Recently, my application was having trouble sending udp messages after it was reinstalled. The cause of the problem was initially that I did not grant local network permissions when I reinstalled, I was aware of the problem, so udp worked fine after I granted permissions. However, the next time I repeat the previous operation, I also do not grant local network permissions, and then turn it back on in the Settings, and udp does not work properly (no messages can be sent, the system version and code have not changed). Fortunately, udp worked after rebooting the phone, and more importantly, I was able to repeat the problem many times. So I want to know if the process between when I re-uninstall the app and deny local network permissions, and when I turn it back on in Settings, is that permissions have been granted normally, and not fake, and not required a reboot to reset something for udp to take effect. I'm not sure if it's the system, or if it's a similar situation as described here, hopefully that will help me find out

Device: iPhone 17 Series System: iOS 26.0.0 Wi-Fi: TKIP encryption protocol Question: Unable to join the network We have several products that are used by connecting to iPhone via Wi-Fi. Recently, many customers who have purchased the iPhone 17 series have reported that they are unable to connect to Wi-Fi. For Wi-Fi with TKIP encryption, after entering the password correctly to connect to the Wi-Fi, a pop-up appears stating "Unable to join the network.". Only Wi-Fi with WPA2-AES can be used normally. Before that, during the iPhone 11 era or even earlier, the TKIP encryption method was in normal use. However, the new iPhone models were incompatible with it, which obviously caused great inconvenience. I hope the engineers can fix this issue to support Wi-Fi with older encryption protocols.

I've implemented a custom VPN system extension for macOS, utilizing Packet Tunnel Provider. One of the users reported a problem: he was connected to the VPN, and then his Mac entered sleep mode. Upon waking, the VPN is supposed to connect automatically (because of the on-demand rules). The VPN's status changed to 'connecting', but it remained stuck in this status. From my extension logs, I can see that the 'startTunnelWithOption()' function was called 2 minutes after the user clicked the 'connect' button. From the system logs, I noticed some 'suspicious' logs, but I can't be sure if they are related to the problem. Some of them are: kernel: (Sandbox) Sandbox: nesessionmanager(562) deny(1) system-fsctl (_IO "h" 47) entitlement com.apple.developer.endpoint-security.client not present or not true (I don't need this entitlement at the extension) nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:XXXXXX(null)]: Skip a start command from YYYYY:session in state connecting NetworkExtension.com.***: RunningBoard doesn't recognize submitted process - treating as a anonymous process sysextd: activateDecision found existing entry of same version: state activated_enabled, ID FAE... Are any of the logs related to the above problem? How can I debug such issues? What info should I get from the user?

iOS 18.4 introduced some requirements on the Key Usage of 802.1x server certificates, as described here. https://support.apple.com/en-us/121158 When using TLS_ECDHE_RSA or TLS_DHE_RSA cipher suites, 802.1X server certificates containing a Key Usage extension must have Digital Signature key usage set. When using the TLS_RSA cipher suite, 802.1X server certificates containing a Key Usage extension must have Key Encipherment key usage set. It reads like the change is supposed to affect 802.1x only. However, we have found out that the new restrictions are actually imposed on all TLS connections using the Network framework, including in Safari. Unlike other certificate errors which can be either ignored by users (as in Safari) or by code (via sec_protocol_options_set_verify_block), these new ones can't. Even if passing completion(true) in the TLS verification block, the connection still ends up in waiting state with error -9830: illegal parameter. I understand that these requirements are valid ones but as a generic TLS library I also expect that Network framework could at least allow overriding the behavior. The current treatment is not consistent with those on other certificate errors. Since I can't upload certificates, here is how to reproduce a certificate that fails. Create a OpenSSL config file test.cnf [ req ] default_bits = 2048 distinguished_name = dn x509_extensions = v3_ca prompt = no [ dn ] CN = example.com [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = CA:TRUE keyUsage = critical, keyCertSign, cRLSign Generate certificate and private key openssl req -x509 -new -nodes -keyout key.pem -out cert.pem -days 365 -config test.cnf And here is the client code to test. // Target server and port let host = NWEndpoint.Host("example.com") let port = NWEndpoint.Port("443")! // Configure insecure TLS options let tlsOptions = NWProtocolTLS.Options() sec_protocol_options_set_verify_block(tlsOptions.securityProtocolOptions, { _, _, completion in // Always trust completion(true) }, DispatchQueue.global()) let params = NWParameters(tls: tlsOptions) let connection = NWConnection(host: .init(host), port: .init(rawValue: port)!, using: params) connection.stateUpdateHandler = { newState in switch newState { case .ready: print("TLS connection established") case .failed(let error): print("Connection failed: \(error)") case .cancelled: print("Connection canceled") case .preparing: print("Connection preparing") case .waiting(let error): print("Connection waiting: \(error)") case .setup: print("Connection setup") default: break } } connection.start(queue: .global()) Output Connection preparing Connection waiting: -9830: illegal parameter Previously reported as FB17099740

