Native Apple TLS Backend

Native Apple TLS (iohAppleTLS) is the iOS and macOS TLS transport for sgcWebSockets, with no OpenSSL .dylib to deploy. It auto-selects the best system API for the device, so you get TLS 1.3 on modern systems without changing any code. Enable it by setting TLSOptions.IOHandler to iohAppleTLS.


Native Apple TLS (iohAppleTLS)

Apple-native TLS for iOS and macOS, with no OpenSSL .dylib to deploy.

Native Apple TLS lets your iOS and macOS apps use the operating system's own TLS, so there is no OpenSSL .dylib to bundle, version-match or patch. Apple maintains the TLS stack, which keeps your app aligned with the platform's security policy and removes a third-party dependency from your release.

The backend auto-selects the best system API for each device, all behind the single iohAppleTLS setting. On macOS 10.14+ and iOS 12+ it uses Network.framework, which brings TLS 1.3. On older systems it falls back to Secure Transport, which tops out at TLS 1.2. You do not branch on OS version: the backend picks the right path and your code stays the same.

It is a complete TLS client, not a trimmed-down one. It uses the system trust store, performs SNI and hostname verification, and exposes an OnAppleTLSVerifyPeer callback for custom validation. You can trust a private authority with a custom CA root (RootCertFile), present a client certificate for mutual TLS (CertFile + Password), and advertise application protocols such as http/1.1 through ALPN. Choose this backend for App Store apps that want OS-maintained TLS 1.3 and no third-party crypto to manage.

Enable Native Apple TLS

Set TLSOptions.IOHandler to iohAppleTLS, then use the same TLSOptions as any other backend.

Delphi:

WSClient.TLS := True;
WSClient.TLSOptions.IOHandler := iohAppleTLS;
WSClient.TLSOptions.ALPNProtocols.Add('http/1.1');
WSClient.TLSOptions.RootCertFile := '';   // optional custom CA (PEM/DER)
WSClient.TLSOptions.CertFile := '';       // optional client cert (PKCS#12) for mTLS
WSClient.TLSOptions.Password := '';       // client cert password
WSClient.TLSOptions.VerifyCertificate := True;
WSClient.OnAppleTLSVerifyPeer := DoVerifyPeer;  // optional custom validation
WSClient.Host := 'your.server.com';
WSClient.Port := 443;
WSClient.Active := True;

C++Builder:

WSClient->TLS = true;
WSClient->TLSOptions->IOHandler = iohAppleTLS;
WSClient->TLSOptions->ALPNProtocols->Add("http/1.1");
WSClient->TLSOptions->RootCertFile = "";   // optional custom CA (PEM/DER)
WSClient->TLSOptions->CertFile = "";       // optional client cert (PKCS#12) for mTLS
WSClient->TLSOptions->Password = "";       // client cert password
WSClient->TLSOptions->VerifyCertificate = true;
WSClient->OnAppleTLSVerifyPeer = DoVerifyPeer;  // optional custom validation
WSClient->Host = "your.server.com";
WSClient->Port = 443;
WSClient->Active = true;
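
A pre-flight check for the two file settings above, as an added example that is not part of sgcWebSockets or the original page: it sniffs a file's leading bytes to tell a PEM/DER certificate (the formats documented for RootCertFile) from a PKCS#12 container (the format documented for CertFile), and flags a PEM private key supplied to either. The names classifyCredential, okForRootCertFile and okForCertFile are hypothetical, and the code is standard C++ with no VCL dependency.

```cpp
// Added example (not sgcWebSockets code): sniff a credential file's format
// before assigning its path to TLSOptions.RootCertFile or TLSOptions.CertFile.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class CredKind { PemCertificate, PemPrivateKey, DerCertificate, Pkcs12, Unknown };

// Step over one ASN.1 tag + length header; false if the tag differs or input is truncated.
static bool skipHeader(const std::vector<uint8_t>& b, size_t& pos, uint8_t tag) {
    if (pos + 2 > b.size() || b[pos] != tag) return false;
    const uint8_t first = b[pos + 1];
    pos += 2;
    if (first & 0x80) {                  // long form: low 7 bits count the length bytes
        const size_t n = first & 0x7F;   // n == 0 is BER indefinite length (some PFX writers)
        if (n > 4 || pos + n > b.size()) return false;
        pos += n;
    }
    return true;
}

// Heuristic content sniff, not a full parse: it reads only the outermost structure.
CredKind classifyCredential(const std::vector<uint8_t>& data) {
    const std::string text(data.begin(), data.end());
    if (text.find("PRIVATE KEY-----") != std::string::npos) return CredKind::PemPrivateKey;
    if (text.find("-----BEGIN CERTIFICATE-----") != std::string::npos) return CredKind::PemCertificate;
    size_t pos = 0;
    if (!skipHeader(data, pos, 0x30) || pos >= data.size()) return CredKind::Unknown;
    // A PKCS#12 PFX starts with INTEGER version 3; an X.509 certificate starts with tbsCertificate.
    if (pos + 3 <= data.size() && data[pos] == 0x02 && data[pos + 1] == 0x01 && data[pos + 2] == 0x03)
        return CredKind::Pkcs12;
    return data[pos] == 0x30 ? CredKind::DerCertificate : CredKind::Unknown;
}

// The page documents RootCertFile as PEM/DER and CertFile as PKCS#12.
bool okForRootCertFile(CredKind k) { return k == CredKind::PemCertificate || k == CredKind::DerCertificate; }
bool okForCertFile(CredKind k) { return k == CredKind::Pkcs12; }

int main() {
    // Constructed sample: the first bytes of a PKCS#12 container.
    const std::vector<uint8_t> pfx = {0x30, 0x82, 0x09, 0x10, 0x02, 0x01, 0x03, 0x30};
    const CredKind k = classifyCredential(pfx);
    std::cout << "CertFile ok: " << okForCertFile(k) << ", RootCertFile ok: " << okForRootCertFile(k) << "\n";
    return 0;
}
```

A PEM bundle that contains both a certificate and a private key is reported as PemPrivateKey, so it is rejected for RootCertFile rather than shipped as a trust anchor.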

No OpenSSL .dylib

The TLS stack ships with the operating system, and the backend chooses the right API per device.

Network.framework

On macOS 10.14+ and iOS 12+ the backend uses Network.framework, which brings TLS 1.3.

Secure Transport Fallback

On older systems it falls back to Secure Transport (TLS 1.2), automatically and behind the same setting.

System Trust & SNI

It uses the system trust store with SNI and hostname verification, plus OnAppleTLSVerifyPeer for custom checks.

Custom CA & mTLS

Trust a private CA with RootCertFile, present a client cert with CertFile + Password, and advertise ALPN protocols.

Edition note

Native Apple TLS (iohAppleTLS) requires the Enterprise edition of sgcWebSockets. See the feature matrix for the full breakdown.
