Description:
I'm encountering an SSL error (error code: -1200) when trying to establish a secure connection in my app. This issue only occurs when the network signal is low on Airtel. The connection works fine on a normal network signal.
Here are the details:
Device: iPhone 11
iOS Version: 17.2.1
Network Provider: Airtel
Error Message: An SSL error has occurred and a secure connection to the server cannot be made. Error code: -1200
I tried different network settings and observed the issue only on a low network signal.
Any insights or suggestions to resolve this issue would be greatly appreciated. Thank you!
Network
Network connections send and receive data using transport and security protocols.
We are using the Network framework to open TLS listener on the network and set options this way:
configure_tls = ^(nw_protocol_options_t tls_options) {
    sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
    sec_identity_t sec_identity = sec_identity_create(identity);   // identity is a SecIdentityRef
    sec_protocol_options_set_local_identity(sec_options, sec_identity);
    sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
    sec_options = nil;
};
This works fine; however, the listener's TLS negotiation only returns the certificate, not the trust chain. We have a requirement from a government agency to return the trust chain:
"In addition to the certificate itself, you should provide a “chain” of intermediate certificates that give the connecting browser or client enough information to connect the certificate to a trusted root certificate.
Failing to provide intermediates could prevent various browsers and clients from successfully connecting to your service, especially mobile browsers and non-browser clients (such as cURL, and tools based on libcurl).
Some browsers will cache intermediates from a previous connection or attempt to automatically download missing intermediates that are presented in a certificate’s Authority Information Access (https://tools.ietf.org/html/rfc5280#section-4.2.2.1) extension, and so it can be easy to miss this problem during initial configuration. Though most browsers have an option to inspect the certificates on a site, they vary in whether they show the exact certificates the server presented or a chain as reconstructed through the fetching of an intermediate listed in the AIA extension.
In general:
You do not need to serve the trusted root that the certificate chains to. The client will compare the chain to a local root store, so serving the root will only waste bytes and slow the connection.
You do need to serve any intermediate certificates that connect your web server certificate to the trusted root. Doing so removes the potential for problems caused by the variation in how clients facilitate trust verification."
Is there a way to provide the chain of trust in the TLS options? I could not find any way to do this.
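One way to get the intermediates onto the wire, as an added example (not the poster's code and not Apple sample code): build the identity with `sec_identity_create_with_certificates` instead of `sec_identity_create`, passing the certificates that should accompany the leaf. The example assumes the server material arrives as a PKCS#12 blob (`p12Data`, `password` are placeholders); it drops any self-signed root from the imported chain, since clients compare against their own root store.

```swift
import Foundation
import Network
import Security

// Added example, not the poster's code. `p12Data` and `password` stand in for
// however the real deployment loads its server credential.

enum ChainError: Error {
    case importFailed(OSStatus)
    case identityUnavailable
}

/// Import a PKCS#12 and return an identity that also carries the certificates
/// to present with it: the chain as imported (leaf first, then intermediates),
/// minus the self-signed root if the bundle happens to include one.
func loadIdentityWithChain(p12Data: Data, password: String) throws -> sec_identity_t {
    var rawItems: CFArray?
    let options = [kSecImportExportPassphrase as String: password] as CFDictionary
    let status = SecPKCS12Import(p12Data as CFData, options, &rawItems)
    guard status == errSecSuccess,
          let item = (rawItems as? [[String: Any]])?.first,
          let identityObject = item[kSecImportItemIdentity as String] else {
        throw ChainError.importFailed(status)
    }
    let identity = identityObject as! SecIdentity
    let chain = item[kSecImportItemCertChain as String] as? [SecCertificate] ?? []

    // A certificate whose normalized issuer equals its own subject is a root:
    // serving it only wastes bytes, as the quoted guidance says.
    let presented = chain.filter { cert in
        let subject = SecCertificateCopyNormalizedSubjectSequence(cert) as Data?
        let issuer = SecCertificateCopyNormalizedIssuerSequence(cert) as Data?
        return subject != issuer
    }

    guard let secIdentity = sec_identity_create_with_certificates(identity, presented as CFArray) else {
        throw ChainError.identityUnavailable
    }
    return secIdentity
}

/// Listener configured as in the post (TLS 1.2 floor), but with the
/// chain-bearing identity as the local identity.
func makeTLSListener(identity: sec_identity_t, port: NWEndpoint.Port) throws -> NWListener {
    let tls = NWProtocolTLS.Options()
    let secOptions = tls.securityProtocolOptions
    sec_protocol_options_set_local_identity(secOptions, identity)
    sec_protocol_options_set_min_tls_protocol_version(secOptions, .TLSv12)
    return try NWListener(using: NWParameters(tls: tls), on: port)
}
```

Check what is actually sent rather than trusting the configuration: `openssl s_client -connect host:port -showcerts </dev/null | grep -c 'BEGIN CERTIFICATE'` should equal leaf plus intermediates. If the leaf shows up twice, pass only the intermediates in the array; if the count is one, the array was ignored and the identity was built without it.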
We have an implementation in which we use QUIC via a connection group; server and client are in Swift using the Network framework.
Our use case is that the server should send data buffers to the client as fast and as much as possible. Now, the pace at which the send method is called from the server should be chosen carefully, because if we send too much data the client is of course not going to be able to receive it.
The question would be: is there a way to query the congestion window so that we know on the server side how much data we should be able to send at some point? Asking because we are not getting all the data we are sending from the server on our client side...
We are using these settings:
let options = NWProtocolQUIC.Options(alpn: ["h3"])
options.direction = .bidirectional
//
options.idleTimeout = 86_400_000
options.maxUDPPayloadSize = Int.max
options.initialMaxData = Int.max
options.initialMaxStreamDataBidirectionalLocal = Int.max
options.initialMaxStreamDataBidirectionalRemote = Int.max
options.initialMaxStreamDataUnidirectional = Int.max
options.initialMaxStreamsBidirectional = 400
options.initialMaxStreamsUnidirectional = 400
Questions:
1.- Can we get a little more detail on the above options, specifically on their impact on the actual connection?
2.- Is initialMaxData the actual congestion window value?
3.- Are we missing something or making incorrect assumptions?
Thanks in advance.
I developed an iOS app that needs to visit a local URL. It can visit the URL on an iPhone 13 (iOS 15.4) and an iPhone 14 Plus (iOS 16.5.1), but it cannot visit the same URL on an iPhone 6s (iOS 15.8.1).
The error message is 'NSURLErrorDomain Code=-1009'.
1). The URL can be visited by Safari on the iPhone 6s, so the network of the iPhone 6s is fine.
2). Local Network has been enabled in the app's settings.
3). I notice that in iPhone Settings -> WLAN -> Apps Using WLAN & Cellular, my app's information can be found on the iPhone 13 and iPhone 14 Plus, but cannot be found on the iPhone 6s.
How should I troubleshoot this issue? Thank you!
Following is the full error message.
2024-02-08 17:49:39.706240+0800 AstroeyeWiFi[1186:114419] Task .<8> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x280715c20 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorNWPathKey=unsatisfied (Denied over Wi-Fi interface), interface: en0, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<8>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask .<8>"
), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=http://192.168.0.1:50628/form/getDeviceId, NSErrorFailingURLKey=http://192.168.0.1:50628/form/getDeviceId, _kCFStreamErrorDomainKey=1}
[DNO][getDeviceSysId][Error] underlying(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x280715c20 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorNWPathKey=unsatisfied (Denied over Wi-Fi interface), interface: en0, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask .<8>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask .<8>"
), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=http://192.168.0.1:50628/form/getDeviceId, NSErrorFailingURLKey=http://192.168.0.1:50628/form/getDeviceId, _kCFStreamErrorDomainKey=1}), nil)
I want to extend an existing macOS app distributed through the Mac App Store with the capability to track the Wi-Fi's noise and signal strength along with the SSID it is connected to over time.
Using CWWiFiClient.shared().interface(), I can get noiseMeasurement() and rssiValue() fine, but ssid() always returns nil.
I am assuming this is a privacy issue (?).
Are there specific entitlements I can request or ways to prompt the user to grant the app privilege to access the SSID values?
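Added example, not the poster's code: on macOS 14 and later CoreWLAN returns nil for the SSID unless the process has been granted Location Services access (the SSID is treated as location-revealing data), while RSSI and noise stay readable. The example requests that authorization through CLLocationManager before sampling. It assumes the target has `NSLocationUsageDescription` in its Info.plist and, for a sandboxed Mac App Store build, the `com.apple.security.personal-information.location` entitlement; without those the prompt never appears.

```swift
import CoreLocation
import CoreWLAN

// Added example, not the poster's code. Assumes NSLocationUsageDescription in
// Info.plist and the com.apple.security.personal-information.location
// entitlement for a sandboxed build.

struct WiFiSample {
    let ssid: String?   // nil until location access is granted
    let rssi: Int
    let noise: Int
    let date = Date()
}

final class WiFiSampler: NSObject, CLLocationManagerDelegate {
    private let location = CLLocationManager()
    private let client = CWWiFiClient.shared()
    private var onSample: ((WiFiSample) -> Void)?

    /// Ask for location access if needed, then deliver samples to `handler`.
    func start(_ handler: @escaping (WiFiSample) -> Void) {
        onSample = handler
        location.delegate = self
        switch location.authorizationStatus {
        case .notDetermined:
            location.requestWhenInUseAuthorization()   // shows the system prompt
        case .denied, .restricted:
            NSLog("Location access denied: CoreWLAN will report a nil SSID")
        default:
            sample()   // any granted state
        }
    }

    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        let status = manager.authorizationStatus
        if status != .notDetermined && status != .denied && status != .restricted {
            sample()
        }
    }

    /// Read the current interface; RSSI and noise are available regardless,
    /// the SSID only once location authorization has been granted.
    func sample() {
        guard let iface = client.interface() else { return }
        onSample?(WiFiSample(ssid: iface.ssid(),
                             rssi: iface.rssiValue(),
                             noise: iface.noiseMeasurement()))
    }
}
```

Call `sample()` from a timer to build the over-time record; if the SSID is still nil after the prompt was accepted, check that Location Services is enabled system-wide in System Settings, which CoreWLAN also requires.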
In some cases the user connects to a WiFi network that doesn't have internet access. The OS itself is able to display a warning in System Settings:
However, in my app NWPathMonitor reports that the WiFi path is satisfied.
How could I detect that the internet access is not working while WiFi is connected?
I could try to connect to my own servers and report failures to the user, but it takes a long time to receive the timeout error. I cannot reduce the timeout, because maybe the user is on a very slow network and a long loading time might be expected. But iOS can detect that there is no internet within a few seconds and display a warning, so I wonder how Apple implements it in System Settings and whether there is something I can implement in my app.
I am using NWConnection to force some requests to go through cellular data. Everything works fine, except that I keep calling connection.receive and don't know when the transfer is complete.
// Setting up the connection:
let tcpOptions = NWProtocolTCP.Options()
let parameters = NWParameters(tls: .init(), tcp: tcpOptions)
parameters.requiredInterfaceType = .cellular
port = port ?? NWEndpoint.Port(443)
// ...
NWConnection(to: .hostPort(host: NWEndpoint.Host(host), port: port), using: parameters)

// Receiving data once the connection is ready
func receive(withConnection connection: NWConnection, completion: @escaping dataCompletion) {
    connection.receive(minimumIncompleteLength: 1, maximumLength: Int.max) { [self] data, contentContext, isComplete, error in
        if let data = data {
            receivedData.append(data)
            print(contentContext)
            if isComplete || error != nil || connection.state != .ready {
                cancelConnection(connection)
            } else {
                // Keep reading until the peer signals completion
                processor?.receive(withConnection: connection, completion: completion)
            }
        } else {
            cancelConnection(connection)
        }
    }
}
```
I am consuming regular HTTP endpoints. The data in receive comes in chunks but isComplete parameter never becomes true, so I don't know when to stop and send the complete receivedData back.
I've thought of adding a timeout, but it seems kind of hacky. Is there a better solution?
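Added example, not the poster's code: `isComplete` only turns true when the peer closes its side of the TCP connection, and a keep-alive HTTP server does not do that after one response, so the end of the message has to come from the HTTP/1.1 framing itself (Content-Length, chunked transfer coding, or the bodyless status codes). The framer below tracks exactly that while bytes arrive, and refuses conflicting framing instead of guessing, since ambiguous Content-Length/Transfer-Encoding combinations are the classic desync vector. Names such as `HTTPResponseFramer` and `receiveResponse` are this example's own.

```swift
import Foundation
import Network

// Added example, not the poster's code.

enum Framing {
    case incomplete   // keep calling receive
    case complete     // the whole response is in `buffer`
    case malformed    // conflicting or unparsable framing: abort, do not guess
}

struct HTTPResponseFramer {
    private(set) var buffer = Data()
    private var headerEnd: Int?
    private var contentLength: Int?
    private var chunked = false
    private var bodyless = false
    private var malformed = false

    /// Feed freshly received bytes and report the framing state.
    mutating func append(_ data: Data) -> Framing {
        buffer.append(data)
        if headerEnd == nil { parseHeadersIfPresent() }
        guard let headerEnd = headerEnd else { return .incomplete }
        if malformed { return .malformed }
        if bodyless { return .complete }
        // RFC 7230 3.3.3: Transfer-Encoding takes precedence over Content-Length.
        if chunked { return chunkedBodyState(from: headerEnd) }
        if let contentLength = contentLength {
            return buffer.count - headerEnd >= contentLength ? .complete : .incomplete
        }
        return .incomplete   // no framing at all: only the peer's FIN (isComplete) ends it
    }

    private mutating func parseHeadersIfPresent() {
        guard let blank = buffer.range(of: Data("\r\n\r\n".utf8)) else { return }
        headerEnd = blank.upperBound
        let head = String(decoding: buffer[..<blank.lowerBound], as: UTF8.self)
        let lines = head.components(separatedBy: "\r\n")
        // 1xx, 204 and 304 responses never carry a body.
        if let code = Int(lines.first?.split(separator: " ").dropFirst().first ?? ""),
           (100...199).contains(code) || code == 204 || code == 304 {
            bodyless = true
        }
        for line in lines.dropFirst() {
            guard let colon = line.firstIndex(of: ":") else { continue }
            let name = line[..<colon].trimmingCharacters(in: .whitespaces).lowercased()
            let value = line[line.index(after: colon)...].trimmingCharacters(in: .whitespaces)
            switch name {
            case "transfer-encoding":
                chunked = value.lowercased().hasSuffix("chunked")
            case "content-length":
                // Duplicate, conflicting or non-numeric lengths are refused outright.
                guard let n = Int(value), n >= 0, contentLength == nil || contentLength == n else {
                    malformed = true
                    continue
                }
                contentLength = n
            default:
                break
            }
        }
    }

    /// Walk the chunk-size lines; complete once the zero-size chunk and the
    /// blank line that follows any trailers have both arrived.
    private func chunkedBodyState(from start: Int) -> Framing {
        let crlf = Data("\r\n".utf8)
        var pos = start
        while true {
            guard let lineEnd = buffer.range(of: crlf, in: pos..<buffer.count) else { return .incomplete }
            let sizeField = String(decoding: buffer[pos..<lineEnd.lowerBound], as: UTF8.self)
            let sizeToken = sizeField.split(separator: ";", maxSplits: 1).first.map { String($0) } ?? ""
            guard let size = Int(sizeToken.trimmingCharacters(in: .whitespaces), radix: 16) else { return .malformed }
            pos = lineEnd.upperBound
            if size == 0 {
                return buffer.range(of: Data("\r\n\r\n".utf8), in: (pos - 2)..<buffer.count) != nil ? .complete : .incomplete
            }
            pos += size + 2   // chunk data plus its trailing CRLF
            if pos > buffer.count { return .incomplete }
        }
    }
}

/// Receive loop driven by the framer instead of by `isComplete`.
func receiveResponse(on connection: NWConnection, completion: @escaping (Result<Data, Error>) -> Void) {
    var framer = HTTPResponseFramer()
    func step() {
        connection.receive(minimumIncompleteLength: 1, maximumLength: 64 * 1024) { data, _, isComplete, error in
            if let error = error { completion(.failure(error)); return }
            switch framer.append(data ?? Data()) {
            case .complete: completion(.success(framer.buffer))
            case .malformed: completion(.failure(NWError.posix(.EBADMSG)))
            case .incomplete:
                // Peer closed the connection: that is the end for length-less responses.
                if isComplete { completion(.success(framer.buffer)) } else { step() }
            }
        }
    }
    step()
}
```

The returned buffer still contains the status line and headers; split at the first blank line if only the body is wanted. A timeout is still worth keeping as a backstop against a server that stalls mid-body, but it is no longer what decides when the response is complete.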
Hi. I'm trying to run tunnel_server from the https://github.com/networkextension/SimpleTunnel sample on macOS Sonoma. The delegate's method netServiceWillPublish is called, but neither netServiceDidPublish nor netService(didNotPublish) is.
Firewall is enabled, incoming connections to the tunnel_server app are allowed.
The app is not sandboxed and signed to run locally.
When running the app, Allow Connections prompt pops up which is allowed.
Looking into making requests using URLSession via a proxy, on watchOS, and found that in URLSessionConfiguration, there's a proxyConfigurations property.
However, since ProxyConfiguration is part of the Network framework, does it mean that the TN3135 low-level networking rules also apply in this case?
Hello,
I am curious about possibilities and implementing WiFi scanning functionality in iOS apps, in relation to the concept of Remote ID for unmanned aircraft systems (UAS). Remote ID refers to the ability to identify and locate UAS while they are flying, for example using a smartphone. UAS broadcast e.g. location, speed, the id of the operator, height, and other information. Information is encoded into Bluetooth or Wi-Fi advertisements.
I am developing an iOS application for the purpose of collecting data, called DroneScanner. It scans for nearby Remote ID packets transferred using Bluetooth and Wi-Fi. I was able to implement Bluetooth scans using the CoreBluetooth API, but I did not find a way to implement Wi-Fi scanning. It is crucial for our users to be able to use Wi-Fi scans because it is one of the methods in the Remote ID standard, and we also get negative reviews for missing it.
I would need to access a list of Wi-Fi points that are visible from the device and also the raw content of the advertisements so I can parse them into Remote ID packets. I am also interested in understanding any limitations or restrictions regarding access to WiFi network information, as well as any recommended approaches for adhering to Apple's guidelines and policies.
Do I need to enroll in any developer program? Would the NEHotspotHelper be useful in my use case?
Thanks
I am building a feature in my iOS app, and I need to get a list of nearby networks and the strength and frequency of each one.
How can I achieve this? Is there any public API I can use to achieve this?
Since my question exceeds 700 words, please check it in the attachment. Thank you!
Question
We have been observing an issue where, when binding a UDP socket to an ephemeral port (i.e. port 0), the OS ends up allocating a port which is already bound and in use. We have been seeing this issue across all macOS versions we have access to (10.x through the recently released 13.x).
Specifically, we (or some other process) create a udp4 socket bound to wildcard and ephemeral port. Then our program attempts a bind on a udp46 socket with ephemeral port. The OS binds this socket to an already in use port, for example you can see this netstat output when that happens:
netstat -anv -p udp | grep 51630
udp46 0 0 *.51630 *.* 786896 9216 89318 0 00000 00000000 00000000001546eb 00000000 00000800 1 0 000001
udp4 0 0 *.51630 *.* 786896 9216 89318 0 00000 00000000 0000000000153d9d 00000000 00000800 1 0 000001
51630 is the (OS allocated) port here, which as you can see has been allocated to 2 sockets. The process id in this case is the same (because we ran an explicit reproducer to reproduce this), but it isn't always the case.
We have a reproducer which consistently shows this behaviour. Before filing a Feedback Assistant issue, I wanted to check if this indeed appears to be an issue or if we are missing something here, since this appears to be a very basic thing.
If "send and receive" on iMessage has my Microsoft work email address, can my iMessage content be synced with Microsoft?
Because I recently logged into our big data system through an SSH client using my work email address, and on a console I saw one of my iMessage threads printed.
I reached out to Microsoft and their reply was to advise reaching out to Apple support, as their knowledge of iMessage is limited. Based on general knowledge about data protection, the messages are most likely not synced unless there is a setting that you can allow from my side.
PLEASE HELP ! This is a Mystery !!
Hi all,
Currently working on a SharePlay feature where users pull data from a remote source and are able to share it in a volumetric window with others in the FaceTime call. However, I am running into an issue where the group activity/session seems to throw an error on the recipient of the journal's attachment with the description notSupported.
As I understand it, we use GroupSessionJournal for larger pieces of data like images (like in the Drawing Together example) and in my case 3d models.
The current flow goes as follows:
User will launch the app and fetch a model from remote.
User can start a shareplay instance in which the system captures the volumetric window for users to join and see.
At this point, only the original user can see the model. The user can press a button to share this model with the other participants using
/// modelData is serialized `Data`
try await journal.add(modelData)
In the group session configuration, I already have a task listening for
for await attachments in journal.attachments {
for attachment in attachments { ... }
}
This task attempts to load data via the following code:
let modelData = try await attachment.load(Data.self) /// this is where the error is thrown: `notSupported`
I expect the attachment.load(Data.self) call to properly deliver the model data, but instead I am receiving this error.
I have also attempted to wrap the model data within an enclosing struct that has a name and data property and conform the enclosing struct to Transferable but that continued to throw the notSupported error.
Is there something I'm doing wrong or is this simply a bug in the GroupSessionJournal? Please let me know if more information is required for debugging and resolution.
Thanks!
After downloading the TestFlight app, an iPhone 15 Pro Max on 17.5.1 cannot use the multicast function, but it can be used normally after restarting the phone. There will be problems with reinstalling and restarting the app. But there are no issues with other phones or system versions. May I ask if this is a defect in the 17.5.1 system?
Hi! I have been working on one idea for a while but can't figure out the proper way to do it. My app includes Content Filter and DNSProxy providers for filtering logic. For the NEFilterSocketFlow everything works well, because the connection is first handled by the DNSProxy, and if it's blocked, NEFilterDataProvider returns the datagrams that I wrote from the DNSProxy (I return NXDOMAIN). However, for NEFilterBrowserFlow it doesn't work, because WebKit-generated flows are for some reason intercepted by the Content Filter first, and at the time the flow is checked for rules there are none yet, as the DNSProxy hasn't handled the connection yet.
So the app returns the following behaviour:
In case the requested domain is not filtered by DNSProxy, the user is able to visit requested page, but if it's filtered, the flow just freezes and the page will never load for user. But I wanted to add proper handling and display block page.
In case I am using some third-party apps for testing like ICS Dig, filtered domains return nxdomain properly.
Not sure if there's a way to achieve desired result, but would be very grateful for any suggestions
Hello, I have a local WebSocket server running inside an iOS app on iOS 13+. I'm using Swift NIO Transport Services for the server. I'm using NWProtocolTLS.Options from the Network framework to specify TLS options for my server. I am providing my server as an XCFramework and want to let users specify different parameters when launching the server. For specifying the supported TLS versions, everything is working fine by using:
public func sec_protocol_options_set_max_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
public func sec_protocol_options_set_min_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
But I also want to be able to specify some cipher suites. I saw that I can use:
public func sec_protocol_options_append_tls_ciphersuite(_ options: sec_protocol_options_t, _ ciphersuite: tls_ciphersuite_t)
But it seems that some cipher suites are enabled by default and I can't restrict the cipher suites to just the ones I want; I can only append others. The NWProtocolTLS.Options class has an init() function which states "Initializes a default set of TLS connection options" in Apple's documentation.
So my question is: is there a way to know what TLS parameters this initialization sets? Especially the list of cipher suites enabled by default? I can't find any information about it in my research. I used a tool to test the handshake with my server to discover the cipher suites supported and enabled by default, but I don't think it is a good way to be sure about this information. And is there a way to specify only the cipher suites I want to be supported by my server using NWProtocolTLS.Options?
Thank you in advance,
Christophe
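Added example, not the poster's code: since the default suite list is not documented, the reliable check is to record what each accepted connection actually negotiated, using the TLS metadata the Network framework exposes once a connection is ready. The example also shows the one lever that does narrow the set without knowing the defaults: a TLS 1.3 floor, because TLS 1.3 defines only AEAD suites (the three named in the table). `negotiatedTLS` and `makeAuditedListener` are this example's own names; the listener wiring assumes a `sec_identity_t` built elsewhere.

```swift
import Foundation
import Network

// Added example, not the poster's code. Suite names cover the TLS 1.3 suites
// (IANA values); anything else is shown as its raw code.

struct NegotiatedTLS {
    let version: tls_protocol_version_t
    let suite: tls_ciphersuite_t

    var suiteName: String {
        switch suite.rawValue {
        case 0x1301: return "TLS_AES_128_GCM_SHA256"
        case 0x1302: return "TLS_AES_256_GCM_SHA384"
        case 0x1303: return "TLS_CHACHA20_POLY1305_SHA256"
        default: return String(format: "0x%04x", suite.rawValue)
        }
    }
}

/// What the handshake on `connection` actually agreed on; nil before `.ready`
/// or when the connection carries no TLS protocol.
func negotiatedTLS(on connection: NWConnection) -> NegotiatedTLS? {
    guard let meta = connection.metadata(definition: NWProtocolTLS.definition) as? NWProtocolTLS.Metadata else {
        return nil
    }
    let sec = meta.securityProtocolMetadata
    return NegotiatedTLS(version: sec_protocol_metadata_get_negotiated_tls_protocol_version(sec),
                         suite: sec_protocol_metadata_get_negotiated_tls_ciphersuite(sec))
}

/// Listener with TLS 1.3 as the floor and a per-connection audit line.
/// Raising the minimum version removes every pre-1.3 suite from the default
/// set regardless of what that set contains.
func makeAuditedListener(identity: sec_identity_t, port: NWEndpoint.Port, queue: DispatchQueue) throws -> NWListener {
    let tls = NWProtocolTLS.Options()
    sec_protocol_options_set_local_identity(tls.securityProtocolOptions, identity)
    sec_protocol_options_set_min_tls_protocol_version(tls.securityProtocolOptions, .TLSv13)

    let listener = try NWListener(using: NWParameters(tls: tls), on: port)
    listener.newConnectionHandler = { connection in
        connection.stateUpdateHandler = { state in
            if case .ready = state, let tls = negotiatedTLS(on: connection) {
                print("client \(connection.endpoint) negotiated version=\(tls.version.rawValue) suite=\(tls.suiteName)")
            }
        }
        connection.start(queue: queue)
    }
    listener.start(queue: queue)
    return listener
}
```

For the full offered list rather than what one client picked, probe the server from outside with `nmap --script ssl-enum-ciphers -p <port> <host>` or `openssl s_client -connect host:port -tls1_2 -cipher <suite>` per suite; the audit line then confirms which of those a real client ends up on. If TLS 1.2 must stay enabled for old clients, the audit log is what shows whether any of them actually rely on the suites you would rather not offer.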
$ tccutil reset All
This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission.
OS: macOS 15.0
Since the release of macOS 14.0, we have encountered issues with the Content Filtering MDM Payload. This problem is unusual but can be resolved by restarting the system.
Prerequisites:
macOS 14 or higher
Any Mac with an Apple silicon (ARM) processor
Restrictions Payload and Parental Content Filtering Payload must be installed on the device, either manually or through any MDM service
Issue Details:
When the Parental Content Filtering Payload is removed after installation, it causes internet issues, and browsers display "The site can't be reached".
This affects applications as well, with Safari being the only application that continues to work.
The issue can be resolved by either re-adding the Content Filtering Payload or restarting the Mac.
Links:
Restriction Payload: https://drive.google.com/file/d/1buwLFgbjTRXij9ZSv1QrDeRnWbFfKNtq/view?usp=drive_link
Content Filtering Payload: https://drive.google.com/file/d/1eAJiBg4N__dML65MRDH7hYCocuTqOCcu/view?usp=drive_link
System Logs: https://drive.google.com/drive/folders/1hKKNAoMn_4x1CqMTxz1bPrUucCbftjO9?usp=drive_link
Screen Recording: https://drive.google.com/file/d/1uS8CJqe9p9DG9XzhUnIsY35eme4Dxs60/view?usp=drive_link