Reputation: 22252
How to create iOS NWConnection for TLS with self signed cert?
I'm trying to use Apple's new NWConnection class for my MQTT client. For testing, I need to be able to create a TLS connection to my local test broker, which has a self signed cert.
So far, I'm just setting up the connection using:
self.connection = NWConnection(host: NWEndpoint.Host("172.16.202.172"), port: NWEndpoint.Port(integerLiteral: 8899), using: .tls)
But when I connect, I get the following spewage on my console:
2019-01-30 17:05:51.010580-0800 myAp[2591:608137] [] nw_socket_handle_socket_event [C4.1:1] Socket SO_ERROR [54: Connection reset by peer]
2019-01-30 17:05:57.939157-0800 myApp[2591:608135] [BoringSSL] boringssl_context_alert_callback_handler(3724) [C5:1][0x103e087d0] Alert level: fatal, description: certificate unknown
2019-01-30 17:05:57.939382-0800 myApp[2591:608135] [BoringSSL] boringssl_context_error_print(3676) boringssl ctx 0x282226af0: 4360838776:error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:/BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.230.1/ssl/handshake.cc:360:
2019-01-30 17:05:57.939510-0800 myApp[2591:608135] [BoringSSL] boringssl_context_get_error_code(3560) [C5:1][0x103e087d0] SSL_AD_CERTIFICATE_UNKNOWN
In the past, when I've used URLSession.shared.dataTask to download a file from an nginx https server, I've added the following to my info.plist
<dict>
<key>App Transport Security Settings</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>172.16.202.172</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionsAllowsInsecureHTTPSLoads</key>
<true/>
</dict>
</dict>
</dict>
</dict>
But that doesn't seem to have done the trick in this case. When I click on Apple's documentation links for things like NWParameter to pass in place of the stock .tls, thinking I could tune the xls settings, there's just no info in the Apple docs.
So what is the right way to create a NWConnection for TLS communication using self signed certs?
Upvotes: 3
Views: 3060
Answers (1)
Reputation: 22252
I am not sure if this is the complete/best answer, but I found this approach on the Apple Developer forums:
func createTLSParameters(allowInsecure: Bool, queue: DispatchQueue) -> NWParameters {
let options = NWProtocolTLS.Options()
sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in
let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()
var error: CFError?
if SecTrustEvaluateWithError(trust, &error) {
sec_protocol_verify_complete(true)
} else {
if allowInsecure == true {
sec_protocol_verify_complete(true)
} else {
sec_protocol_verify_complete(false)
}
}
}, queue)
return NWParameters(tls: options)
}
self.workQueue = DispatchQueue(label: "mqtt")
self.connection = NWConnection(
host: NWEndpoint.Host("172.16.202.172"),
port: NWEndpoint.Port(integerLiteral: 8899),
using: createTLSParameters(allowInsecure: true, queue: self.workQueue))
Using this technique, I didn't need the info.plist change at all.
There's some indication on said forum that it is preferrable to pull the self signed cert into your iOS box somehow.
Upvotes: 2
Related Questions
- NWConnection using TLS fails in Swift
- NSURLSession + server with self signed cert
- Use a self-signed ssl certificate in an iphone app
- How to use NSURLConnection to connect with SSL for an untrusted cert?
- Https iOS with self signed certificate
- Create SSL connection using certificate
- iOS and SSL: Unable to validate self-signed server certificate
- Handling self signed certificates with NSURLConnection
- In iOS, how to connect to a server using https with self-signed certificate on the server?
- How can I accept self-signed server certificates from a whitelist in iOS?