Hi, I have a VPN product for macOS. When activated, it creates a virtual interface that capture all outgoing traffic for the VPN. the VPN encrypt it, and send it to the tunnel gateway. The gateway then decapsulates the packet and forwards it to the original destination. To achieve this, The vpn modifies the routing table with the following commands: # after packets were encoded with the vpn protocol, re-send them through # the physical interface /sbin/route add -host <tunnel_gateway_address_in_physical_subnet> <default_gateway> -ifp en0 > /dev/null 2>&1 # remove the default rule for en0 and replace it with scoped rule /sbin/route delete default <default_gateway> -ifp en0 > /dev/null 2>&1 /sbin/route add default <default_gateway> -ifscope en0 > /dev/null 2>&1 # create new rule for the virtual interface that will catch all packets # for the vpn /sbin/route add default <tunnel_gateway_address_in_tunnel_subnet> -ifp utunX > /dev/null 2>&1 This works in most cases. However, there are scenarios where the VPN process may crash, stop responding, or another VPN product may alter the routing table. When that happens, packets may no longer go out through the correct interface. Question: Is there a way to reliably reconstruct the routing table from scratch in such scenarios? Ideally, I would like to rebuild the baseline rules for the physical interface (e.g., en0) and then reapply the VPN-specific rules on top. Are there APIs, system utilities, or best practices in macOS for restoring the original routing configuration before reapplying custom VPN routes? Thanks

Hey, We also opened a feedback assistant request, and also opened a ticket with Apple Developer Technical Support a while ago that notice the unmount problem also but it was before we pin point the problem to the Network Extension. After a further investigation, we've found out that the root cause of this problem is cause by having a network filter from the NetworkExtension provider on (Specifically we have tested with the NEFilterDataProvider) while having a Xsan volume. The NEFilterDataProvider causing problems for the Xsan, and is stalling the shutdown until we get a panic from watchdog timeout, and only then the mac is fully shutdown. The problem from what we investigated and also talked with you, is that the Xsan process can't unmount the volume and stuck. We have also noticed that if we install a network extension and allow the popup of the network filters, i.e enabled the NEFilterDataProvider the computer is stuck, and the finder is in a non responsive state until a reboot (Also probably due to the fact the Xsan is now in a problematic state). This tests was done on latest versions of MacOs 13 & 14. We have taken a sysdiagnose from the computer while we have tested. Do you familiar with the problem (We got no answer on the feedback assistant)? Thank you, Idan

I have read all the information and forum posts about local network, such as TN3179, etc., and have added NSLocalNetworkUsageDescription, but it does not solve my problem. The problem I encountered is described as follows: Device: iOS18.1.1 Signing method: automatic Xcode debug directly runs, and the app can access 17.25.11.128 normally. However, relase run or packaged into adhoc installation, this IP cannot be accessed. There is a phenomenon that the app package of the App Store can also be used. Our test team has few iOS18+ devices, and internal testing is not possible. Please contact us as soon as possible, thank you. ======= 我已经了解了所有关于local network 相关的资料和论坛帖子，比如TN3179 等等， 已经添加了 NSLocalNetworkUsageDescription， 但是不解决我的问题。 我遇到的问题描述如下： 设备：iOS18.1.1 签名方式：自动 xcode debug 直接运行，app是可以正常访问17.25.11.128的。 但是 relase run 或者 打包成 adhoc 安装，就无法访问这个IP了。 有一个现象， App Store 的app包 也是可以的。 我们的测试团队，iOS18+的设备就没几个，还不能内部测试了。请尽快联系我们，谢谢。

