So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning iOS 9. Independent of the app, what's the best way to verify that a server meets all the requirements?
nscurl just outright doesn't work - or I don't know how to use it. My output simply repeatedly says CFNetwork SSLHandshake failed, even though I know the server is compliant.
TLSTool works to some extent but I cannot force the Forward Secrecy (FS) ciphers to be used.
openssl can specify specific cipher for the client mode, but the version I have doesn't have FS ciphers. How do I upgrade openssl?
What's the best way? So far I've had to ssllabs.com's analyze.html. Any suggestions?
Basically nscurl --ats-diagnostics <url>
just tries all possible variants of connection to server and responses with PASS/FAIL results for each test. You should just find which tests pass for your server and set ATS configuration accordingly.
Here's a good article on ATS and checking server compliance, it also contains an nscurl example.