Instantly share code, notes, and snippets.

Embed
What would you like to do?
Apple Transport Security Diagnostics on Amazon S3
You can test ATS diagnositcs in Mac OS X El Capitan by running:
nscurl --ats-diagnostics -v https://s3.amazonaws.com
Here is the log:
================================================================================
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://s3.amazonaws.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe15b804f40 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159f297c0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f104a0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f14100 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe15bb00e30 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe15b804f40 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159f297c0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f104a0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159f14100 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for s3.amazonaws.com
---
TLSv1.2
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159fba7d0 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159fb98e0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9c20 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9f60 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe15ba00fe0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159fba7d0 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159fb98e0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9c20 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159fb9f60 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
---
TLSv1.1
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159d27e20 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159d26ff0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d26570 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d27530 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe159c0e4f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159d27e20 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159d26ff0 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d26570 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159d27530 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
---
TLSv1.0
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrust 0x7fe159e175d0 [0x7fff7507e890]>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
"<SecCertificate 0x7fe159e15420 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e15660 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e158a0 [0x7fff7507e890]>"
), NSUnderlyingError=0x7fe159f516f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fe159e175d0 [0x7fff7507e890]>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fe159e15420 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e15660 [0x7fff7507e890]>",
"<SecCertificate 0x7fe159e158a0 [0x7fff7507e890]>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://s3.amazonaws.com/, NSErrorFailingURLStringKey=https://s3.amazonaws.com/, NSErrorClientCertificateStateKey=0}
---
================================================================================
Configuring PFS exceptions for s3.amazonaws.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159d26440 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for s3.amazonaws.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe15b81d350 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled for s3.amazonaws.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e16060 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e17380 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159f99b40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for s3.amazonaws.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159d34240 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.1";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e1c470 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
NSExceptionDomains = {
"s3.amazonaws.com" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.0";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fe159e20360 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://aws.amazon.com/s3/, NSErrorFailingURLKey=http://aws.amazon.com/s3/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
@yothomas

This comment has been minimized.

yothomas commented Oct 6, 2015

I get slightly more useful results by running:
nscurl --ats-diagnostics -v https://aws.amazon.com

At least some of the tests pass that.

At the end of the day even the settings that suggests aren't enough though. I have to add in an additional NSIncludesSubdomains = true in order to cover all the url requests AWS makes.

@opanco

This comment has been minimized.

opanco commented Feb 19, 2018

@yothomas though it's 3 years later, would you mind sharing the additional NSincludesSubdomains=true that you made to harden the connection to AWS?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment