_sat-simulation._udp') from this app https://github.com/anagramrice/NAN.
But above iOS app is unable to find the service published from android device.
Am I missing something?
Note: the above Android-NAN app seems to be working fine between Android to Another Android.
I'm currently exploring Instruments for profiling and tracing on macOS 15.6.1. I know there is the "network connections" instrument which records TCP/UDP information, however it seems to not include the "lo0" (loopback) interface.
Is there a way to configure it so that localhost traffic is included in the recording? as the application I'm tracing uses that and I want that information to be included in traces.
The documentation for network-interface-detection schema makes no mention of how it detects interfaces.
Thanks in advance.
Our product (rockhawk.ca) uses the Multipeer Connectivity framework for peer-to-peer communication between multiple iOS/iPadOS devices. My understanding is that MC framework communicates via three methods: 1) infrastructure wifi (i.e. multiple iOS/iPadOS devices are connected to the same wifi network), 2) peer-to-peer wifi, or 3) Bluetooth. In my experience, I don't believe I've seen MC use Bluetooth. With wifi turned off on the devices, and Bluetooth turned on, no connection is established. With wifi on and Bluetooth off, MC works and I presume either infrastructure wifi (if available) or peer-to-peer wifi are used.
I'm trying to overcome two issues:
Over time (since iOS 9.x), the radio transmit strength for MC over peer-to-peer wifi has decreased to the point that range is unacceptable for our use case. We need at least 150 feet range.
We would like to extend this support to watchOS and the MC framework is not available.
Regarding #1, I'd like to confirm that if infrastructure wifi is available, MC uses it. If infrastructure wifi is not available, MC uses peer-to-peer wifi. If this is true, then we can assure our customers that if infrastructure wifi is available at the venue, then with all devices connected to it, range will be adequate.
If infrastructure wifi is not available at the venue, perhaps a mobile wifi router (battery operated) could be set up, devices connected to it, then range would be adequate. We are about to test this. Reasonable?
Can we be assured that if infrastructure wifi is available, MC uses it?
Regarding #2, given we are targeting minimum watchOS 7.0, would the available networking APIs and frameworks be adequate to implement our own equivalent of the MC framework so our app on iOS/iPadOS and watchOS devices could communicate? How much work? Where would I start? I'm new to implementing networking but experienced in using the MC framework. I'm assuming that I would write the networking code to use infrastructure wifi to achieve acceptable range.
Many thanks!
Tim
Hi.
We are writing to report a critical issue we've encountered following the recent release of iOS 26 beta 6.
After updating our test devices, we discovered that our application is no longer able to establish HTTPS connections to several of our managed FQDNs. This issue was not present in beta 5 and appears to be a direct result of changes introduced in beta 6.
The specific FQDNs that are currently unreachable are:
d.socdm.com
i.socdm.com
tg.scodm.com
We have reviewed the official iOS & iPadOS 26 Beta 6 Release Notes, particularly the updates related to TLS. While the notes mention changes, we have confirmed that our servers for all affected FQDNs support TLS 1.2, so we believe they should still be compliant.
We have also investigated several of Apple's support documents regarding TLS connection requirements (e.g., HT214774, HT214041), but the information does not seem to apply to our situation, and we are currently unable to identify the root cause of this connection failure.
https://support.apple.com/en-us/102028
https://support.apple.com/en-us/103214
Although we hope this issue might be resolved in beta 7 or later, the official release is fast approaching, and this has become a critical concern for us.
Could you please provide any advice or insight into what might be causing this issue? Any guidance on potential changes in the networking or security frameworks in beta 6 that could affect TLS connections would be greatly appreciated.
We have attached the relevant code snippet that triggers the error, along with the corresponding Xcode logs, for your review.
Thank you for your time and assistance.
