URLConnection different behavior in Desktop and Console

Hi to all! I have a behavior I need to understand, please help me

I have an API server with a valid SSL certificate, and users can connect to it using https:// fqdn / page

When I connect my computer to the private local network where the server is located (physically or by VPN), I see different behavior from URLConnection, depending on whether the app is Desktop or Console
This is the code (simplest example) in an empty new project, 2025r3:

Var HTTPSocket1 As New URLConnection
Var result As String
Var fqdn As String
Var webpage As String
Var remote_url As String

fqdn = "api.server.com" //not the real string
webpage = "/test/api01" //not the real string

remote_url = "https://" + fqdn + webpage

Try
  
  HTTPSocket1.AllowCertificateValidation = False
  result = HTTPSocket1.SendSync("GET", remote_url, 5)
  
Catch err1 As NetworkException
  
  result = err1.Message
  
End Try

I cannot understand why the Console application, running from my computer, can get a result string, but a Desktop application, running from the same computer, stops with error -1200 “An SSL error has occurred and a secure connection to the server cannot be made.”
Could someone explain this to me or point me in the right direction?
Thanks

Is this macOS? In recent macOS, apps need permission to access the local network (System Settings / Privacy & Security / Local Network).

Perhaps the console app doesn’t require this (maybe it’s inheriting the permissions for the Terminal app, and you already granted it?) – whereas the desktop app does not have the permission granted.

If not macOS, then I have no idea.

Yes, macOS, but still in the IDE
Give me a minute to compile both, apply permission, and try

Compiled with my Apple Developer ID, set all the permissions I found in System Settings → Privacy, but nothing changed

In System Settings → Privacy → Developer Tools (sorry, I’m not sure about the translation because I use a different language) Terminal is present, with no check. So I also tried adding my test app, checked or not, but nothing changed

See Sequoia - new security entitlement(s)

That doesn’t really matter. It seems to be about whether the connection is initiated automatically at launch. (Last time I was researching this was when it first started happening to me after upgrading to Sequoia. It was a bunch of Mac devs figuring it out since Apple didn’t say anything.)

I just tried a test similar to yours : a Desktop app and a Console app, both trying to load a website from a local IP address (inside my LAN).

The DesktopApp puts up the “allow” dialog:

But even if I allow it, the network exception has already happened:

Console App
The console app, however, runs fine the first time:

So it does seem like Console apps are somehow “blessed” in a way that Desktop apps are not?

I’m not really sure I understand, but it seems to me to be the opposite situation
In the Console application, the connection is in the Run event, so immediate, and it works
In the Desktop application, it is in the Push event of a button, and it doesn’t work

Just to be clear, I do not access by IP, I use the FQDN

This seems to me and I do not understand why

Right, but DNS always returns an IP address, and I believe macOS knows if the IP address is within a private network range (Wikipedia: Private network).

This also may depend on how your router and DNS function - some routers can do something called Hairpin NAT (Wikipedia: Network address translation).

The difference is whether your DNS returns the WAN or LAN IP addresses.

However, my test seems to suggest this is NOT the problem. The issue is that Console and Desktop apps are behaving differently.

I think that a console app run from the Xojo IDE will inherit the Xojo IDE permissions.

I also think that macOS Local Network settings are buggy - here’s what mine looks like - notice how the OS seems confused about various versions of Xojo:

This would be new behavior for the “Automatic local connection denied on first attempt” problem, which could mean it actually is not that problem.

The network where the server lives is a little more complicated; there is also an internal DNS that rewrites some IPs from external to internal
The SSL server certificate is attached to the external public IP, so if I use it with the internal IP it is normal that I get an error. This is why I need to set:

HTTPSocket1.AllowCertificateValidation = False

If the problem is in the network, DNS, certificate, or something else, why can the Console app connect and the Desktop app cannot?
If I understand why, maybe I can fix it. At the moment, I can only set up a workaround
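
A small diagnostic for the question raised in the posts above (does the name resolve to a LAN or a WAN address from this machine?), added here as an example and not code from any poster. It uses only Python's standard library and treats RFC 1918, unique-local and link-local ranges as "LAN", which is an assumption about what macOS considers local; `api.server.com` is the thread's placeholder name.

```python
import ipaddress
import socket

def resolve(host, port=443):
    """Return the sorted unique addresses the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(address):
    """Label one address: 'loopback', 'link-local', 'private' (LAN) or 'public' (WAN)."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop IPv6 zone id, e.g. fe80::1%en0
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"

def summarize(addresses):
    """Map each address to its label and say whether any answer points into the LAN."""
    labels = {a: classify(a) for a in addresses}
    lan = any(v in ("private", "link-local") for v in labels.values())
    return labels, lan

if __name__ == "__main__":
    import sys
    # Placeholder host name taken from the thread; pass the real FQDN as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "api.server.com"
    try:
        labels, lan = summarize(resolve(host))
    except socket.gaierror as err:
        sys.exit(f"cannot resolve {host}: {err}")
    for addr, label in labels.items():
        print(f"{addr:40} {label}")
    print("resolver returns a LAN address" if lan else "resolver returns only WAN addresses")
```

Running it once on the LAN or VPN and once from outside shows whether the internal DNS rewrite is in effect for the machine where the Desktop app fails.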

Your desktop app should be triggering this dialog:

Note: this will only happen one time. If you clicked ‘Don’t allow’ it would be silently blocked.

If you are not seeing the dialog, re-build your desktop app after changing the Bundle Identifier:


This may trick the OS into thinking it’s a new app, and ask you for permissions again.

I’ll try, thanks