Best way for verifying server compliance to Apple's ATS / TLS 1.2 requirement

Submitted by 谁都会走 on 2019-11-30 17:29:37

Basically nscurl --ats-diagnostics <url> just tries all possible variants of connection to the server and responds with PASS/FAIL results for each test. You should just find which tests pass for your server and set the ATS configuration accordingly.

Here's a good article on ATS and checking server compliance; it also contains an nscurl example.

All the methods listed here work, but require some manual labor. The best method I found was testing the server with SSL Labs and comparing the results to Apple's requirements. This seemed like something that could be automated so I created a tool that does just that: https://apptransport.info

If you pass your domain in as a parameter (e.g. https://apptransport.info/craigslist.com) you'll get the following information:

  1. Whether or not your server is ATS compliant
  2. How to fix your server if necessary
  3. How to add ATS exceptions if necessary
  4. The results from SSL Labs

Using nscurl (available in macOS El Capitan and higher), you can use the --ats-tls-version switch to test specifically for TLS 1.2 compliance, e.g.:

nscurl --ats-diagnostics --ats-tls-version TLSv1.2 <url>

This will also test for Perfect Forward Secrecy. If you want to disable testing for PFS, use the --ats-disable-pfs switch.

nscurl --ats-diagnostics --ats-tls-version TLSv1.2 --ats-disable-pfs <url>
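The two properties the nscurl switches above exercise, TLS 1.2 negotiation and Perfect Forward Secrecy, can also be checked from a script. The following is an added example written for this page in Python's standard ssl module; it is not nscurl's or Apple's code, the function names (evaluate_handshake, probe, check_ats) are my own, and it covers only those two properties, not the rest of the ATS requirement list (certificate signature algorithm and key size are not examined). The PFS test treats an ECDHE key exchange as forward secret, which is what ATS requires.

```python
"""Probe a server's TLS handshake and judge it against the two ATS
properties discussed in this thread: TLS 1.2 negotiated and forward
secrecy (ECDHE key exchange). Added example, not nscurl's own logic."""
import socket
import ssl


def evaluate_handshake(version, cipher_name):
    """Return (compliant, reasons) for a negotiated protocol/cipher pair.

    version:     value returned by SSLSocket.version(), e.g. 'TLSv1.2'
    cipher_name: OpenSSL cipher name returned by SSLSocket.cipher()[0]
    """
    reasons = []
    # ATS needs TLS 1.2 at minimum; TLS 1.3 satisfies that as well.
    if version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"protocol {version} is below TLS 1.2")
    # Forward secrecy: OpenSSL names ECDHE suites with an 'ECDHE-' prefix.
    # Every TLS 1.3 suite uses an (EC)DHE exchange, so no prefix check there.
    if version != "TLSv1.3" and not cipher_name.startswith("ECDHE-"):
        reasons.append(
            f"cipher {cipher_name} does not provide forward secrecy (no ECDHE)"
        )
    return (not reasons, reasons)


def probe(host, port=443, timeout=5.0):
    """Connect with a TLS 1.2 floor, like the --ats-tls-version TLSv1.2 test,
    and return (version, cipher_name). Needs network access to the host."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher_name, _protocol, _bits = tls.cipher()
    return version, cipher_name


def check_ats(host, port=443):
    """PASS/FAIL style result: (compliant, reasons) for a live host."""
    try:
        version, cipher_name = probe(host, port)
    except (ssl.SSLError, OSError) as exc:
        # A server that cannot complete a TLS 1.2 handshake fails outright.
        return False, [f"handshake with TLS 1.2 minimum failed: {exc}"]
    return evaluate_handshake(version, cipher_name)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ok, why = check_ats(target)
    print("PASS" if ok else "FAIL", target)
    for reason in why:
        print("  -", reason)
```

Run it as `python ats_check.py your.host.example`; a FAIL lists each unmet property separately, which mirrors how nscurl reports individual tests rather than a single verdict.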

Method 1:

If the URL you want to test is publicly accessible, you can use a public SSL testing service such as the one below:

SSL Server Test

After entering the URL, the section titled "Handshake Simulation" lists "Apple ATS 9 / iOS 9" and will indicate if TLS 1.2 was successfully negotiated and which connection cipher suite was used. If the cipher suite used is listed below under the Technical ATS Requirements and TLS 1.2 was successfully negotiated, then the server is properly configured for ATS.

Method 2: (this was mentioned by others as well)

On a Mac running OS X El Capitan, run the following command in Terminal:

/usr/bin/nscurl --ats-diagnostics https://<url>

After running the command, look for the section near the top labeled "ATS Default Connection". A result of PASS indicates the server is properly configured for ATS.

Method 3:

For URLs which are not publicly accessible, use Wireshark to monitor the communication to the URL. You can use a Wireshark filter to display only TLSv1.2 packets with the following:

ssl.record.version == 0x0303

You will see packets that use the TLSv1.2 protocol if the server has been configured for TLS version 1.2. If you only see a Client Hello packet when monitoring requests coming into the URL, then TLSv1.2 was not negotiated between the mobile device and the URL.
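The Wireshark filter in Method 3 matches on the five-byte TLS record header, whose third and fourth bytes carry the record-layer version. The following added example (my own code, not from the answer above or from Wireshark) parses a byte capture into TLS records and applies the same 0x0303 test, so the filter's behaviour can be reasoned about offline. The capture bytes are constructed, not from a real trace, and the function names (parse_records, tls12_records, describe) are hypothetical. It also shows two things the filter alone does not make obvious: a TLS 1.2 client commonly sends its ClientHello record with the legacy version 0x0301, so that packet will not match, and TLS 1.3 keeps 0x0303 as its record-layer version, so a match does not by itself distinguish 1.2 from 1.3.

```python
"""Walk a byte capture as a sequence of TLS records and report each record's
record-layer version, the field the Wireshark filter
`ssl.record.version == 0x0303` tests. Added example with constructed bytes."""
import struct

# Record-layer version codes as they appear on the wire.
TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",  # also the legacy record version used by TLS 1.3
}
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_records(data):
    """Split `data` into TLS records: a list of (content_type, version, length).

    A truncated trailing record (capture ended mid-record) is dropped rather
    than raising, which is how a live capture usually ends.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        if offset + 5 + length > len(data):
            break
        records.append((ctype, version, length))
        offset += 5 + length
    return records


def tls12_records(data):
    """Records the Wireshark filter would display: version field == 0x0303."""
    return [rec for rec in parse_records(data) if rec[1] == 0x0303]


def describe(records):
    """Human-readable summary lines for a list of parsed records."""
    return [
        f"{CONTENT_TYPES.get(ctype, ctype)} {TLS_VERSIONS.get(ver, hex(ver))} ({n} bytes)"
        for ctype, ver, n in records
    ]


def _record(ctype, version, payload):
    """Build one TLS record: 5-byte header followed by the payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


# Constructed sample: ClientHello sent with legacy record version 0x0301,
# then a ServerHello and an application-data record at 0x0303 once TLS 1.2
# has been negotiated. Payloads are dummy bytes, not real handshake bodies.
SAMPLE_CAPTURE = (
    _record(22, 0x0301, b"\x01" + b"\x00" * 15)   # handshake type 1: ClientHello
    + _record(22, 0x0303, b"\x02" + b"\x00" * 15)  # handshake type 2: ServerHello
    + _record(23, 0x0303, b"\xaa" * 8)             # application data
)

if __name__ == "__main__":
    for line in describe(parse_records(SAMPLE_CAPTURE)):
        print(line)
    matched = tls12_records(SAMPLE_CAPTURE)
    print(f"{len(matched)} record(s) match ssl.record.version == 0x0303")
```

Against the constructed capture, two of the three records match the filter; the ClientHello does not, which is consistent with the answer's observation that seeing only a Client Hello means TLS 1.2 was not negotiated, but it also means the absence of a match on the first packet alone is not evidence either way.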
