So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning iOS 9. Independent of the app, what\'s the best way to verify that a server meets all the requirements?
Basically nscurl --ats-diagnostics <url>
just tries all possible variants of connection to server and responses with PASS/FAIL results for each test. You should just find which tests pass for your server and set ATS configuration accordingly.
Here's a good article on ATS and checking server compliance, it also contains an nscurl example.
Method 1:
If the URL you want to test is publicly accessible, you can use a public SSL testing service such as the one below:
SSL Server Test
After entering the URL, the section titled "Handshake Simulation" lists "Apple ATS 9 / iOS 9" and will indicate if TLS 1.2 was successfully negotiated and which connection cipher suite was used. If the cipher suite used is listed below under the Technical ATS Requirements and TLS 1.2 was successfully negotiated, then the server is properly configured for ATS.
Method 2: (this was mentioned by others as well)
On a Mac running OS X El Capitan, run the following command in Terminal:
/usr/bin/nscurl --ats-diagnostics https://<url>
After running the command, look for the section near the top labeled, ATS Default Connection
. A result of PASS
indicates the server is properly configured for ATS.
Method 3:
For URLs which are not publicly accessible, use Wireshark to monitor the communication to the URL. You can use a Wireshark filter to display only TLSv1.2 packets with the following:
ssl.record.version == 0x0303
You will see packets that use the TLSv1.2 protocol if the server has been configured for TLS version 1.2. If you only see a Client Hello packet when monitoring requests coming into the URL, then TLSv1.2 was not negotiated between the mobile device and the URL.
All the methods listed here work, but require some manual labor. The best method I found was testing the server with SSL Labs and comparing the results to Apple's requirements. This seemed like something that could be automated so I created a tool that does just that: https://apptransport.info
If you pass your domain in as a parameter (e.g. https://apptransport.info/craigslist.com) you'll get the following information:
Using nscurl
(available in macOS El Capitan and higher), you can use the --ats-tls-version
switch to test specifically for TLS 1.2 compliance, e.g.:
nscurl --ats-diagnostics --ats-tls-version TLSv1.2 <url>
This will also test for Perfect Forward Secrecy. If you want to disable testing for PFS, use the --ats-disable-pfs
switch.
nscurl --ats-diagnostics --ats-tls-version TLSv1.2 --ats-disable-pfs <url>