Best way for verifying server compliance to Apple's ATS / TLS 1.2 requirement

Question

So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning iOS 9. Independent of the app, what\'s the best way to verify that a server meets all the requirements?

Answer 1

Method 1:

If the URL you want to test is publicly accessible, you can use a public SSL testing service such as the one below:

SSL Server Test

After entering the URL, the section titled "Handshake Simulation" lists "Apple ATS 9 / iOS 9" and will indicate if TLS 1.2 was successfully negotiated and which connection cipher suite was used. If the cipher suite used is listed below under the Technical ATS Requirements and TLS 1.2 was successfully negotiated, then the server is properly configured for ATS.

Method 2: (this was mentioned by others as well)

On a Mac running OS X El Capitan, run the following command in Terminal:

/usr/bin/nscurl --ats-diagnostics https://

After running the command, look for the section near the top labeled, ATS Default Connection. A result of PASS indicates the server is properly configured for ATS.

Method 3:

For URLs which are not publicly accessible, use Wireshark to monitor the communication to the URL. You can use a Wireshark filter to display only TLSv1.2 packets with the following:

ssl.record.version == 0x0303

You will see packets that use the TLSv1.2 protocol if the server has been configured for TLS version 1.2. If you only see a Client Hello packet when monitoring requests coming into the URL, then TLSv1.2 was not negotiated between the mobile device and the URL.