#import "ViewController.h"
@interface ViewController ()
@end
@implementation ViewController
- (void)viewDidLoad {
[super viewDidLoad];
NSURL *url = [NSURL URLWithString:@"https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js"];
NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:url
cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
timeoutInterval:30.0];
[self sendWithRequest:req completionHandler:^(NSData *_Nullable data,
NSHTTPURLResponse *_Nonnull response,
NSError *_Nullable error) {
if (error){
NSLog(@"Error occurred: %@", error.localizedDescription);
return;
}else{
NSLog(@"Success! Status Code: %ld", (long)response.statusCode);
}
}];
}
- (void) sendWithRequest:(NSMutableURLRequest *)request
completionHandler:(void (^ _Nullable)(NSData *_Nullable data,
NSHTTPURLResponse *response,
NSError *_Nullable error))completionHandler {
NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];
NSURLSession *session = nil;
session = [NSURLSession sessionWithConfiguration:configuration
delegate:self
delegateQueue:nil];
NSURLSessionTask *task = [session dataTaskWithRequest:request
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
[session finishTasksAndInvalidate];
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
if (error) {
if (completionHandler) {
completionHandler(nil, httpResponse, error);
}
}
else {
if (completionHandler) {
completionHandler(data, httpResponse, nil);
}
}
}];
[task resume];
}
@end
error
Connection 1: default TLS Trust evaluation failed(-9807)
Connection 1: TLS Trust encountered error 3:-9807
Connection 1: encountered error(3:-9807)
Task <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x10621ca00) s: *.socdm.com i: GlobalSign RSA OV SSL CA 2018>",
"<cert(0x106324e00) s: GlobalSign RSA OV SSL CA 2018 i: GlobalSign>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js, NSErrorFailingURLStringKey=https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js, NSUnderlyingError=0x1062bf960 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x10609d140>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x10621ca00) s: *.socdm.com i: GlobalSign RSA OV SSL CA 2018>",
"<cert(0x106324e00) s: GlobalSign RSA OV SSL CA 2018 i: GlobalSign>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1>"
), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x10609d140>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk.}
Error occurred: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk.
折りたたむ
There appears to be some unexplained change in behaviour in the recent version of macos 15.6.1 which is causing the BSD socket sendto() syscall to no longer send the data when the source socket is bound to a IPv4-mapped IPv6 address.
I have attached a trivial native code which reproduces the issue. What this reproducer does is explained as a comment on that code's main() function:
// Creates a AF_INET6 datagram socket, marks it as dual socket (i.e. IPV6_V6ONLY = 0),
// then binds the socket to a IPv4-mapped IPv6 address (chosen on the host where this test runs).
//
// The test then uses sendto() to send some bytes. For the sake of this test, it uses the same IPv4-mapped
// IPv6 address as the destination address to sendto(). The test then waits for (a maximum of) 15 seconds to
// receive that sent message by calling recvfrom().
//
// The test passes on macos (x64 and aarch64) hosts of versions 12.x, 13.x, 14.x and 15.x upto 15.5.
// Only on macos 15.6.1 and the recent macos 26, the test fails. Specifically, the first message that is
// sent using sendto() is never sent (and thus the recvfrom()) times out. sendto() however returns 0,
// incorrectly indicating a successful send. Interesting, if you repeat sendto() a second message from the
// same bound socket to the exact same destination address, the send message is indeed correctly sent and
// received immediately by the recvfrom(). It's only the first message which goes missing (the test uses
// unique content in each message to be sure which exact message was received and it has been observed that
// only the second message is received and the first one lost).
//
// Logs collected using "sudo log collect --last 2m" (after the test program returns) shows the following log
// message, which seem relevant:
// ...
// default kernel cfil_hash_entry_log:6088 <CFIL: Error: sosend_reinject() failed>:
// [86868 a.out] <UDP(17) out so 59faaa5dbbcef55d 127846646561221313 127846646561221313 age 0>
// lport 65051 fport 65051 laddr 192.168.1.2 faddr 192.168.1.2 hash 201AAC1
// default kernel cfil_service_inject_queue:4472 CFIL: sosend() failed 22
// ...
//
As noted, this test passes without issues on various macosx version (12 through 15.5), both x64 and aarch64 but always fails against 15.6.1. I have been told that it also fails on the recently released macos 26 but I don't have access to such host to verify it myself.
The release notes don't usually contain this level of detail, so it's hard to tell if something changed intentionally or if this is a bug. Should I report this through the feedback assistant?
Attached is the source of the reproducer, run it as:
clang dgramsend.c
./a.out
On macos 15.6.1, you will see that it will fail to send (and thus receive) the message on first attempt but the second one passes:
...
created and bound a datagram dual socket to ::ffff:192.168.1.2:65055
::ffff:192.168.1.2:65055 sendto() ::ffff:192.168.1.2:65055
---- Attempt 1 ----
sending greeting "hello 1"
sendto() succeeded, sent 8 bytes
calling recvfrom()
receive timed out
---------------------
---- Attempt 2 ----
sending greeting "hello 2"
sendto() succeeded, sent 8 bytes
calling recvfrom()
received 8 bytes: "hello 2"
---------------------
TEST FAILED
...
The output "log collect --last 2m" contains a related error (and this log message consistently shows up every time you run that reproducer):
...
default kernel cfil_hash_entry_log:6088 <CFIL: Error: sosend_reinject() failed>:
[86248 a.out] <UDP(17) out so 59faaa5dbbcef55d 127846646561221313 127846646561221313 age 0>
lport 65055 fport 65055 laddr 192.168.1.2 faddr 192.168.1.2 hash 201AAC1
default kernel cfil_service_inject_queue:4472 CFIL: sosend() failed 22
...
