Authorization Plugins do not allow connections (ssl-tls error) - SFAuthorizationPluginView

Our authorization plugin implements a custom window using SFAuthorizationPluginView and needs to make web connections to do validations. We have not been able to get it to work using the native macOS system APIs, such as NSURLSession or NSURLConnection, when loaded from the lock screen.

The same connection code works in an independent executable, in a login plugin, and in the authentication plugin itself when it loads us from the elevate system privileges window.

If we use libcurl it works correctly in all points, but we need to use the system APIs because we use third-party components that use them.

The error it provides is "NSURLErrorDomain Code=-1202"

Analyzing the traces of the process that is responsible for loading our "SecurityAgentHelper" plugin, we have seen that the handshake of the certificates is not completed (logs attached).

We have verified that the problem extends from Catalina to Monterey.

How can we solve the problem? Is it necessary to do something special?

I think this is a known bug (r. 59800722). It’s not specific to SFAuthorizationPluginView; rather, it affects any authorisation plug-in running in the screen saver (system.login.screensaver) context. The workaround is to move these network operations to a daemon, and then have your authorisation plug-in request that the daemon perform these network operations on its behalf (typically using XPC).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I faced the same issue and was able to get around it by running the network request as root from a Privilege Helper daemon.
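A minimal sketch of the daemon-plus-XPC workaround described in the replies above, added here as an example and not code from any poster in this thread. The Mach service name `com.example.authplugin.netd`, the `ValidationService` protocol and the function names are hypothetical; the daemon is assumed to be a launchd daemon whose property list registers that name under `MachServices`.

```swift
import Foundation

// Hypothetical Mach service name (assumption, not from the thread).
let machServiceName = "com.example.authplugin.netd"

// Hypothetical XPC interface shared by the daemon and the plug-in.
@objc protocol ValidationService {
    // Replies with the HTTP status code (0 on failure) and the response body.
    func validate(url: URL, reply: @escaping (Int, Data?) -> Void)
}

// Daemon side: performs the TLS request outside the screen saver context.
final class ValidationDaemon: NSObject, NSXPCListenerDelegate, ValidationService {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // A production daemon should verify the caller's code signature here
        // before exporting anything, so only the plug-in can use the service.
        conn.exportedInterface = NSXPCInterface(with: ValidationService.self)
        conn.exportedObject = self
        conn.resume()
        return true
    }

    func validate(url: URL, reply: @escaping (Int, Data?) -> Void) {
        // Refuse anything that is not HTTPS so the daemon cannot be used as a generic fetcher.
        guard url.scheme == "https" else { reply(0, nil); return }
        URLSession.shared.dataTask(with: url) { data, response, _ in
            reply((response as? HTTPURLResponse)?.statusCode ?? 0, data)
        }.resume()
    }
}

// Held globally because NSXPCListener keeps only a weak reference to its delegate.
let daemonDelegate = ValidationDaemon()

// Entry point for the daemon executable.
func runDaemon() -> Never {
    let listener = NSXPCListener(machServiceName: machServiceName)
    listener.delegate = daemonDelegate
    listener.resume()
    dispatchMain()
}

// Plug-in side: ask the daemon to make the request instead of calling NSURLSession directly.
func requestValidation(url: URL, completion: @escaping (Int, Data?) -> Void) {
    let conn = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
    conn.remoteObjectInterface = NSXPCInterface(with: ValidationService.self)
    conn.resume()
    // For each message, XPC invokes either the error handler or the reply block, never both.
    let proxy = conn.remoteObjectProxyWithErrorHandler { _ in
        completion(0, nil); conn.invalidate()
    } as? ValidationService
    proxy?.validate(url: url) { status, data in
        completion(status, data); conn.invalidate()
    }
}
```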
