If you're dealing with App Transport Security (ATS), here's one small snippet from the OS X El Capitan Developer Beta 6 Release Notes that you might have missed (I know I did)...
The
nscurl
tool on OS X El Capitan supports diagnosing ATS secure connections. For example,/usr/bin/nscurl --ats-diagnostics https://www.example.com
will display ATS connection information forwww.example.com
. Run/usr/bin/nscurl -h
for more information.
The nscurl
tool is useful in general, but this option is particularly valuable when debugging ATS issues.
In addition, if you’re trying to work out exactly what TLS parameters your server supports, one good option is to connect to it using TLSTool. For example:
$ TLSTool s_client -connect forums.developer.apple.com:443 * input stream did open * output stream did open * output stream has space * protocol: TLS 1.2 * cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 * trust result: unspecified * certificate info: * 0 rsaEncryption 2048 sha256-with-rsa-signature 'forums.developer.apple.com' * 1 rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 EV SSL CA - G3' * 2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5' ^C
As you can see, DevForums meets all the ATS requirements, including:
a TLS version of 1.2 (line 5)
a cypher suite of
ECDHE_RSA_WITH_AES_256_GCM_SHA384
(line 6)a 2048 bit RSA key in its server certificate (line 9)
that certificate protected by a SHA2-256 signature (line 9)
Some hints and tips for using TLSTool
:
If you’re targeting iOS 9, run
TLSTool
on a Mac running OS X 10.11.x on the same network as your iOS device.Alternatively, as
TLSTool
is sample code, simply integrate its source code into a test function within your iOS app.If
TLSTool
fails to connect, try running it with the-noverify
option.If you want to know what certificates are in play, run
TLSTool
with the-showcerts
option.
Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware let myEmail = "eskimo" + "1" + "@apple.com"