diff --git a/src/certificates/macos.rs b/src/certificates/macos.rs
index bb5c67e4..717b88cc 100644
--- a/src/certificates/macos.rs
+++ b/src/certificates/macos.rs
@@ -2,8 +2,7 @@ use anyhow::{anyhow, Result};
 use security_framework::{
     certificate::SecCertificate,
     item::{
-        add_item, AddRef, ItemAddOptions, ItemAddValue, ItemClass, ItemSearchOptions, Reference,
-        SearchResult,
+        AddRef, ItemAddOptions, ItemAddValue, ItemClass, ItemSearchOptions, Reference, SearchResult,
     },
 };
 use tokio::process::Command;
@@ -11,9 +10,8 @@ use tokio::process::Command;
 pub fn add_cert(der: Vec<u8>, path: &str) -> Result<()> {
     let cert = SecCertificate::from_der(&der)?;
     let add_ref = AddRef::Certificate(cert);
-    let add_option = ItemAddOptions::new(ItemAddValue::Ref(add_ref))
-        .set_label("mitmproxy")
-        .to_dictionary();
+    let mut add_option = ItemAddOptions::new(ItemAddValue::Ref(add_ref));
+    add_option.set_label("mitmproxy");
 
     let search_result = ItemSearchOptions::new()
         .class(ItemClass::certificate())
@@ -26,7 +24,7 @@ pub fn add_cert(der: Vec<u8>, path: &str) -> Result<()> {
         cert.delete()?;
     }
 
-    add_item(add_option)?;
+    add_option.add()?;
 
     Command::new("open")
         .arg(path)
diff --git a/src/packet_sources/macos.rs b/src/packet_sources/macos.rs
index 286fb582..725f1b81 100644
--- a/src/packet_sources/macos.rs
+++ b/src/packet_sources/macos.rs
@@ -200,10 +200,16 @@ impl ConnectionTask {
         match new_flow {
             NewFlow {
                 message: Some(ipc::new_flow::Message::Tcp(tcp_flow)),
-            } => self.handle_tcp(tcp_flow).await,
+            } => self
+                .handle_tcp(tcp_flow)
+                .await
+                .context("failed to handle TCP stream"),
             NewFlow {
                 message: Some(ipc::new_flow::Message::Udp(udp_flow)),
-            } => self.handle_udp(udp_flow).await,
+            } => self
+                .handle_udp(udp_flow)
+                .await
+                .context("failed to handle UDP stream"),
             _ => bail!("Received invalid IPC message: {:?}", new_flow),
         }
     }
@@ -228,7 +234,8 @@ impl ConnectionTask {
             let Some(addr) = &flow.local_address else {
                 bail!("no local address")
             };
-            SocketAddr::try_from(addr)?
+            SocketAddr::try_from(addr)
+                .with_context(|| format!("invalid local_address: {:?}", addr))?
         };
         let mut remote_address = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0);
         let (command_tx, mut command_rx) = unbounded_channel();
@@ -246,7 +253,7 @@ impl ConnectionTask {
                     ).context("invalid IPC message")?;
                     let dst_addr = {
                         let Some(dst_addr) = &packet.remote_address else { bail!("no remote addr") };
-                        SocketAddr::try_from(dst_addr).context("invalid socket address")?
+                        SocketAddr::try_from(dst_addr).with_context(|| format!("invalid remote_address: {:?}", dst_addr))?
                     };
 
                     // We can only send ConnectionEstablished once we know the destination address.