Reply to Can't establish mTLS on iOS with WKWebView and ProxyConfiguration
Hi! As requested, I tried to implement the same scenario with NSURLSession. It also does not work. As soon as I enable the HTTPS proxy, I receive neither didReceiveChallenge calls nor the completion handler. Without the proxy configuration I receive didReceiveChallenge and I can continue.

```objc
NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];

// Route both HTTP and HTTPS traffic through the same proxy host and port.
NSDictionary *proxyDict = @{
    (NSString *)kCFNetworkProxiesHTTPEnable: @YES,
    (NSString *)kCFNetworkProxiesHTTPProxy : GetHost(),
    (NSString *)kCFNetworkProxiesHTTPPort : GetPort(),
    @"HTTPSEnable" : @YES,
    @"HTTPSProxy": GetHost(),
    @"HTTPSPort": GetPort(),
};
config.connectionProxyDictionary = proxyDict;

NSURLSession *session = [NSURLSession sessionWithConfiguration:config
                                                      delegate:self
                                                 delegateQueue:[NSOperationQueue mainQueue]];
NSURLRequest *request1 = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://api.ipify.org"]];
NSURLSessionDataTask *task = [session dataTaskWithRequest:request1 completionHandler:
    ^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error) {
            NSLog(@"Failed === Response:%@ %@\n", response, error);
            return; // data is nil on failure, so do not try to decode it
        }
        NSString *newStr = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
        NSLog(@"%@", newStr);
    }];
[task resume];
```

Delegates:

```objc
// Session-level challenge (for example, server trust).
- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential * _Nullable))completionHandler {
    NSLog(@"%s", __func__);
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}

// Task-level challenge.
- (void)URLSession:(NSURLSession *)session
                   task:(NSURLSessionTask *)task
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (NS_SWIFT_SENDABLE ^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler {
    NSLog(@"%s", __func__);
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
```

I also had a look at the proxy configuration, and I believe that we should use relays as @auorion posted. The documentation for the http_connect proxy says: "Creates a legacy HTTP CONNECT proxy configuration for a proxy server accessible using HTTP/1.1. This proxy will only relay TCP connections." In our case we use an HTTP/2 CONNECT proxy. Still, in both cases I am not receiving any challenge calls, just a direct didFailProvisionalNavigation call with an Error Domain=NSURLErrorDomain Code=-1202 error.
Topic: Safari & Web SubTopic: General Tags:
Sep ’24
Reply to Can't establish mTLS on iOS with WKWebView and ProxyConfiguration
Ok, I tested this with the new API and it seems to be working fine. I received callbacks in the sec_protocol_options_set_challenge_block and sec_protocol_options_set_verify_block blocks, and later received a proper error (as I did not provide a certificate). So for NSURLSession the code seems to work. The same configuration for WKWebkit fails.

Log:

```
Inside of challenge block
Inside of challenge block
boringssl_context_handle_fatal_alert(2072) [C1.1.1.1.1.1:2][0x107006120] read alert, level: fatal, description: certificate required
[C1.1.1.1:3] Connection disconnected from api.ipify.org:443 without a reply
[C1.1.1.1:3] Cannot report error 1200, no proxy agent
boringssl_session_handshake_error_print(44) [C1.1.1.1.1.1:2][0x107006120] Error: 4361061696:error:1000045c:SSL routines:OPENSSL_internal:TLSV1_CERTIFICATE_REQUIRED:/Library/Caches/com.apple.xbs/Sources/boringssl_Sim/ssl/tls_record.cc:592:SSL alert number 116
Connection 1: received failure notification
Connection 1: failed to connect 3:-9829, reason -1
Connection 1: encountered error(3:-9829)
Task <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1> HTTP load failed, 0/0 bytes (error code: -1206 [3:-9829])
Task <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1> finished with error [-1206] Error Domain=NSURLErrorDomain Code=-1206 "The server “api.ipify.org” requires a client certificate." UserInfo={_kCFStreamErrorCodeKey=-9829, NSUnderlyingError=0x600000c705a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1206 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9829, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9829, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1>" ), NSLocalizedDescription=The server “api.ipify.org” requires a client certificate., NSErrorFailingURLStringKey=https://api.ipify.org/, NSErrorFailingURLKey=https://api.ipify.org/, _kCFStreamErrorDomainKey=3}
Failed === Response:(null) Error Domain=NSURLErrorDomain Code=-1206 "The server “api.ipify.org” requires a client certificate." UserInfo={_kCFStreamErrorCodeKey=-9829, NSUnderlyingError=0x600000c705a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1206 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9829, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9829, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <38AFAEA1-DE06-4D54-8F8F-7BEC9C2931E0>.<1>" ), NSLocalizedDescription=The server “api.ipify.org” requires a client certificate., NSErrorFailingURLStringKey=https://api.ipify.org/, NSErrorFailingURLKey=https://api.ipify.org/, _kCFStreamErrorDomainKey=3}
```
Topic: Safari & Web SubTopic: General Tags:
Sep ’24
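An added example, not code from the poster or from Apple: one way the challenge and verify blocks named in the reply above can be attached to a proxy's TLS options so that a client identity is actually returned, which is the step whose absence produces the -1206 error in the log. The helper name `MakeProxiedSession` and its parameters are hypothetical, and it assumes the proxy is the peer requesting the certificate, ARC is enabled, and the caller has already loaded a `SecIdentityRef` (for example from the keychain).

```objc
#import <Foundation/Foundation.h>
#import <Network/Network.h>
#import <Security/Security.h>

// Hypothetical helper (illustration only): builds an ephemeral NSURLSession that
// tunnels through an HTTPS CONNECT proxy and answers the proxy's certificate request.
API_AVAILABLE(ios(17.0), macos(14.0))
static NSURLSession *MakeProxiedSession(NSString *proxyHost, NSString *proxyPort,
                                        SecIdentityRef clientIdentity,
                                        id<NSURLSessionDelegate> delegate)
{
    // TLS options that apply to the connection between the app and the proxy.
    nw_protocol_options_t tls = nw_tls_create_options();
    sec_protocol_options_t sec = nw_tls_copy_sec_protocol_options(tls);
    dispatch_queue_t queue = dispatch_get_main_queue();

    // Wrap the caller's identity; nil means "continue without a certificate",
    // which a proxy that requires one rejects with the certificate_required alert.
    sec_identity_t identity = clientIdentity ? sec_identity_create(clientIdentity) : nil;
    sec_protocol_options_set_challenge_block(sec,
        ^(sec_protocol_metadata_t metadata, sec_protocol_challenge_complete_t complete) {
            NSLog(@"Inside of challenge block");
            complete(identity);
        }, queue);

    // Keep server authentication strict: run the platform's default trust evaluation
    // on the proxy's certificate chain instead of accepting it unconditionally.
    sec_protocol_options_set_verify_block(sec,
        ^(sec_protocol_metadata_t metadata, sec_trust_t trustRef,
          sec_protocol_verify_complete_t complete) {
            SecTrustRef trust = sec_trust_copy_ref(trustRef);
            CFErrorRef error = NULL;
            bool trusted = SecTrustEvaluateWithError(trust, &error);
            if (error) { CFRelease(error); }
            CFRelease(trust);
            complete(trusted);
        }, queue);

    nw_endpoint_t endpoint = nw_endpoint_create_host(proxyHost.UTF8String, proxyPort.UTF8String);
    nw_proxy_config_t proxy = nw_proxy_config_create_http_connect(endpoint, tls);

    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];
    config.proxyConfigurations = @[ proxy ];
    return [NSURLSession sessionWithConfiguration:config delegate:delegate delegateQueue:nil];
}
```

Passing `NULL` for `clientIdentity` corresponds to the case in the log above, where the handshake ends with the certificate-required alert because no identity was returned from the challenge block.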