Hello everyone. I already posted this question in the cocoa-dev, but was
We write a system-level daemon that runs as root for security monitoring,
maintained by launchd.
We use C++ Boost.Asio for cross-platform networking (Win/Linux/OS-X). Hence,
on OS-X, we can't use higher-level APIs (such as NSURLSession and friends). Also,
we use a proprietary binary protocol to our server, but in certain client site
deployments we need to pass it through an HTTP proxy. We use the HTTP CONNECT
method to create a secure tunnel through the proxy. This works fine when we
provide a proxy configuration of our own.
Now I'm trying to integrate with the OS-X system-configuration proxy settings.
I found the great (if a little old) CFProxySupportTool code sample, read lots of
documentation, and was able to neatly read and support HTTP, HTTPS,
auto-configured and PAC-based settings.
This breaks when the proxy is authenticated, i.e. you must handshake with the
proxy using a username and password.
The credential keys (username and password) received from
CFNetworkCopyProxiesForURL() are normally empty, as they are stored in OS-X's
secure storage, the Keychain.
I wrote a simple tool to read the credentials using Keychain APIs, and found:
1. The credentials are stored in the current user's login keychain (the user
who set the credentials in the System Preferences Network panel).
2. Calling Keychain APIs in the test tool triggers a dialog asking the user
for permission to allow it access to the keychain. Expected for an app, not so
much for a system-level daemon.
3. When the tool is run as root, it finds nothing, because it doesn't reach
the user's login keychain.
1. How do other system daemons connect to network web servers silently, using
authenticated proxy settings? I never got any dialog for them asking for
permission to read the keychain... Also, which keychain do they use? Not the
System keychain? And when I set authentication parameters for, say, the admin
user, how do they read it? Via some kind of impersonation?
2. How do preinstalled Safari, Mail, Photos, and other apps connect silently
to the web and avoid triggering the keychain access permission dialog? They
clearly use proxy settings (including credentials) to go to the internet, and
run under the current user. If such behavior is acceptable, how is it done?
3. All proxy settings seem to be system-wide (actually per network interface).
Why do the credentials reside in the active user's login keychain instead of
the System keychain? Is there any way (except for manually editing the
keychains) to set up proxies for ALL users, including credentials?
4. Could I, at the time of installation of my product, ask once for this
access, and have this "trust" saved for my installed daemon? That would be
acceptable, as IT installs our tool on all users' machines and has the rights
for this. If this is possible, where and how could I do it?
These are a lot of questions, but any hint, any direction to docs or sample
code, would be greatly appreciated. I have been spending weeks on this already.
Last... If the wonderful code within NSURLSession and CFNetwork that negotiates
proxies were exposed via proper APIs, that would be a real blessing. So
many developers (especially in the enterprise arena) need to reimplement this
time and again, and do it in ways much inferior and insecure to the system
But they are useless ---
they can only provide answers!
(Pablo Picasso 1881-1973 about Computers).
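The CONNECT exchange the post relies on, as an added example (not code from the original post, and not Apple's or Boost's). It shows the two halves a daemon doing its own tunnelling needs: building the CONNECT request, first without and then with a Proxy-Authorization header, and parsing the proxy's reply so that a 407 with a Basic challenge can be told apart from a 200 that opens the tunnel. Host, port, user name and password are constructed sample values; in the poster's setting they would come from the proxy dictionary returned by CFNetworkCopyProxiesForURL() plus whatever credential source is finally chosen. Only Basic is handled; Negotiate/NTLM proxies need a different dance, and Basic sends the credential in clear to the proxy, so the path to the proxy must be trusted.

```cpp
// Added example: HTTP CONNECT with Proxy-Authorization: Basic, no sockets,
// so it runs offline on constructed request/response strings.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Minimal RFC 4648 base64 encoder, used only for the Basic credential.
static std::string base64(const std::string& in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {
        uint32_t n = ((uint8_t)in[i] << 16) | ((uint8_t)in[i + 1] << 8) | (uint8_t)in[i + 2];
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63];
        out += tbl[(n >> 6) & 63]; out += tbl[n & 63];
    }
    size_t rem = in.size() - i;
    if (rem == 1) {
        uint32_t n = (uint8_t)in[i] << 16;
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63]; out += "==";
    } else if (rem == 2) {
        uint32_t n = ((uint8_t)in[i] << 16) | ((uint8_t)in[i + 1] << 8);
        out += tbl[n >> 18]; out += tbl[(n >> 12) & 63]; out += tbl[(n >> 6) & 63]; out += '=';
    }
    return out;
}

// Build the CONNECT request for host:port. The first attempt is sent without
// credentials; they are only added after the proxy has answered 407.
std::string buildConnect(const std::string& host, unsigned port,
                         const std::string& user = "", const std::string& pass = "") {
    std::ostringstream req;
    req << "CONNECT " << host << ":" << port << " HTTP/1.1\r\n"
        << "Host: " << host << ":" << port << "\r\n";
    if (!user.empty())
        req << "Proxy-Authorization: Basic " << base64(user + ":" + pass) << "\r\n";
    req << "\r\n";
    return req.str();
}

struct ProxyReply {
    int status = 0;
    std::map<std::string, std::string> headers;  // names lower-cased
    bool complete = false;                        // blank line seen
};

// Parse only the response head. After a 2xx the bytes that follow the blank
// line belong to the tunnelled protocol (here: our binary protocol / TLS),
// so they must not be consumed as HTTP.
ProxyReply parseReply(const std::string& raw) {
    ProxyReply r;
    size_t end = raw.find("\r\n\r\n");
    if (end == std::string::npos) return r;   // need more bytes
    r.complete = true;
    std::istringstream in(raw.substr(0, end));
    std::string line;
    if (std::getline(in, line)) {             // "HTTP/1.1 407 Proxy Authentication Required"
        std::istringstream sl(line);
        std::string ver; sl >> ver >> r.status;
    }
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        size_t c = line.find(':');
        if (c == std::string::npos) continue;
        std::string k = line.substr(0, c), v = line.substr(c + 1);
        for (auto& ch : k) ch = (char)std::tolower((unsigned char)ch);
        v.erase(0, v.find_first_not_of(" \t"));
        r.headers[k] = v;
    }
    return r;
}

// Retry with credentials only when the proxy actually offers Basic;
// any other challenge (Negotiate, NTLM) should fail loudly instead.
bool offersBasic(const ProxyReply& r) {
    auto it = r.headers.find("proxy-authenticate");
    return r.status == 407 && it != r.headers.end() && it->second.rfind("Basic", 0) == 0;
}

int main() {
    // Constructed sample exchange: proxy challenges, client retries with Basic.
    const std::string challenge =
        "HTTP/1.1 407 Proxy Authentication Required\r\n"
        "Proxy-Authenticate: Basic realm=\"corp\"\r\nContent-Length: 0\r\n\r\n";
    std::cout << buildConnect("example.com", 443);
    ProxyReply r = parseReply(challenge);
    if (offersBasic(r))
        std::cout << buildConnect("example.com", 443, "user", "pass");
    return 0;
}
```

The split between `parseReply` and the caller matters in an Asio implementation: read into a buffer until `\r\n\r\n` is present, hand only the head to the parser, and leave any trailing bytes in the buffer for the tunnelled stream.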
Macnetworkprog mailing list (Macnetworkprog@lists.apple.com)