问题描述

因此Apple要求TLS 1.2具有针对iOS 9开始的URL的前向保密性。独立于应用程序，验证服务器是否满足所有要求的最佳方法是什么？

So Apple requires TLS 1.2 with Forward Secrecy for URLs beginning iOS 9. Independent of the app, what's the best way to verify that a server meets all the requirements?

nscurl直接无效 - 或者我不知道如何使用它。我的输出只是反复说CFNetwork SSLHandshake失败，即使我知道服务器是合规的。

nscurl just outright doesn't work - or I don't know how to use it. My output simply repeatedly says CFNetwork SSLHandshake failed, even though I know the server is compliant.

TLSTool在某种程度上起作用但我不能强制使用前向保密（FS）密码可以使用。

TLSTool works to some extent but I cannot force the Forward Secrecy (FS) ciphers to be used.

openssl可以为客户端模式指定特定的密码，但我的版本没有FS密码。如何升级openssl？

openssl can specify specific cipher for the client mode, but the version I have doesn't have FS ciphers. How do I upgrade openssl?

最好的方法是什么？到目前为止，我不得不使用ssllabs.com的analyze.html。有什么建议吗？

What's the best way? So far I've had to ssllabs.com's analyze.html. Any suggestions?

推荐答案

基本上 nscurl --ats-diagnostics< url> 尝试所有可能的服务器连接变体和每个测试的PASS / FAIL结果响应。您应该找到为您的服务器传递的测试并相应地设置ATS配置。

Basically nscurl --ats-diagnostics <url> just tries all possible variants of connection to server and responses with PASS/FAIL results for each test. You should just find which tests pass for your server and set ATS configuration accordingly.

这里是一篇关于ATS和检查服务器合规性的好文章，它还包含一个nscurl示例。

Here's a good article on ATS and checking server compliance, it also contains an nscurl example.