Latest reply: Oct 29, 2015 2:51 AM by eskimo
eskimo, Apple Staff (7,835 points)

        If you're dealing with App Transport Security (ATS), here's one small snippet from the OS X El Capitan Developer Beta 6 Release Notes that you might have missed (I know I did)...

        The nscurl tool on OS X El Capitan supports diagnosing ATS secure connections. For example, /usr/bin/nscurl --ats-diagnostics https://www.example.com will display ATS connection information for www.example.com. Run /usr/bin/nscurl -h for more information.

        The nscurl tool is useful in general, but this option is particularly valuable when debugging ATS issues.


        In addition, if you’re trying to work out exactly what TLS parameters your server supports, one good option is to connect to it using TLSTool.  For example:

        $ TLSTool s_client -connect forums.developer.apple.com:443
        *  input stream did open
        * output stream did open
        * output stream has space
        * protocol: TLS 1.2
        * cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384
        * trust result: unspecified
        * certificate info:
        *   0 rsaEncryption 2048 sha256-with-rsa-signature 'forums.developer.apple.com'
        *   1 rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 EV SSL CA - G3'
        *   2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
        ^C

        As you can see, DevForums meets all the ATS requirements, including:

        • a TLS version of 1.2 (line 5)

        • a cipher suite of ECDHE_RSA_WITH_AES_256_GCM_SHA384 (line 6)

        • a 2048 bit RSA key in its server certificate (line 9)

        • that certificate protected by a SHA2-256 signature (line 9)

        Some hints and tips for using TLSTool:

        • If you’re targeting iOS 9, run TLSTool on a Mac running OS X 10.11.x on the same network as your iOS device.

        • Alternatively, as TLSTool is sample code, simply integrate its source code into a test function within your iOS app.

        • If TLSTool fails to connect, try running it with the -noverify option.

        • If you want to know what certificates are in play, run TLSTool with the -showcerts option.

        Share and Enjoy

        Quinn "The Eskimo!"
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"
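As an added example (not part of the post above, and not code from TLSTool or Apple), here is a small Python checker that parses the TLSTool s_client transcript quoted in the post and reports which of the four ATS requirements it lists are met. The cipher-suite pattern approximates ATS's forward-secrecy list (ECDHE with AES), the "ecPublicKey" label for EC keys is an assumption about TLSTool's output, and the second transcript is constructed for a non-existent host.

```python
import re

# Transcript quoted in the post (TLSTool s_client -connect forums.developer.apple.com:443).
FORUMS_OUTPUT = """\
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*   0 rsaEncryption 2048 sha256-with-rsa-signature 'forums.developer.apple.com'
*   1 rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 EV SSL CA - G3'
*   2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
"""

# Constructed transcript of a server that would fail every ATS check (not a real host).
WEAK_OUTPUT = """\
* protocol: TLS 1.0
* cipher: RSA_WITH_AES_128_CBC_SHA
* trust result: unspecified
* certificate info:
*   0 rsaEncryption 1024 sha1-with-rsa-signature 'legacy.example.test'
*   1 rsaEncryption 2048 sha1-with-rsa-signature 'Example Legacy CA'
"""

CERT_RE = re.compile(r"^\*\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+'(.*)'$")
# ATS requires forward-secret suites; ECDHE key exchange with AES approximates its allowed list.
ATS_CIPHER_RE = re.compile(r"^(TLS_)?ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_SHA(256|384)?$")
MIN_KEY_BITS = {"rsaEncryption": 2048, "ecPublicKey": 256}  # EC label is an assumption

def parse_tlstool(text):
    """Pull protocol, cipher and the certificate chain out of TLSTool's '* ' status lines."""
    info = {"protocol": None, "cipher": None, "certs": []}
    for line in text.splitlines():
        if line.startswith("* protocol:"):
            info["protocol"] = line.split(":", 1)[1].strip()
        elif line.startswith("* cipher:"):
            info["cipher"] = line.split(":", 1)[1].strip()
        else:
            m = CERT_RE.match(line)
            if m:
                info["certs"].append({"key_type": m.group(2), "key_bits": int(m.group(3)),
                                      "sig": m.group(4), "name": m.group(5)})
    return info

def ats_checks(text):
    """Return {requirement: bool} for the four ATS rules listed in the post."""
    info = parse_tlstool(text)
    leaf = info["certs"][0]
    # The last entry is the trust anchor; its self-signature hash is not evaluated, so skip it.
    chain = info["certs"][:-1] if len(info["certs"]) > 1 else info["certs"]
    version = float(info["protocol"].split()[1]) if info["protocol"] else 0.0
    return {
        "tls_1_2": version >= 1.2,
        "fs_cipher": bool(info["cipher"] and ATS_CIPHER_RE.match(info["cipher"])),
        "key_size": leaf["key_bits"] >= MIN_KEY_BITS.get(leaf["key_type"], 1 << 30),
        "sha2_signature": all(re.search(r"sha(256|384|512)", c["sig"], re.I) for c in chain),
    }
```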