There appears to be a bug (rdar://50887327) in macOS and iOS that prevents hardening the App Transport Security (ATS) configuration to restrict connections to TLS 1.3. This script can be used to test the behavior with specific configurations.
This issue is resolved with macOS 11 (Big Sur). Validated with macOS 11.0.1 (20B50).
For
- macOS < 10.15
- iOS < 13.0
To secure your connections with the latest security standards, increase the maximum supported TLS version manually:
```swift
import Foundation

let configuration = URLSessionConfiguration.ephemeral
// Without this line the default maximum stays at TLS 1.2 on these systems.
configuration.tlsMaximumSupportedProtocol = .tlsProtocolMaxSupported // <- IMPORTANT
let session = URLSession(configuration: configuration)
```
When creating a new macOS or iOS application without specifying any ATS settings, TLS 1.3 connections will not be established unless the maximum supported TLS version is increased as shown above. Even then, TLS 1.3 cannot be enforced: setting a TLS 1.3 minimum causes every connection to fail.
With macOS 10.15 Beta and iOS 13.0 Beta, the default ATS setting is still TLSv1.2. However, the maximum supported TLS version was increased to TLSv1.3, hence the advised work-around is no longer required and the enum is marked as deprecated.
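The configuration step described above, worked through as an added example that is not the repository's check_tls13.swift (whose `check` helper appears in the snippets below): it selects the TLS range API available on the running OS, raises the ceiling on pre-10.15 systems as advised, optionally requires TLS 1.3, and on macOS 10.15 / iOS 13 and later reads the negotiated version from `URLSessionTaskMetrics`. The host URL, the `TLSProbe` class and the `makeSession` helper are assumptions of this example.

```swift
import Foundation

// Added example (not the repository's check_tls13.swift). It sets the allowed TLS
// range with the API available on the running OS and, on macOS 10.15 / iOS 13
// and later, reports the TLS version the connection actually negotiated.

/// Hypothetical delegate that prints the negotiated TLS version and signals completion.
final class TLSProbe: NSObject, URLSessionTaskDelegate {
    let finished = DispatchSemaphore(value: 0)

    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didFinishCollecting metrics: URLSessionTaskMetrics) {
        // The last transaction is the one that reached the origin after any redirects.
        guard let transaction = metrics.transactionMetrics.last else { return }
        if #available(macOS 10.15, iOS 13.0, *) {
            switch transaction.negotiatedTLSProtocolVersion {
            case .TLSv13?: print("negotiated: TLS 1.3")
            case .TLSv12?: print("negotiated: TLS 1.2")
            case .some(let other): print("negotiated: 0x\(String(other.rawValue, radix: 16))")
            case .none: print("negotiated: unknown (no TLS handshake in this transaction)")
            }
        } else {
            // Earlier systems expose no negotiated version in the task metrics.
            print("negotiated TLS version is not reported by this OS")
        }
    }

    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didCompleteWithError error: Error?) {
        if let error = error {
            // A minimum above what the server or the OS supports surfaces here as an SSL error.
            print("error: \(error.localizedDescription)")
        } else if let http = task.response as? HTTPURLResponse {
            print("HTTP \(http.statusCode)")
        }
        finished.signal()
    }
}

/// Hypothetical helper: `requireTLS13` selects a TLS 1.3-only range, otherwise TLS 1.2 up to the maximum.
func makeSession(requireTLS13: Bool, delegate: URLSessionTaskDelegate) -> URLSession {
    let configuration = URLSessionConfiguration.ephemeral
    if #available(macOS 10.15, iOS 13.0, *) {
        // Newer API: the range is expressed with tls_protocol_version_t.
        configuration.tlsMinimumSupportedProtocolVersion = requireTLS13 ? .TLSv13 : .TLSv12
        configuration.tlsMaximumSupportedProtocolVersion = .TLSv13
    } else {
        // Older API: raise the ceiling, otherwise the default maximum stays at TLS 1.2.
        configuration.tlsMinimumSupportedProtocol = requireTLS13 ? .tlsProtocol13 : .tlsProtocol12
        configuration.tlsMaximumSupportedProtocol = .tlsProtocolMaxSupported
    }
    return URLSession(configuration: configuration, delegate: delegate, delegateQueue: nil)
}

// Assumption: replace with a TLS 1.3-capable host you control or are permitted to query.
let url = URL(string: "https://example.com/")!
for requireTLS13 in [false, true] {
    let probe = TLSProbe()
    let session = makeSession(requireTLS13: requireTLS13, delegate: probe)
    print("requireTLS13 = \(requireTLS13)")
    session.dataTask(with: url).resume()
    probe.finished.wait()
    session.finishTasksAndInvalidate()
}
```

Run it from the command line with `swift tls13_example.swift` (file name is an assumption). The delegate-based completion is used instead of a completion handler so that both the metrics callback and the final error are observed on the same object; the second iteration reproduces the failing "minimum TLS 1.3" case documented in the checks below.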
Tested on
- macOS 10.14.4
- macOS 10.14.5
- macOS 10.15 Beta (19A487m)
- macOS 10.15 Beta (19A512f)
- iOS 12.2
- iOS 12.3
- iOS 13.0 Beta (Simulator)
```swift
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: nil)
// -> TLS 1.2
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: .tlsProtocol13)
// -> TLS 1.3
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: .tlsProtocolMaxSupported)
// -> TLS 1.3
check(minimumSupportedTlsProtocol: .tlsProtocol13, maximumSupportedTlsProtocol: .tlsProtocolMaxSupported)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
```
When creating a new macOS or iOS application and enforcing TLS 1.3 in ATS, no connections can be established, regardless of the session's minimum and maximum settings.
Tested on
- macOS 10.14.4
- macOS 10.14.5
- macOS 10.15 Beta (19A487m)
- macOS 10.15 Beta (19A512f)
- iOS 12.2
- iOS 12.3
- iOS 13.0 Beta (Simulator)
```swift
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: nil)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: .tlsProtocol13)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: .tlsProtocolMaxSupported)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
check(minimumSupportedTlsProtocol: .tlsProtocol13, maximumSupportedTlsProtocol: .tlsProtocolMaxSupported)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
```
When using the macOS command line, you can execute the file by calling:

```sh
swift check_tls13.swift
```

In contrast to ATS-enabled applications, when using the command line TLS 1.3 connections will be established by default.
Tested on
- macOS 10.14.5
- macOS 10.15 Beta (19A487m)
- macOS 10.15 Beta (19A512f)
```swift
check(minimumSupportedTlsProtocol: nil, maximumSupportedTlsProtocol: nil, exitOnError: true)
// -> TLS 1.3
check(minimumSupportedTlsProtocol: .tlsProtocol13, maximumSupportedTlsProtocol: nil, exitOnError: true)
// -> An SSL error has occurred and a secure connection to the server cannot be made.
```
I tried to use this to get my app running on iOS 12.5 to be able to access my NGINX server, which is configured with:

But it still didn't work. I still get boring SSL errors.