Best way for verifying server compliance to Apple's ATS / TLS 1.2 requirement

Hampden123 picture Hampden123 · Dec 23, 2015 · Viewed 13.1k times · Source

So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning iOS 9. Independent of the app, what's the best way to verify that a server meets all the requirements?

nscurl just outright doesn't work - or I don't know how to use it. My output simply repeatedly says CFNetwork SSLHandshake failed, even though I know the server is compliant.

TLSTool works to some extent but I cannot force the Forward Secrecy (FS) ciphers to be used.

openssl can specify specific cipher for the client mode, but the version I have doesn't have FS ciphers. How do I upgrade openssl?

What's the best way? So far I've had to ssllabs.com's analyze.html. Any suggestions?

Answer

Alex Skalozub picture Alex Skalozub · Dec 24, 2015

Basically nscurl --ats-diagnostics <url> just tries all possible variants of connection to server and responses with PASS/FAIL results for each test. You should just find which tests pass for your server and set ATS configuration accordingly.

Here's a good article on ATS and checking server compliance, it also contains an nscurl example.