Best way for verifying server compliance to Apple's ATS / TLS 1.2 requirement

隐瞒了意图╮ 2021-01-04 00:43

So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning with iOS 9. Independent of the app, what's the best way to verify that a server meets all the requirements?

4 answers
  • 2021-01-04 01:25

    Basically nscurl --ats-diagnostics <url> just tries all possible variants of connection to server and responses with PASS/FAIL results for each test. You should just find which tests pass for your server and set ATS configuration accordingly.

    Here's a good article on ATS and checking server compliance, it also contains an nscurl example.

  • 2021-01-04 01:29

    Method 1:

    If the URL you want to test is publicly accessible, you can use a public SSL testing service such as the one below:

    SSL Server Test

    After entering the URL, the section titled "Handshake Simulation" lists "Apple ATS 9 / iOS 9" and will indicate if TLS 1.2 was successfully negotiated and which connection cipher suite was used. If the cipher suite used is listed below under the Technical ATS Requirements and TLS 1.2 was successfully negotiated, then the server is properly configured for ATS.

    Method 2: (this was mentioned by others as well)

    On a Mac running OS X El Capitan, run the following command in Terminal:

    /usr/bin/nscurl --ats-diagnostics https://<url>

    After running the command, look for the section near the top labeled, ATS Default Connection. A result of PASS indicates the server is properly configured for ATS.

    Method 3:

    For URLs which are not publicly accessible, use Wireshark to monitor the communication to the URL. You can use a Wireshark filter to display only TLSv1.2 packets with the following:

    ssl.record.version == 0x0303

    You will see packets that use the TLSv1.2 protocol if the server has been configured for TLS version 1.2. If you only see a Client Hello packet when monitoring requests coming into the URL, then TLSv1.2 was not negotiated between the mobile device and the URL.

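Method 3 above relies on the Wireshark filter ssl.record.version == 0x0303 to spot TLS 1.2. The short script below is an added example (not code from the answer author) that does the same check directly on the bytes of a captured ServerHello: it decodes the record header and the server_version field and reports whether the server chose TLS 1.2. The sample record is hand-assembled for the example rather than taken from a real capture, and the cipher suite code 0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) is an assumed value. One caveat worth knowing when reading captures: a TLS 1.3 server also writes 0x0303 into this field and signals 1.3 through the supported_versions extension, so the filter matches 1.3 handshakes as well as 1.2 ones.

```python
import struct

TLS_HANDSHAKE = 0x16   # record content type for handshake messages
SERVER_HELLO = 0x02    # handshake message type
TLS12 = 0x0303         # the version value matched by the Wireshark filter above


def build_server_hello(version: int = TLS12, cipher_suite: int = 0xC02F) -> bytes:
    """Assemble a minimal ServerHello record (constructed sample, not a capture).

    0xC02F is the IANA code for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (assumed for the sample).
    """
    body = struct.pack(">H", version)        # server_version
    body += bytes(32)                        # random (zeroed for the sample)
    body += b"\x00"                          # session_id length = 0
    body += struct.pack(">H", cipher_suite)  # selected cipher suite
    body += b"\x00"                          # compression method = null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", version, len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Return the record version, server_version and cipher suite from a ServerHello record.

    Only the fields needed for the TLS 1.2 check are decoded; extensions are ignored.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack(">HH", record[1:5])
    handshake = record[5:5 + record_len]
    if len(handshake) < 4 or handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    server_version = struct.unpack(">H", body[0:2])[0]
    session_id_len = body[34]                # byte after the 32-byte random
    offset = 35 + session_id_len
    if len(body) < offset + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack(">H", body[offset:offset + 2])[0]
    return {
        "record_version": record_version,
        "server_version": server_version,
        "cipher_suite": cipher_suite,
    }


def negotiated_tls12(record: bytes) -> bool:
    """True when the server chose TLS 1.2 (the condition the Wireshark filter looks for).

    Note: TLS 1.3 servers also write 0x0303 here and announce 1.3 via supported_versions.
    """
    return parse_server_hello(record)["server_version"] == TLS12


if __name__ == "__main__":
    for label, rec in (("TLS 1.2", build_server_hello()), ("TLS 1.0", build_server_hello(version=0x0301))):
        fields = parse_server_hello(rec)
        print(f"{label}: server_version=0x{fields['server_version']:04x} "
              f"cipher_suite=0x{fields['cipher_suite']:04x} tls12={negotiated_tls12(rec)}")
```

To use it on a real capture, export the ServerHello record bytes from Wireshark (Follow TCP Stream, or right-click the record and export the bytes) and pass them to parse_server_hello.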
  • 2021-01-04 01:35

    All the methods listed here work, but require some manual labor. The best method I found was testing the server with SSL Labs and comparing the results to Apple's requirements. This seemed like something that could be automated so I created a tool that does just that: https://apptransport.info

    If you pass your domain in as a parameter (e.g. https://apptransport.info/craigslist.com) you'll get the following information:

    1. Whether or not your server is ATS compliant
    2. How to fix your server if necessary
    3. How to add ATS exceptions if necessary
    4. The results from SSL Labs
  • 2021-01-04 01:35

    Using nscurl (available in macOS El Capitan and higher), you can use the --ats-tls-version switch to test specifically for TLS 1.2 compliance, e.g.:

    nscurl --ats-diagnostics --ats-tls-version TLSv1.2 <url>

    This will also test for Perfect Forward Secrecy. If you want to disable testing for PFS, use the --ats-disable-pfs switch.

    nscurl --ats-diagnostics --ats-tls-version TLSv1.2 --ats-disable-pfs <url>

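The nscurl checks in the answers above only run on a Mac. As an added example (not code from any of the answer authors or from Apple), the following Python script performs the two checks nscurl's --ats-tls-version TLSv1.2 run covers, TLS 1.2 and a forward-secrecy cipher, from any machine with OpenSSL: it pins the handshake to TLS 1.2, offers only the twelve ECDHE suites from Apple's iOS 9 ATS list, and reports what was negotiated. The cipher list is transcribed here in OpenSSL naming and should be confirmed against Apple's current documentation; example.com is a placeholder host.

```python
import socket
import ssl
import sys

# Apple's published ATS cipher list for iOS 9 (twelve ECDHE suites), in the
# OpenSSL names that SSLSocket.cipher() reports. Transcribed for this example;
# confirm against Apple's current documentation before relying on it.
ATS_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
})


def classify(tls_version: str, cipher_name: str) -> list:
    """Return the ATS requirements the negotiated parameters fail; an empty list means PASS."""
    failures = []
    if tls_version != "TLSv1.2":
        failures.append(f"protocol {tls_version} is not TLS 1.2")
    if cipher_name not in ATS_CIPHERS:
        failures.append(f"cipher {cipher_name} is not an ATS forward-secrecy suite")
    return failures


def probe(host: str, port: int = 443) -> tuple:
    """Negotiate TLS 1.2 offering only the ATS suites; return (version, cipher name).

    The default context also validates the certificate chain and hostname, which
    ATS requires as well; a failure there raises ssl.SSLError like a cipher mismatch.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # pin 1.2 so a TLS 1.3 server cannot mask a weak 1.2 config
    ctx.set_ciphers(":".join(sorted(ATS_CIPHERS)))  # handshake fails if the server supports none of them
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            return tls.version(), name


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    try:
        version, cipher = probe(host)
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}: FAIL (handshake with ATS-only settings did not complete: {exc})")
        sys.exit(1)
    failures = classify(version, cipher)
    print(f"{host}: {version} {cipher} -> {'PASS' if not failures else 'FAIL'}")
    for reason in failures:
        print("  -", reason)
```

Run it as python3 ats_probe.py your.host.example; a PASS here corresponds to the ATS Default Connection PASS that nscurl reports, while a handshake failure means the server offers none of the ECDHE suites over TLS 1.2 and will need its cipher configuration changed (or an ATS exception in the app).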