App Transport Security Tip

This thread has been locked by a moderator.

If you're dealing with App Transport Security (ATS), here's one small snippet from the OS X El Capitan Developer Beta 6 Release Notes that you might have missed (I know I did)...


tool on OS X El Capitan supports diagnosing ATS secure connections. For example,
/usr/bin/nscurl --ats-diagnostics
will display ATS connection information for
. Run
/usr/bin/nscurl -h
for more information.


tool is useful in general, but this option is particularly valuable when debugging ATS issues.

In addition, if you’re trying to work out exactly what TLS parameters your server supports, one good option is to connect to it using TLSTool. For example:

$ TLSTool s_client -connect
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.2
* cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384
* trust result: unspecified
* certificate info:
*   0 rsaEncryption 2048 sha256-with-rsa-signature ''
*   1 rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 EV SSL CA - G3'
*   2 rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'

As you can see, DevForums meets all the ATS requirements, including:

  • a TLS version of 1.2 (line 5)

  • a cypher suite of

    (line 6)
  • a 2048 bit RSA key in its server certificate (line 9)

  • that certificate protected by a SHA2-256 signature (line 9)

Some hints and tips for using

  • If you’re targeting iOS 9, run

    on a Mac running OS X 10.11.x on the same network as your iOS device.
  • Alternatively, as

    is sample code, simply integrate its source code into a test function within your iOS app.
  • If

    fails to connect, try running it with the
  • If you want to know what certificates are in play, run

    with the

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""
Up vote post of eskimo