TLS For Accessory Developers: does it work for non-local network?

I'm following the approach in https://developer.apple.com/forums/thread/703234 section "Doing Even Better: Proper Security".

My question is: does it work if the accessory is not on the local network (i.e. out on the Internet with an IP address)?

I tried it: SecTrustEvaluateWithError(trust, nil) returns true, but TLS still fails:

ATS failed system trust
Connection 1: system TLS Trust evaluation failed(-9802)

<snip>

Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,

Here is my code:

    // Inside the URLSessionDelegate server-trust challenge handler:
    // `trust` is challenge.protectionSpace.serverTrust and `self.myCA` is the
    // accessory CA as a SecCertificate.

    // Replace the default SSL policy with basic X.509 (no hostname check).
    var err = SecTrustSetPolicies(trust, SecPolicyCreateBasicX509())
    os_log("SecTrustSetPolicies returns %d", err)
    // Anchor the chain to myCA only, ignoring the system roots.
    err = SecTrustSetAnchorCertificates(trust, [self.myCA] as CFArray)
    os_log("SecTrustSetAnchorCertificates returns %d", err)
    err = SecTrustSetAnchorCertificatesOnly(trust, true)
    os_log("SecTrustSetAnchorCertificatesOnly returns %d", err)

    // check the trust object
    let evalResult = SecTrustEvaluateWithError(trust, nil)
    os_log("SecTrust eval result: %{BOOL}d", evalResult)

    // create a credential with accepted server trust.
    let credential = URLCredential(trust: trust)
    completionHandler(.useCredential, credential)

the logs are:

SecTrustSetPolicies returns 0
SecTrustSetAnchorCertificates returns 0
SecTrustSetAnchorCertificatesOnly returns 0
SecTrust eval result: true

Did I do anything wrong? Or is it not supported outside the local network?

Thanks.

Answered by DTS Engineer in 785038022

does it work if the accessory is not in the local network (i.e. out there on the Internet with an IP address) ?

Sure. There’s nothing specific to the local network about that technique.

One thing to be careful of here is ATS, which has different options for disabling it locally versus non-locally. And this log message:

ATS failed system trust

suggests that you do indeed have an ATS issue.

can I opt to connect to the server anyway programmatically?

Yes. But you need to disable ATS and you need to override the default server trust evaluation done by URLSession.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Another question I have is: based on NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway? , can I opt to connect to the server anyway programmatically?
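The following is an added example, not code from the original post or from Apple's thread, showing the two steps the DTS answer names: an ATS exception for the accessory's host, and a URLSession delegate that overrides server trust so that only certificates issued by the private accessory CA are accepted. The host name accessory.example.com, the log subsystem, and the bundled CA file name AccessoryCA.cer are assumptions for the example; substitute your own. Unlike the original post, it keeps the SSL policy (with the hostname) instead of switching to basic X.509, and it fails closed when evaluation does not pass.

```swift
import Foundation
import Security
import os

/*
 ATS exception to add to Info.plist for the accessory's host (host name is an
 assumption). NSExceptionAllowsInsecureHTTPLoads is the per-domain key that also
 permits a custom server-trust override under ATS. For an accessory that is only
 reachable on the local network, NSAllowsLocalNetworking (directly under
 NSAppTransportSecurity) is the alternative; NSAllowsArbitraryLoads switches ATS
 off for every host and is a last resort.

 <key>NSAppTransportSecurity</key>
 <dict>
     <key>NSExceptionDomains</key>
     <dict>
         <key>accessory.example.com</key>
         <dict>
             <key>NSExceptionAllowsInsecureHTTPLoads</key>
             <true/>
         </dict>
     </dict>
 </dict>
 */

/// URLSession delegate that accepts a server certificate only if its chain
/// anchors to the private accessory CA and the leaf matches the requested host.
final class AccessoryTrustDelegate: NSObject, URLSessionDelegate {
    private let accessoryCA: SecCertificate
    // Subsystem name is an assumption for the example.
    private let logger = Logger(subsystem: "com.example.accessory", category: "tls")

    init(accessoryCA: SecCertificate) {
        self.accessoryCA = accessoryCA
    }

    /// Returns true when `trust` chains to the accessory CA and satisfies the
    /// SSL server policy for `host`; logs the reason on failure.
    func evaluate(trust: SecTrust, host: String) -> Bool {
        // Keep the SSL server policy so the hostname (and server EKU) are still
        // checked. SecPolicyCreateBasicX509() would silently drop that check.
        guard SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString)) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, [accessoryCA] as CFArray) == errSecSuccess,
              // Do not fall back to the system roots: only our CA may issue accessory certs.
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            return false
        }
        var error: CFError?
        let ok = SecTrustEvaluateWithError(trust, &error)
        if !ok {
            // Passing nil for the error (as in the original post) hides this reason.
            logger.error("Accessory trust evaluation failed: \(String(describing: error), privacy: .public)")
        }
        return ok
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            // Not a server-trust challenge (client cert, HTTP auth, ...): default handling.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if evaluate(trust: trust, host: space.host) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed. .performDefaultHandling would re-run system trust,
            // which a private-CA certificate fails anyway.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

/// Loads the DER-encoded accessory CA bundled with the app (file name is an assumption).
func loadAccessoryCA() -> SecCertificate? {
    guard let url = Bundle.main.url(forResource: "AccessoryCA", withExtension: "cer"),
          let data = try? Data(contentsOf: url) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

// Usage: let session = URLSession(configuration: .default,
//                                 delegate: AccessoryTrustDelegate(accessoryCA: loadAccessoryCA()!),
//                                 delegateQueue: nil)
```

The hostname handed to SecPolicyCreateSSL must match a subjectAltName in the accessory's certificate: a DNS name, or an iPAddress SAN when the accessory is reached by IP address as in the question. If the accessory certificates cannot carry a usable SAN, the original post's basic X.509 policy removes that check entirely, and the code should then compensate by comparing the leaf against the identity it expects rather than accepting any certificate the CA ever issued.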
