Testing App Transport Security

How can I easily validate that a domain will work with App Transport Security (assuming I don't add any exceptions)?


I know I could build an app that loads it, but I need a way that our network team can test their SSL changes without my involvement.


I've looked at our domains under ssllabs.com's analyzer, but it's not necessarily clear what issues will prevent ATS from working.

You can use the nscurl tool on your development Mac to test any URL against a range of ATS requirements.


Take a look at the Cocoa Keys documentation for more details.

Accepted Answer

ATS imposes a specific set of enhanced security requirements that are described in its docs (the NSAppTransportSecurity section of the Information Property List Key Reference). It’s easy enough to build a tool that checks whether a TLS connection meets these requirements. The sticking point is this:

… I need a way that our network team can test their SSL changes without my involvement.

On what platform is your network team going to run this tool? Deciding that is key to striking a good balance between a faithful test and good automation:

  • Ideally you’d want this to run on iOS because that will give you the most accurate results. The problem, of course, is that iOS isn’t a great platform for doing automated testing.

  • The next best thing would be to run this check in the iOS simulator. In my experience the simulator’s TLS and ATS implementations are very close to those found on a real device.

    Again, the problem is automation. While the simulator is a better automation platform than iOS itself, it’s still not ideal. Oh, and it requires that your network team have a Mac to run this on, maintain Xcode on that Mac, and so on.

  • The next best choice would be macOS itself. This is great for automation, but there are TLS problems that show up on the Mac but don’t show up on iOS.

    On the Mac you can use nscurl, as dubs mentioned, or build something based on the TLSTool sample code.
  • Finally, running this test on a non-Apple platform is possible but it’s going to be hard to get accurate results. While checking for ATS’s specific requirements is pretty straightforward, there’s a world of other TLS issues that can rear their ugly head here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks guys -- I didn't know about nscurl --ats-diagnostics. Using that, I can probably set up a little web site for our team to validate domains. It won't be iOS, but hopefully the MacOS version is close enough.


In case anyone else is interested, you can parse the output of "nscurl --ats-diagnostics --verbose" with something like:

/\n---\n(.+?)\nATS Dictionary:\n(.+?)\nResult : (PASS|FAIL)\n(?:Error : )?(.*?)---\n/s
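As an added example (not code from the original thread), here is a small Python script that applies the regular expression above to the output of "nscurl --ats-diagnostics --verbose" and turns it into a pass/fail summary a web tool or CI job could consume. The sample output embedded in the script is constructed to match the layout the poster's regex expects; the test names ("ATS Default Connection", "TLSv1.2", "TLSv1.1") and the exact dictionary text are assumptions, not captured nscurl output.

```python
import re
import sys

# Constructed, abridged sample of "nscurl --ats-diagnostics --verbose" output.
# Not captured from a real host; it only follows the layout the poster's regex expects.
SAMPLE_OUTPUT = """Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://example.invalid.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for example.invalid

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "example.invalid" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "example.invalid" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
---
"""

# The regex from the post, verbatim, compiled with DOTALL so ".+?" spans lines.
TEST_BLOCK = re.compile(
    r"\n---\n(.+?)\nATS Dictionary:\n(.+?)\nResult : (PASS|FAIL)\n(?:Error : )?(.*?)---\n",
    re.S,
)

# Pulls the numeric NSURLErrorDomain code (e.g. -1200) out of an error line, if present.
ERROR_CODE = re.compile(r"Code=(-?\d+)")


def parse_ats_diagnostics(text):
    """Return one dict per test block: name, ATS dictionary, pass flag, error text and code."""
    results = []
    for match in TEST_BLOCK.finditer(text):
        name, dictionary, result, error = match.groups()
        error = error.strip() or None
        code_match = ERROR_CODE.search(error) if error else None
        results.append({
            "name": name.strip(),
            "dictionary": dictionary.strip(),
            "passed": result == "PASS",
            "error": error,
            "error_code": int(code_match.group(1)) if code_match else None,
        })
    return results


def default_connection_passes(results):
    """True only if the unmodified ATS policy (no exceptions) loaded the URL successfully."""
    return any(r["name"] == "ATS Default Connection" and r["passed"] for r in results)


def failing_tests(results):
    """Names of the exception configurations that still failed against the host."""
    return [r["name"] for r in results if not r["passed"]]


if __name__ == "__main__":
    # Usage: nscurl --ats-diagnostics --verbose https://host | python3 ats_parse.py
    # Falls back to the constructed sample when nothing is piped in.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    parsed = parse_ats_diagnostics(text)
    if not parsed:
        sys.exit("no test blocks found: nscurl output format may have changed")
    print("default ATS policy:", "PASS" if default_connection_passes(parsed) else "FAIL")
    for r in parsed:
        status = "PASS" if r["passed"] else "FAIL (code %s)" % r["error_code"]
        print("%-40s %s" % (r["name"], status))
```

The important output is the "ATS Default Connection" line: that is the test with an empty ATS dictionary, so it answers the original question of whether the host works with no exceptions at all. The script also exits non-zero when the regex matches nothing, so a change in nscurl's output format shows up as an error rather than as a silently empty report.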

If you haven't already thrown together a web tool for this, you can try out https://apptransport.info to help diagnose the issue. I don't have a spot for feedback at the moment so feel free to reply with any. Just send the domain for your endpoint as a parameter and it will tell you how to make it ATS compliant, like this: https://apptransport.info/www.craigslist.com

Nice! Yours is a lot better-looking than mine.

We have a related question to the testing.



All our nscurl tests come back OK.


HOWEVER

Although a particular domain has a strong and valid SSL cert, if we call that endpoint using HTTP, then we get the following error message showing in xcode:

======================

NSErrorFailingURLStringKey=http://xyz.ourdomain.com/ASWSHeadend/ws/features, NSErrorFailingURLKey=http://xyz.ourdomain.com/ASWSHeadend/ws/features, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}, CLASS: DTVDataRequestManagerASWS_HandlerReceiverFeatures

2017-06-14 10:13:24.470914-0700 DVRScheduler[1935:1123695] DTVDataRequestHandler.m -[DTVDataRequestHandler checkForHTTPError:] [Line 139] RETRY: 3, ERROR: Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x17085f200

=======================

for the domain "ourdomain.com" we have a correctly installed/configured SSL cert YET we get this ATS error message.


We were convinced that:
IF ATS is turned on and you make an HTTP call to an endpoint that is NOT in the ATS-Exception list, then iOS would force that call to go into HTTPS and if you have SSL available for that endpoint then all is good.


Apparently it is not the case, or maybe there is a way to force that behavior by adding some "attributes/directives" in the ATS-Exception list?


Can you please help.


Thank you.

We were convinced that: If ATS is turned on and you make an HTTP call to an endpoint that is NOT in the ATS exception list, then iOS would force that call to go into HTTPS …

No, that’s not correct. Some early iOS 9 betas did this but it broke a lot of folks so we changed the policy to what it is today: if you make an HTTP request that’s not covered by some ATS exception, the request will fail. That policy has been in place for all shipping versions of ATS.

[Is there] a way to force that behavior by adding some "attributes/directives" in the ATS exception list?

No. The best solution here is to change your code to issue an HTTPS request.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"