I don't know what it means though.
dgramsend.c
This is a major issue. After my iPhone 12 Pro was upgraded to iOS 26 beta 6, Apple's official Wi-Fi Aware Sample APP crashed immediately and couldn't be opened. It just force closes.
Has any developer encountered this problem?
The app “Wi-Fi Aware Sample” on Bojie的iPhone quit unexpectedly.
Domain: IDEDebugSessionErrorDomain
Code: 20
Failure Reason: Message from debugger: The LLDB RPC server has crashed. You may need to manually terminate your process. The crash log is located in ~/Library/Logs/DiagnosticReports and has a prefix 'lldb-rpc-server'. Please file a bug and attach the most recent crash log.
User Info: {
DVTErrorCreationDateKey = "2025-09-17 10:26:56 +0000";
IDEDebugSessionErrorUserInfoUnavailabilityError = "Error Domain=com.apple.dt.deviceprep Code=-10 "Fetching debug symbols for Bojie\U7684iPhone" UserInfo={NSLocalizedRecoverySuggestion=Xcode will continue when the operation completes., NSLocalizedDescription=Fetching debug symbols for Bojie\U7684iPhone}";
IDERunOperationFailingWorker = DBGLLDBLauncher;
}
Event Metadata: com.apple.dt.IDERunOperationWorkerFinished : {
"device_identifier" = "00008101-001E29E01E63003A";
"device_isCoreDevice" = 1;
"device_model" = "iPhone13,3";
"device_osBuild" = "26.0 (23A341)";
"device_osBuild_monotonic" = 2300034100;
"device_os_variant" = 1;
"device_platform" = "com.apple.platform.iphoneos";
"device_platform_family" = 2;
"device_reality" = 1;
"device_thinningType" = "iPhone13,3";
"device_transport" = 1;
"dvt_coredevice_version" = "477.23";
"dvt_coredevice_version_monotonic" = 477023000000000;
"dvt_coresimulator_version" = 1043;
"dvt_coresimulator_version_monotonic" = 1043000000000000;
"dvt_mobiledevice_version" = "1818.0.1";
"dvt_mobiledevice_version_monotonic" = 1818000001000000;
"launchSession_schemeCommand" = Run;
"launchSession_schemeCommand_enum" = 1;
"launchSession_targetArch" = arm64;
"launchSession_targetArch_enum" = 6;
"operation_duration_ms" = 1922640;
"operation_errorCode" = 20;
"operation_errorDomain" = IDEDebugSessionErrorDomain;
"operation_errorWorker" = DBGLLDBLauncher;
"operation_error_reportable" = 1;
"operation_name" = IDERunOperationWorkerGroup;
"operation_unavailabilityErrorCode" = "-10";
"operation_unavailabilityErrorDomain" = "com.apple.dt.deviceprep";
"param_consoleMode" = 1;
"param_debugger_attachToExtensions" = 0;
"param_debugger_attachToXPC" = 1;
"param_debugger_type" = 3;
"param_destination_isProxy" = 0;
"param_destination_platform" = "com.apple.platform.iphoneos";
"param_diag_MainThreadChecker_stopOnIssue" = 0;
"param_diag_MallocStackLogging_enableDuringAttach" = 0;
"param_diag_MallocStackLogging_enableForXPC" = 1;
"param_diag_allowLocationSimulation" = 1;
"param_diag_checker_mtc_enable" = 1;
"param_diag_checker_tpc_enable" = 1;
"param_diag_gpu_frameCapture_enable" = 0;
"param_diag_gpu_shaderValidation_enable" = 0;
"param_diag_gpu_validation_enable" = 0;
"param_diag_guardMalloc_enable" = 0;
"param_diag_memoryGraphOnResourceException" = 0;
"param_diag_queueDebugging_enable" = 1;
"param_diag_runtimeProfile_generate" = 0;
"param_diag_sanitizer_asan_enable" = 0;
"param_diag_sanitizer_tsan_enable" = 0;
"param_diag_sanitizer_tsan_stopOnIssue" = 0;
"param_diag_sanitizer_ubsan_enable" = 0;
"param_diag_sanitizer_ubsan_stopOnIssue" = 0;
"param_diag_showNonLocalizedStrings" = 0;
"param_diag_viewDebugging_enabled" = 1;
"param_diag_viewDebugging_insertDylibOnLaunch" = 1;
"param_install_style" = 2;
"param_launcher_UID" = 2;
"param_launcher_allowDeviceSensorReplayData" = 0;
"param_launcher_kind" = 0;
"param_launcher_style" = 99;
"param_launcher_substyle" = 0;
"param_lldbVersion_component_idx_1" = 0;
"param_lldbVersion_monotonic" = 170300230950;
"param_runnable_appExtensionHostRunMode" = 0;
"param_runnable_productType" = "com.apple.product-type.application";
"param_testing_launchedForTesting" = 0;
"param_testing_suppressSimulatorApp" = 0;
"param_testing_usingCLI" = 0;
"sdk_canonicalName" = "iphoneos26.0";
"sdk_osVersion" = "26.0";
"sdk_platformID" = 2;
"sdk_variant" = iphoneos;
"sdk_version_monotonic" = 2300527605;
}
System Information
macOS Version 15.5 (Build 24F74)
Xcode 26.0 (24141.31) (Build 17A5241o)
Timestamp: 2025-09-17T18:26:56+08:00
With Let's Encrypt having completely dropped support for OCSP recently [1], I wanted to ask if macOS has a means of keeping up to date with their CRLs and if so, roughly how often this occurs?