We found there is a significant crash reports (most of them are from iOS 17, the rest are iOS 16 and 15) comes from network loader from CFNetwork. Apparently it seems there are two types of crashes if we checked from the stack trace, the one we found from both Xcode organizer and 3rd party crash reporter is referring to URLConnectionLoader::loadWithWhatToDo and the other one from our 3rd party crash reporter (didn’t found the report from Xcode organizer) referring to _CFURLResponseCreateFromArchiveList (this one only happened on iOS 17.5 and later devices). It seems that they are both kinda similar which might point to the same root cause. From what I’ve seen, we never touch the lower level API directly, we usually use the URLSession to manage our API request. The crashed stack trace also didn’t give any indication about which of our app code that triggered the crash, it only shows calls to Apple’s internal SDKs so we are unsure how to approach this issue meanwhile the crash event already reached 800+ in the last 30 days. Unfortunately, we cannot reproduce the issue as the stack trace itself seems unclear to us. I have submitted a report through feedback assistant with number: FB14679252. Would appreciate if anyone can give any advice on what we can do to avoid this in the future and probably any hint on why it could happened. Hereby I attached the crash reports that we found each from Xcode crash report and our 3rd party crash reporter (the report said it crashed on com.apple.CFNetwork.LoaderQ) so you could get a glimpse of the similarity. Xcode crash report xcode crash report.crash 3rd party crash report 3rd party crash report.txt

Hi, I am trying to update an old prototype I made for tvOS using DNSServiceBrowse(). The target was tvOS 17. My old build from September 2023 still works fine: It can discover computers on the same local network as the Apple TV (simulator). However, now that I am using Xcode 16, the DNSServiceBrowse() callback (of type DNSServiceBrowseReply) receives the error code: -65570. The call to DNSServiceBrowse() itself returns no error, neither does the following call to DNSServiceProcessResult() — which actually triggers the call of the callback. I found nowhere in the Internet any list of possible error codes received by the callback, so I have no idea what it means. So, my first question is: What does this error code mean? (And is there any list of the possible errors somewehere, with their meaning?) Since it was a prototype, I have no provisioning profile defined for it. Could that be related to the issue? Since I will make a real app out that prototype (targeting tvOS 18), I will have to define a provisioning profile for it. Would a provisioning profile for the app solve the issue? If yes, are there any requirements for that profile that I should take into account to solve the issue? Thank you in advance for any help, Marc

Recently, my application was having trouble connecting socket using TCP protocol after it was reinstalled. The cause of the problem was initially that I did not grant local network permissions when I reinstalled, I was aware of the problem, so socket connect interface worked fine after I granted permissions. However, the next time I repeat the previous operation, I also do not grant local network permissions, and then turn it back on in the Settings, and socket connect interfcae does not work properly (connect interface return errno 65, the system version and code have not changed). Fortunately, socket connect success after rebooting the phone, and more importantly, I was able to repeat the problem many times. So I want to know if the process between when I re-uninstall the app and deny local network permissions, and when I turn it back on in Settings, is that permissions have been granted normally, and not fake, and not required a reboot to reset something for socket coonnect to take effect.

I'm struggling to understand why the async-await version of URLSession download task APIs do not call the delegate functions, whereas the old non-async version that returns a reference to the download task works just fine. Here is my sample code: class DownloadDelegate: NSObject, URLSessionDownloadDelegate { func urlSession(_ session: URLSession, downloadTask: URLSessionDownloadTask, didWriteData bytesWritten: Int64, totalBytesWritten: Int64, totalBytesExpectedToWrite: Int64) { // This only prints the percentage of the download progress. let calculatedProgress = Float(totalBytesWritten) / Float(totalBytesExpectedToWrite) let formatter = NumberFormatter() formatter.numberStyle = .percent print(formatter.string(from: NSNumber(value: calculatedProgress))!) } } // Here's the VC. final class DownloadsViewController: UIViewController { private let url = URL(string: "https://pixabay.com/get/g0b9fa2936ff6a5078ea607398665e8151fc0c10df7db5c093e543314b883755ecd43eda2b7b5178a7e613a35541be6486885fb4a55d0777ba949aedccc807d8c_1280.jpg")! private let delegate = DownloadDelegate() private lazy var session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil) // for the async-await version private var task: Task&lt;Void, Never&gt;? // for the old version private var downloadTask: URLSessionDownloadTask? override func viewWillAppear(_ animated: Bool) { super.viewWillAppear(animated) task?.cancel() task = nil task = Task { let (_, _) = try! await session.download(for: URLRequest(url: url)) self.task = nil } // If I uncomment this, the progress listener delegate function above is called. // downloadTask?.cancel() // downloadTask = nil // downloadTask = session.downloadTask(with: URLRequest(url: url)) // downloadTask?.resume() } } What am I missing here?

