App Transport Security Diagnostics on Amazon S3
You can run the ATS diagnostics on OS X El Capitan (10.11) with:
nscurl --ats-diagnostics -v https://s3.amazonaws.com
Here is the log. Two different failures appear in it. The tests that keep the forward-secrecy requirement fail with NSURLErrorDomain code -1200 (SecureTransport -9802, errSSLFatalAlert) while loading https://s3.amazonaws.com/, so the TLS handshake itself is rejected. The tests that set NSExceptionRequiresForwardSecrecy = false fail with code -1022 on http://aws.amazon.com/s3/ instead: the TLS connection to s3.amazonaws.com now succeeds, and what ATS blocks is the server's redirect to a plain-HTTP URL on a different host, which an exception scoped to s3.amazonaws.com (even with NSExceptionAllowsInsecureHTTPLoads) does not cover. The only PASS is NSAllowsArbitraryLoads = true, which switches ATS off for every host.
================================================================================
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://s3.amazonaws.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe15b804f40 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159f297c0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f104a0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f14100 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe15bb00e30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe15b804f40 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159f297c0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f104a0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f14100 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for s3.amazonaws.com
---
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159fba7d0 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159fb98e0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9c20 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9f60 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe15ba00fe0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159fba7d0 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159fb98e0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9c20 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9f60 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
---
TLSv1.1
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159d27e20 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159d26ff0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d26570 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d27530 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe159c0e4f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159d27e20 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159d26ff0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d26570 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d27530 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
---
TLSv1.0
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159e175d0 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159e15420 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e15660 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e158a0 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe159f516f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159e175d0 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159e15420 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e15660 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e158a0 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
================================================================================
Configuring PFS exceptions for s3.amazonaws.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159d26440 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for s3.amazonaws.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe15b81d350 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled for s3.amazonaws.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e16060 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e17380 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159f99b40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for s3.amazonaws.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159d34240 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e1c470 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e20360 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
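To turn this output into something a build or review step can act on, here is an added example (not part of the gist, not Apple's tooling) of a small parser for the nscurl --ats-diagnostics format. It splits the log into its test blocks and classifies each failure by the error codes the log contains, separating a rejected TLS handshake (code -1200 with SecureTransport -9802) from a plain-HTTP load refused by ATS policy (code -1022). The embedded SAMPLE is a constructed excerpt of the log above with the long UserInfo dictionaries cut down to the keys the parser reads.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the shape of `nscurl --ats-diagnostics -v` output (three test
# blocks from the log above, errors shortened to the keys this parser reads). Not real tool output.
SAMPLE = """\
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorFailingURLKey=https://s3.amazonaws.com/}
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring PFS exceptions for s3.amazonaws.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSErrorFailingURLKey=http://aws.amazon.com/s3/}
---
"""


@dataclass
class AtsTest:
    name: str
    dictionary: str   # the Info.plist keys nscurl tried, as printed
    result: str       # "PASS" or "FAIL"
    error: str = ""   # the NSError description, if any

    @property
    def cause(self) -> str:
        """Classify the outcome from the error codes nscurl prints."""
        if self.result == "PASS":
            return "pass"
        if "Code=-1022" in self.error:
            # ATS refused a plain-HTTP load; the failing URL shows where the server redirected.
            url = re.search(r"NSErrorFailingURLKey=(\S+?)[,}]", self.error)
            return f"ats-policy-block ({url.group(1) if url else '?'})"
        if "Code=-1200" in self.error:
            # the TLS handshake itself failed; -9802 is SecureTransport's errSSLFatalAlert
            code = re.search(r"_kCFStreamErrorCodeKey=(-?\d+)", self.error)
            return f"tls-handshake-failed (SecureTransport {code.group(1) if code else '?'})"
        return "unknown"


def parse_ats_diagnostics(text: str) -> list[AtsTest]:
    """A test block is: name line, 'ATS Dictionary:', the dictionary, 'Result : ...',
    then an optional 'Error : ...' that runs to the next '---' separator."""
    lines = text.splitlines()
    tests: list[AtsTest] = []
    i = 0
    while i < len(lines):
        if i + 1 < len(lines) and lines[i + 1].strip() == "ATS Dictionary:":
            name = lines[i].strip()
            i += 2
            dict_lines = []
            while i < len(lines) and not lines[i].startswith("Result"):
                dict_lines.append(lines[i].rstrip())
                i += 1
            if i >= len(lines):
                break  # truncated block: no Result line
            result = lines[i].split(":", 1)[1].strip()
            i += 1
            error_lines = []
            if i < len(lines) and lines[i].startswith("Error"):
                while i < len(lines) and lines[i].strip() != "---":
                    error_lines.append(lines[i].strip())
                    i += 1
            tests.append(AtsTest(name, "\n".join(dict_lines), result, " ".join(error_lines)))
        else:
            i += 1
    return tests
```

Run against the full log, every test that relaxes only the TLS version stays in tls-handshake-failed, and every test that disables forward secrecy moves to ats-policy-block on http://aws.amazon.com/s3/, which is the distinction the raw output buries under the certificate dumps.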
yothomas commented Oct 6, 2015

I get slightly more useful results by running:
nscurl --ats-diagnostics -v https://aws.amazon.com

At least some of the tests pass that.

At the end of the day, even the settings that suggests aren't enough, though. I have to add an additional NSIncludesSubdomains = true in order to cover all the URL requests AWS makes.
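The coverage problem described in the comment above can be checked before shipping. The following is an added example, not yothomas's configuration and not from the gist: it builds the two Info.plist ATS dictionaries side by side (the NSAllowsArbitraryLoads = true blanket that is the only PASS in the log, and a per-domain exception for s3.amazonaws.com that keeps HTTPS and relaxes only forward secrecy, the setting that got the handshake through), models ATS's domain-matching rule (an NSExceptionDomains entry applies to its exact host, and to subdomains only when NSIncludesSubdomains is set), and renders the plist XML with plistlib. The bucket hostname is assumed for the illustration.

```python
import plistlib

# Hypothetical hosts for the illustration. Virtual-hosted-style S3 URLs put the bucket
# name in front of s3.amazonaws.com, so the bucket host is a subdomain of it.
S3_HOST = "s3.amazonaws.com"
BUCKET_HOST = "example-bucket.s3.amazonaws.com"   # assumed bucket name


def arbitrary_loads() -> dict:
    """The only configuration the log reports as PASS: ATS switched off for every host."""
    return {"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}}


def s3_exception(include_subdomains: bool) -> dict:
    """Per-domain exception that keeps HTTPS and the TLS 1.2 default and relaxes only
    the forward-secrecy requirement. Without NSIncludesSubdomains it governs the bare
    s3.amazonaws.com host and nothing else."""
    entry = {"NSExceptionRequiresForwardSecrecy": False}
    if include_subdomains:
        entry["NSIncludesSubdomains"] = True
    return {"NSAppTransportSecurity": {"NSExceptionDomains": {S3_HOST: entry}}}


def exception_applies(ats: dict, host: str) -> bool:
    """Model of ATS domain matching: an NSExceptionDomains entry matches its own host
    exactly, and matches subdomains only when it sets NSIncludesSubdomains. A name that
    merely ends with the same characters (nots3.amazonaws.com) is not a subdomain."""
    domains = ats["NSAppTransportSecurity"].get("NSExceptionDomains", {})
    host = host.lower().rstrip(".")
    for domain, entry in domains.items():
        domain = domain.lower()
        if host == domain:
            return True
        if entry.get("NSIncludesSubdomains", False) and host.endswith("." + domain):
            return True
    return False


def to_plist(ats: dict) -> str:
    """Render the dictionary as the XML that goes into Info.plist."""
    return plistlib.dumps(ats).decode()
```

The check is the one to run over every host the app actually contacts: a bucket host such as example-bucket.s3.amazonaws.com is only governed by the s3.amazonaws.com entry once NSIncludesSubdomains is set, and the blanket NSAllowsArbitraryLoads passes the diagnostics only because it stops ATS from checking anything.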

opanco commented Feb 19, 2018

@yothomas, though it's 3 years later, would you mind sharing the additional NSIncludesSubdomains = true change you made to harden the connection to AWS?
