Episode #188

App Transport Security

17 minutes
Published on September 24, 2015

This video is only available to subscribers. Get access to this video and 586 others.

In this episode we take a look at App Transport Security, which contains new secure-by-default behavior for NSURLSession, NSURLConnection, or any other CFNetwork-based API. We'll see how to diagnose ATS errors, what the recommended settings are, and how to relax the requirements if needed to allow our network connections to be made.

Episode Links

Useful resources:

  • Qualsys SSL Test - Test your SSL certificates
  • Strong SSL Security on Nginx - a good read if you're using Nginx and want to get a good grade on the SSL test above
  • Cipherli.st - copy-pastable configuration for secure SSL settings on popular web servers. I'd recommend knowing what these settings are doing before blindly applying them to your servers, but a great reference nonetheless.

Further Reading:

Diagnostic utilities

Use curl with the -v flag wi to show verbose output, which will show the protocol and cipher being used:

$ curl -v -I https://www.imdb.com/
Trying 72.21.203.211...
Connected to www.imdb.com (72.21.203.211) port 443 (#0)
TLS 1.0 connection using TLS_RSA_WITH_RC4_128_MD5
Server certificate: www.imdb.com
Server certificate: Symantec Class 3 Secure Server CA - G4
Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5

On OS X El Capitan, you can use nscurl, which provides a useful --ats-diagnostics flag. This will try various ATS exceptions and report which ones work and which ones fail:

$ nscurl --ats-diagnostics https://www.imdb.com/

Add verbose network logging to your application's scheme's environment variables:
CFNETWORK_DIAGNOSTICS: 3

This will print out a path to a file in the console. In this log file, you'll find plenty of detail about each request that is made and if it resulted in error.