I first observed an issue where a revoked-certificate test site, "revoked.badssl.com" (cert signed by Let's Encrypt), was not getting blocked on any browser, when a revocation policy was set up using the SecPolicyCreateRevocation API, in tandem with the kSecRevocationUseAnyAvailableMethod and kSecRevocationPreferCRL flags.
After further investigation, I noticed that even on a fresh install of macOS, Safari does not block this test website, while Chrome and Firefox (usually) do, due to its revoked certificate. Chrome and Firefox both have their own means of dealing with CRLs, while I assume Safari uses the system Keychain and APIs.
I checked cert info for the site here [2]. It was issued on 2025-07-01 20:00 and revoked an hour later.
[1] https://letsencrypt.org/2024/12/05/ending-ocsp/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=revoked.badssl.com
I am using a custom PAC file in network settings and till now with Sonoma & Sequoia OS, it was working perfectly fine and I was able to redirect traffic to my proxy server.
After upgrading to MacOS Tahoe, this stopped working completely. What is happening now is no url is opening on my machine with Chrome & Firefox browser, but somehoe Safari is working. After checking, I found that my deployed network extension is intercepting traffic and allowing it to pass. But still, the pac file is not working.
Are there any changes done in MacOS Tahoe regarding this PAC file? How can I resolve this issue?
Starting with macOS 15 (Sequoia), applications that perform network discovery operations now trigger a permission prompt: "Allow [AppName] to find devices on local networks".
I am using sysctl() with NET_RT_FLAGS and RTF_LLINFO to access the ARP table and retrieve gateway MAC addresses:
int mib[6];
mib[0] = CTL_NET;
mib[1] = PF_ROUTE;
mib[2] = 0;
mib[3] = AF_INET;
mib[4] = NET_RT_FLAGS;
mib[5] = RTF_LLINFO; // This flag accesses ARP table entries
if (sysctl(mib, 6, buf, &needed, NULL, 0) < 0)
return nil;
From my testing, the Local Network Access prompt does not always appear.
It looks like if the MAC address is already cached in the ARP table, no prompt is shown, and the prompt only appears when the system needs to resolve a new MAC address.
Is this correct behavior?
Does ARP resolution by itself triggering the prompt?
At WWDC 2015 Apple announced two major enhancements to the Network Extension framework:
Network Extension providers — These are app extensions that let you insert your code at various points within the networking stack, including:
Packet tunnels via NEPacketTunnelProvider
App proxies via NEAppProxyProvider
Content filters via NEFilterDataProvider and NEFilterControlProvider
Hotspot Helper (NEHotspotHelper) — This allows you to create an app that assists the user in navigating a hotspot (a Wi-Fi network where the user must interact with the network in order to get access to the wider Internet).
Originally, using any of these facilities required authorisation from Apple. Specifically, you had to apply for, and be granted access to, a managed capability. In Nov 2016 this policy changed for Network Extension providers. Any developer can now use the Network Extension provider capability like they would any other capability.
There is one exception to this rule: Network Extension app push providers, introduced by iOS 14 in 2020, still requires that Apple authorise the use of a managed capability. To apply for that, follow the link in Local push connectivity.
Also, the situation with Hotspot Helpers remains the same: Using a Hotspot Helper, requires that Apple authorise that use via a managed capability. To apply for that, follow the link in Hotspot helper.