This problem doesn’t appear to relate to the app as everything worked when using http (although an https setup issue may still be the problem). The problem appears to relate to the SSL server certificate on the Ubuntu server and the fact that apple does not accept that it is secure. However I have no problem with the equivalent Android app or web browser connections to the same rest API web services. There are numerous posts on these problems on Apple and other Forums, but none have helped me successfully address the issue. I ran an SSL server test on https://www.ssllabs.com/ssltest/ which gives ratings for SSL sites. The test gave an A rating although a number of minor issues were shown that may be crucial to the iOS failure. Some Sectigo certificates said self signed, which I couldn't understand. Error message from XCode log attached 2025-09-10 10:28:01.725091+0100 locateandclock[2291:1585213] ATS failed system trust 2025-09-10 10:28:01.725192+0100 locateandclock[2291:1585213] Connection 1: system TLS Trust evaluation failed(-9802) 2025-09-10 10:28:01.725291+0100 locateandclock[2291:1585213] Connection 1: TLS Trust encountered error 3:-9802 2025-09-10 10:28:01.725352+0100 locateandclock[2291:1585213] Connection 1: encountered error(3:-9802) 2025-09-10 10:28:01.726727+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802]) 2025-09-10 10:28:01.736504+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10681be00) s: *.xxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282361650 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281cf4460>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10681be00) s: *.xxxxxxxxxxxxxco.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281cf4460>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

We’ve noticed an issue where after running a network extension, if the phone’s language is changed the Locale.preferredLanguages array is not updated and still returns the old array. It only returns the updated array when the app is reinstalled or the phone is restarted. This is unlike the app itself where using the same Locale.preferredLanguages API immediately returns the updated array. We think this issue is also the cause of notifications that are sent by the network extension being in the previous language as long as the app isn’t reinstalled or the phone is restarted, despite our Localizable file having localised strings for the new language. Feedback ID: FB20086051 The feedback report includes a sample project with steps on how to reproduce the issue.

We have developed a DNS filter based on NEDNSProxyProvider. It works great for a minute, then it stops responding. Our logs indicate that during the outage our extension gets DNS requests and formulates DNS responses that it hands back to the OS, but from outside of our code it is as though our extension is not responding.

I'm writing an LDAP Browser app using SwiftUI. I tested my LDAP code using a command line app that uses the exact same libraries and it successfully connects to my LDAP server over a TLS connection. I did need to install the CA cert into the system keychain. The SwiftUI version, using the exact same code and parameters returns an "Unknown CA" error. It works fine without TLS. Can anyone explain why certificate validation is different for a GUI app?

Description : Our app helps users connect to Wi-Fi hotspots. We are trying to adapt our code to iOS 26 Hotspot Authentication and Hotspot Evaluation application extensions. When filtering hotspots in the filterScanList callback, we need to fetch support information from a remote server to determine which hotspots are supported. However, attempts to use URLSession or NWTCPConnection in the extension always fail. When accessing a URL (e.g., https://www.example.com), the network log shows: Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." When accessing a raw IP address, the log shows: [1: Operation not permitted] Interestingly, NWPathMonitor shows the network path as satisfied, indicating that the network is reachable. Question: Are there any missing permissions or misconfigurations on our side, or are we using the wrong approach? Is there an official recommended way to perform network requests from an NEHotspotEvaluationProvider extension?

