Connecting to Insecure Website

I’m connecting to a local web server during development. If I’m in a regular browser (Safari, Firefox, etc.) it will give me the option of ignoring the security settings when I first navigate to the login page.

There are posts from 2019 that use NSURLRequestCertificateFilterMBS to allow connection but that no longer appears to work. And that was Mac only so I need a solution that works on Mac and Windows.

Any thoughts on where to begin?

Use CURLSMBS class. If no certificates are set, the check isn’t performed, so it will succeed for you.

PS: Nice to see you working with Xojo :)

I need to use the HTMLViewer if I can. Otherwise this is getting way more tricky.

Never completely stopped but it’s been a whole lot less in the past year and a half.

URLConnection has AllowCertificateValidation = false but I don’t think that will help either. I’m not seeing an equivalent property for HTMLViewer.

On Mac, there’s the NSAllowsArbitraryLoads Info.plist key, but I think that’s only for allowing HTTP, not skipping certificate checks.

Maybe you need some entries in info.plist to trust your domain?

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <!-- Exception applies only to this domain (and its subdomains) -->
    <key>www.myurl.com</key>
    <dict>
      <key>NSExceptionRequiresForwardSecrecy</key>
      <false/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <key>NSIncludesSubdomains</key>
      <true/>
    </dict>
  </dict>
</dict>

I have been messing around with a diagnostic tool, mitmproxy, that might be helpful.

The proxy generates its own CA certificate and uses it to sign the certificate sent to clients during connect/hello requests. The CA certificate needs to be added to the client store and trusted. After that you can create one-line TLS transforms with relative ease.

https://mitmproxy.org/

That’s not the problem though. The issue is that the server is https-only and that it has a self-signed certificate. Probably only for testing, but it still makes testing impossible.

From what I’ve read, this is possible on macOS, although I haven’t found the magic combination of declares or obj-c quite yet.
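
Added example, not part of any post in this thread: for a self-signed development server, the alternative to switching validation off is to trust that one certificate, as the mitmproxy reply describes for its CA. The script below uses the openssl CLI to show that a self-signed certificate validates only against a trust list that contains it and only for the host name in its SAN. The host names are placeholders, and whether Xojo's HTMLViewer consults the OS trust store on each platform is an assumption to verify.

```shell
#!/bin/sh
# Constructed example: dev.example.test is a placeholder host name.

# Create a short-lived self-signed certificate with a matching SAN.
# $1 = output directory, $2 = host name
make_dev_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/dev.key" -out "$1/dev.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to an anchor in the given file.
# $1 = certificate, $2 = PEM file of trusted anchors
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if the certificate is valid for the given host name.
# $1 = certificate, $2 = host name
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Demo: the certificate is accepted once it is its own trust anchor.
tmp=$(mktemp -d)
make_dev_cert "$tmp" dev.example.test
if trusted_by "$tmp/dev.crt" "$tmp/dev.crt"; then
    echo "dev.crt validates when explicitly trusted"
fi
rm -rf "$tmp"

# To trust the same file system-wide on a development machine only
# (assumption: the embedded web view honours the OS trust store):
#   macOS:   security add-trusted-cert -d -r trustRoot \
#              -k /Library/Keychains/System.keychain dev.crt
#   Windows: certutil -addstore -f Root dev.crt
```

Remove the certificate from the trust store once testing is finished, since anyone holding dev.key can impersonate that host to the machine.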