IMPORTANT Pay attention to this quote from the documentation:
NEHotspotHelper is only useful for hotspot integration. There are
both technical and business restrictions that prevent it from being
used for other tasks, such as accessory integration or Wi-Fi based
location.
The rest of this document answers some frequently asked questions about the Nov 2016 change.
#1 — Has there been any change to the OS itself?
No, this change only affects the process by which you get the capabilities you need in order to use existing Network Extension framework facilities. Previously these were managed capabilities, meaning their use was authorised by Apple. Now, except for app push providers and Hotspot Helper, you can enable the necessary capabilities using Xcode’s Signing & Capabilities editor or the Developer website.
IMPORTANT Some Network Extension providers have other restrictions on their use. For example, a content filter can only be used on a supervised device. These restrictions are unchanged. See TN3134 Network Extension provider deployment for the details.
#2 — How exactly do I enable the Network Extension provider capability?
In the Signing & Capabilities editor, add the Network Extensions capability and then check the box that matches the provider you’re creating.
In the Certificates, Identifiers & Profiles section of the Developer website, when you add or edit an App ID, you’ll see a new capability listed, Network Extensions. Enable that capability in your App ID and then regenerate the provisioning profiles based on that App ID.
A newly generated profile will include the com.apple.developer.networking.networkextension entitlement in its allowlist; this is an array with an entry for each of the supported Network Extension providers. To confirm that this is present, dump the profile as shown below.
$ security cms -D -i NETest.mobileprovision
…
<plist version="1.0">
<dict>
…
<key>Entitlements</key>
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
<string>content-filter-provider</string>
<string>app-proxy-provider</string>
… and so on …
</array>
…
</dict>
…
</dict>
</plist>
#3 — I normally use Xcode’s Signing & Capabilities editor to manage my entitlements. Do I have to use the Developer website for this?
No. Xcode 11 and later support this capability in the Signing & Capabilities tab of the target editor (r. 28568128 ).
#4 — Can I still use Xcode’s “Automatically manage signing” option?
Yes. Once you modify your App ID to add the Network Extension provider capability, Xcode’s automatic code signing support will include the entitlement in the allowlist of any profiles that it generates based on that App ID.
#5 — What should I do if I previously applied for the Network Extension provider managed capability and I’m still waiting for a reply?
Consider your current application cancelled, and use the new process described above.
#6 — What should I do if I previously applied for the Hotspot Helper managed capability and I’m still waiting for a reply?
Apple will continue to process Hotspot Helper managed capability requests and respond to you in due course.
#7 — What if I previously applied for both Network Extension provider and Hotspot Helper managed capabilities?
Apple will ignore your request for the Network Extension provider managed capability and process it as if you’d only asked for the Hotspot Helper managed capability.
#8 — On the Mac, can Developer ID apps host Network Extension providers?
Yes, but there are some caveats:
This only works on macOS 10.15 or later.
Your Network Extension provider must be packaged as a system extension, not an app extension.
You must use the *-systemextension values for the Network Extension entitlement (com.apple.developer.networking.networkextension).
For more on this, see Exporting a Developer ID Network Extension.
#9 — After moving to the new process, my app no longer has access to the com.apple.managed.vpn.shared keychain access group. How can I regain that access?
Access to this keychain access group requires another managed capability. If you need that, please open a DTS code-level support request and we’ll take things from there.
IMPORTANT This capability is only necessary if your VPN supports configuration via a configuration profile and needs to access credentials from that profile (as discussed in the Profile Configuration section of the NETunnelProviderManager Reference). Many VPN apps don’t need this facility.
Opening a DTS tech support incident (TSI) will consume a TSI asset. However, as this is not a technical issue but an administrative one, we’ll assign a replacement TSI asset back to your account.
If you were previously granted the Network Extension managed capability (via the process in place before Nov 2016), make sure you mention that; restoring your access to the com.apple.managed.vpn.shared keychain access group should be straightforward in that case.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Revision History
2025-09-12 Adopted the code-level support request terminology. Made other minor editorial changes.
2023-01-11 Added a discussion of Network Extension app push providers. Added a link to Exporting a Developer ID Network Extension. Added a link to TN3134. Made significant editorial changes.
2020-02-27 Fixed the formatting. Updated FAQ#3. Made minor editorial changes.
2020-02-16 Updated FAQ#8 to account for recent changes. Updated FAQ#3 to account for recent Xcode changes. Made other editorial changes.
2016-01-25 Added FAQ#9.
2016-01-6 Added FAQ#8.
2016-11-11 Added FAQ#5, FAQ#6 and FAQ#7.
2016-11-11 First posted.
Please ask Apple to provide an interface for sending follow-ups like Samsung's WiFi Aware.