Hello Networking List,

The setup: 

* We are an ISP, and we provide customers with internet access routers. 

* On these routers there is a Linux Container (lxc) running a service on an 
nginx.

* The DHCP on the router is providing a hostname for the lxc in the local 
network.

* The nginx has a self-signed certificate

The problem:

When we are accessing the service using NSURLSession using the IP of the lxc, 
the NSURLSessionDelegate's "didReceiveChallenge" is called as expected, and we 
can perform our own challenge handling. This is the expected behaviour.

When we are accessing the service in an identical manner but using the 
_hostname_, the task fails with an error -1200 "An SSL error has occurred and a 
secure connection to the server cannot be made." without ever calling the 
delegate.

The Question:

What could possibly be the difference between accessing the service via 
hostname or via ip? What could cause NSURLSession to fail without attempting to 
call the delegate?

Any pointers would be appreciated. Below, I have attached tcpdump output for 
the good and the bad case.

Thanks a lot!

Alex

(Service IP is 192.168.2.111, client IP is 192.168.2.115)

Successful case:

14:16:32.684748 ARP, Request who-has 192.168.2.111 (02:7e:bb:20:57:7c (oui Unknown)) tell 192.168.2.115, length 28
14:16:32.684783 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [S], seq 3334470222, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1030832639 ecr 0,sackOK,eol], length 0
14:16:32.688710 ARP, Reply 192.168.2.111 is-at 02:7e:bb:20:57:7c (oui Unknown), length 54
14:16:32.691371 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [S.], seq 3115726359, ack 3334470223, win 28960, options [mss 1460,sackOK,TS val 522728809 ecr 1030832639,nop,wscale 7], length 0
14:16:32.691394 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1030832645 ecr 522728809], length 0
14:16:32.693171 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 1:245, ack 1, win 2058, options [nop,nop,TS val 1030832646 ecr 522728809], length 244
14:16:32.694240 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [.], ack 245, win 235, options [nop,nop,TS val 522728813 ecr 1030832646], length 0
14:16:32.695656 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [P.], seq 1:1047, ack 245, win 235, options [nop,nop,TS val 522728815 ecr 1030832646], length 1046
14:16:32.695669 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [.], ack 1047, win 2042, options [nop,nop,TS val 1030832648 ecr 522728815], length 0
14:16:34.033008 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 245:587, ack 1047, win 2048, options [nop,nop,TS val 1030833978 ecr 522728815], length 342
14:16:34.075631 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [.], ack 587, win 243, options [nop,nop,TS val 522730195 ecr 1030833978], length 0
14:16:34.129836 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [P.], seq 1047:1122, ack 587, win 243, options [nop,nop,TS val 522730247 ecr 1030833978], length 75
14:16:34.129865 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [.], ack 1122, win 2046, options [nop,nop,TS val 1030834073 ecr 522730247], length 0
14:16:34.134468 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 587:832, ack 1122, win 2048, options [nop,nop,TS val 1030834077 ecr 522730247], length 245
14:16:34.139378 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [.], ack 832, win 252, options [nop,nop,TS val 522730258 ecr 1030834077], length 0
14:16:34.171367 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [P.], seq 1122:1559, ack 832, win 252, options [nop,nop,TS val 522730290 ecr 1030834077], length 437
14:16:34.171396 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [.], ack 1559, win 2041, options [nop,nop,TS val 1030834112 ecr 522730290], length 0
14:16:34.173689 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 832:1157, ack 1559, win 2048, options [nop,nop,TS val 1030834114 ecr 522730290], length 325
14:16:34.217168 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [.], ack 1157, win 260, options [nop,nop,TS val 522730336 ecr 1030834114], length 0
14:16:34.232916 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [P.], seq 1559:2028, ack 1157, win 260, options [nop,nop,TS val 522730351 ecr 1030834114], length 469


Failing case:


14:17:25.222760 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [S], seq 874428209, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1030885006 ecr 0,sackOK,eol], length 0
14:17:25.226587 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [S.], seq 3474063986, ack 874428210, win 28960, options [mss 1460,sackOK,TS val 522781343 ecr 1030885006,nop,wscale 7], length 0
14:17:25.226614 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [.], ack 1, win 2058, options [nop,nop,TS val 1030885010 ecr 522781343], length 0
14:17:25.229486 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [P.], seq 1:224, ack 1, win 2058, options [nop,nop,TS val 1030885012 ecr 522781343], length 223
14:17:25.234705 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [.], ack 224, win 235, options [nop,nop,TS val 522781353 ecr 1030885012], length 0
14:17:25.238843 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [P.], seq 1:8, ack 224, win 235, options [nop,nop,TS val 522781354 ecr 1030885012], length 7
14:17:25.238844 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [F.], seq 8, ack 224, win 235, options [nop,nop,TS val 522781354 ecr 1030885012], length 0
14:17:25.238862 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [.], ack 8, win 2058, options [nop,nop,TS val 1030885021 ecr 522781354], length 0
14:17:25.238871 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [.], ack 9, win 2058, options [nop,nop,TS val 1030885021 ecr 522781354], length 0
14:17:25.251025 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [F.], seq 224, ack 9, win 2058, options [nop,nop,TS val 1030885033 ecr 522781354], length 0
14:17:25.253075 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [.], ack 225, win 235, options [nop,nop,TS val 522781371 ecr 1030885033], length 0
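
Added example, not part of the original post: a short Python summary of the two traces above, showing that in the failing case the server answers the client's first TLS message with 7 bytes and a FIN, so no certificate ever reaches the client for a trust decision. The function names, the abridged trace lines and the reading of a 7-byte reply as the size of a plaintext TLS alert record are assumptions of this example.

```python
import re

# Abridged from the two traces in the post (TCP options dropped, ACK-only
# segments omitted); 192.168.2.111 is the nginx container.
GOOD = """\
14:16:32.693171 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 1:245, ack 1, win 2058, length 244
14:16:32.695656 IP 192.168.2.111.https > 192.168.2.115.50777: Flags [P.], seq 1:1047, ack 245, win 235, length 1046
14:16:34.033008 IP 192.168.2.115.50777 > 192.168.2.111.https: Flags [P.], seq 245:587, ack 1047, win 2048, length 342
"""
BAD = """\
14:17:25.229486 IP 192.168.2.115.50779 > 192.168.2.111.https: Flags [P.], seq 1:224, ack 1, win 2058, length 223
14:17:25.238843 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [P.], seq 1:8, ack 224, win 235, length 7
14:17:25.238844 IP 192.168.2.111.https > 192.168.2.115.50779: Flags [F.], seq 8, ack 224, win 235, length 0
"""

# Source IPv4 address (port stripped), TCP flags, payload length.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\S+ > \S+: Flags \[([^\]]*)\].*length (\d+)")
ALERT_RECORD_LEN = 7  # 5-byte TLS record header + 2-byte alert (level, description)

def summarize(trace, server_ip):
    """Return (first client payload size, server payload bytes, server sent FIN)."""
    client_first, server_bytes, server_fin = None, 0, False
    for m in map(LINE.search, trace.splitlines()):
        if not m:
            continue  # ARP and other non-TCP lines
        src, flags, length = m.group(1), m.group(2), int(m.group(3))
        if src == server_ip:
            server_bytes += length
            server_fin = server_fin or "F" in flags
        elif client_first is None and length:
            client_first = length  # size of the client's first TLS message
    return client_first, server_bytes, server_fin

def verdict(trace, server_ip="192.168.2.111"):
    """Classify a trace by how the server answered the first client message."""
    _, server_bytes, server_fin = summarize(trace, server_ip)
    if server_fin and server_bytes == ALERT_RECORD_LEN:
        return "rejected"   # alert-sized reply then FIN: no certificate was sent
    return "continued"      # server sent handshake data the client can evaluate

if __name__ == "__main__":
    for name, trace in (("successful", GOOD), ("failing", BAD)):
        print(name, summarize(trace, "192.168.2.111"), verdict(trace))
```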