Hi, We're in the process of following Apple’s guidance on transitioning away from Packet Filter (pf) and migrating to a Network Extension-based solution that functions as a firewall. During this transition, we've encountered several limitations with the current Content Filter API and wanted to share our findings. Our VPN client relies on firewall functionality to enforce strict adherence to split tunneling rules defined via the routing table. This ensures that no traffic leaks outside the VPN tunnel, which is critical for our users for a variety of reasons. To enforce this, our product currently uses interface-scoped rules to block all non-VPN traffic outside the tunnel. Replicating this behavior with the Content Filter API (NEFilterDataProvider) appears to be infeasible today. The key limitation we've encountered is that the current Content Filter API does not expose information about the network interface associated with a flow. As a workaround, we considered using the flow’s local endpoint IP to infer the interface, but this data is not available until after returning a verdict to peek into the flow’s data—at which point the connection has already been established. This can result in connection metadata leaking outside the tunnel, which may contain sensitive information depending on the connection. What is the recommended approach for this use case? NEFilterPacketProvider? This may work, but it has a negative impact on network performance. Using a Packet Tunnel Provider and purely relying on enforceRoutes? Would this indeed ensure that no traffic can leak by targeting a specific interface or by using a second VPN extension? And more broadly—especially if no such approach is currently feasible with the existing APIs—we're interpreting TN3165 as a signal that pf should be considered deprecated and may not be available in the next major macOS release. Is that a reasonable interpretation?

Hello! 👋 I am noticing new failures in the iOS 18.5 Developer Beta build (22EF5042g) when calling the system call connect() (from C++ source, in network extension). When using cell/mobile data (Mint & T-Mobile) this returns with EINTR (interrupted system call) right away. When I switch over to wifi, everything works fine. Note: I have not tested on other mobile carriers; which could make a difference since T-Mobile/Mint are IPv6 networks. FWIW, this is working in the previous developer beta (18.4). Anyone have any ideas?

I’m developing an app designed for hospital environments, where public internet access may not be available. The app includes two components: the main app and a Local Connectivity Extension. Both rely on persistent TCP socket connections to communicate with a local server. We’re observing a recurring issue where the extension’s socket becomes unresponsive every 1–3 hours, but only when the device is on the lock screen, even if the main app remains in the foreground. When the screen is not locked, the connection is stable and no disconnections occur. ❗ Issue Details: • What’s going on: The extension sends a keep-alive ping packet every second, and the server replies with a pong and a system time packet. • The bug: The server stops receiving keep alive packets from the extension.  • On the server, we detect about 30 second gap on the server, a gap that shows no packets were received by the extension. This was confirmed via server logs and Wireshark).  • On the extension, from our logs there was no gap in sending packets. From it’s perspective, all packets were sent with no error.  • Because no packet are being received by the server, no packets will be sent to the extension. Eventually the server closes the connection due to keep-alive timeout.  • FYI we log when the NEAppPushProvider subclass sleeps and it did NOT go to sleep while we were debugging. 🧾 Example Logs: Extension log: 2025-03-24 18:34:48.808 sendKeepAliveRequest() 2025-03-24 18:34:49.717 sendKeepAliveRequest() 2025-03-24 18:34:50.692 sendKeepAliveRequest() ... // continuous sending of the ping packet to the server, no problems here 2025-03-24 18:35:55.063 sendKeepAliveRequest() 2025-03-24 18:35:55.063 keepAliveTimer IS TIME OUT... in CoreService. // this is triggered because we did not receive any packets from the server Server log: 2025-03-24 18:34:16.298 No keep-alive received for 16 seconds... connection ID=95b3... // this shows that there has been no packets being received by the extension ... 2025-03-24 18:34:30.298 Connection timed out on keep-alive. connection ID=95b3... // eventually closes due to no packets being received 2025-03-24 18:34:30.298 Remote Subsystem Disconnected {name=iPhone|Replica-Ext|...} ✅ Observations: • The extension process continues running and logging keep-alive attempts. • However, network traffic stops reaching the server, and no inbound packets are received by the extension. • It looks like the socket becomes silently suspended or frozen, without being properly closed or throwing an error. ❓Questions: • Do you know why this might happen within a Local Connectivity Extension, especially under foreground conditions and locked ? • Is there any known system behavior that might cause the socket to be suspended or blocked in this way after running for a few hours? Any insights or recommendations would be greatly appreciated. Thank you!

Hi, I'm experiencing intermittent delays with URLSession where requests take 3-4 seconds to be sent, even though the actual server processing is fast. This happens randomly, maybe 10-20% of requests. The pattern I've noticed is I create my request I send off my request using try await urlSession.data(for: request) My middleware ends up receiving this request 4-7s after its been fired from the client-side The round trip ends up taking 4-7s! This hasn't been reproducible consistently at all on my end. I've also tried ephemeral URLSessions (so recreating the session instead of using .shared so no dead connections, but this doesn't seem to help at all) Completely lost on what to do. Please help!