In this episode we take a look at App Transport Security, which contains new secure-by-default behavior for NSURLSession, NSURLConnection, or any other CFNetwork-based API. We'll see how to diagnose ATS errors, what the recommended settings are, and how to relax the requirements if needed to allow our network connections to be made.
Episode Links

Source Code
App Transport Security Tech Note
CFNetwork Error Codes Reference
SecureTransport.h error codes

Useful resources:

Qualys SSL Test - Test your SSL certificates
Strong SSL Security on Nginx - a good read if you're using Nginx and want to get a good grade on the SSL test above
Cipherli.st - copy-pastable configuration for secure SSL settings on popular web servers. I'd recommend knowing what these settings are doing before blindly applying them to your servers, but a great reference nonetheless.

Further Reading:

Shipping an App with App Transport Security - Tim Ekl
Working with Apple's Application Transport Security - Nick Arnott

Diagnostic utilities

Use curl with the -v flag to show verbose output, which will show the protocol and cipher being used:

$ curl -v -I https://www.imdb.com/
Trying 72.21.203.211...
Connected to www.imdb.com (72.21.203.211) port 443 (#0)
TLS 1.0 connection using TLS_RSA_WITH_RC4_128_MD5
Server certificate: www.imdb.com
Server certificate: Symantec Class 3 Secure Server CA - G4
Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5

On OS X El Capitan, you can use nscurl, which provides a useful --ats-diagnostics flag. This will try various ATS exceptions and report which ones work and which ones fail:

$ nscurl --ats-diagnostics https://www.imdb.com/

Add verbose network logging to your application's scheme's environment variables:

CFNETWORK_DIAGNOSTICS: 3

This will print out a path to a file in the console. In this log file, you'll find plenty of detail about each request that is made and whether it resulted in an error.
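As an added example (not from the episode or its source code), the small checker below reads the "TLS x.y connection using ..." line from a SecureTransport-based curl -v session like the one above and reports which of ATS's default requirements that handshake would fail. The requirements it encodes (TLS 1.2, ECDHE forward secrecy with RSA or ECDSA authentication, AES-128/256 in GCM or CBC mode, no MD5) follow Apple's ATS tech note; it assumes IANA-style suite names as printed on OS X, does not parse the OpenSSL-style names other curl builds print, and cannot judge the certificate requirements, since curl -v does not show key size or signature algorithm.

```python
import re
from typing import List, NamedTuple, Optional

# Handshake line printed by the SecureTransport-based curl on OS X, e.g.
# "TLS 1.0 connection using TLS_RSA_WITH_RC4_128_MD5"
HANDSHAKE_RE = re.compile(r"TLS (\d\.\d) connection using (TLS_[A-Z0-9_]+)")
# Splits an IANA suite name into key exchange, authentication, bulk cipher and MAC.
SUITE_RE = re.compile(
    r"^TLS_(ECDHE|ECDH|DHE|DH|RSA|PSK)_(?:(ECDSA|RSA|DSS|PSK)_)?"
    r"WITH_(.+)_(SHA384|SHA256|SHA|MD5)$")
# Bulk ciphers on ATS's default list: AES-128/256 in GCM or CBC mode.
ATS_BULK_RE = re.compile(r"^AES_(128|256)_(GCM|CBC)$")


class Verdict(NamedTuple):
    ok: bool
    protocol: str
    suite: str
    problems: List[str]


def check_ats(curl_output: str) -> Verdict:
    """Judge a curl -v handshake against ATS's default requirements."""
    m = HANDSHAKE_RE.search(curl_output)
    if not m:
        return Verdict(False, "", "", ["no 'TLS x.y connection using ...' line found"])
    version, suite = m.groups()
    problems: List[str] = []
    if tuple(int(p) for p in version.split(".")) < (1, 2):
        problems.append(f"TLS {version} negotiated; ATS requires TLS 1.2")
    parts = SUITE_RE.match(suite)
    if not parts:
        problems.append(f"unrecognised cipher suite name: {suite}")
    else:
        kx, auth, bulk, mac = parts.groups()
        auth = auth or kx  # static RSA/PSK key exchange implies the same auth
        if kx != "ECDHE":
            problems.append(f"{kx} key exchange gives no forward secrecy; ATS requires ECDHE")
        if auth not in ("RSA", "ECDSA"):
            problems.append(f"{auth} authentication not allowed; ATS requires RSA or ECDSA")
        if not ATS_BULK_RE.match(bulk):
            problems.append(f"bulk cipher {bulk} not allowed; ATS requires AES-128/256 GCM or CBC")
        if mac == "MD5":
            problems.append("MD5 MAC not allowed")
    return Verdict(not problems, f"TLS {version}", suite, problems)


# Constructed sample: the handshake lines from the curl session above.
IMDB_CURL_OUTPUT = """\
Connected to www.imdb.com (72.21.203.211) port 443 (#0)
TLS 1.0 connection using TLS_RSA_WITH_RC4_128_MD5
Server certificate: www.imdb.com
"""

if __name__ == "__main__":
    v = check_ats(IMDB_CURL_OUTPUT)
    print("ATS compliant" if v.ok else "ATS would reject:\n  " + "\n  ".join(v.problems))
```

Paste the verbose output of a real curl session into check_ats to get the same per-requirement breakdown before reaching for an NSExceptionDomains entry.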