MASTG-TEST-0066: Testing the TLS Settings

Deprecated Test

This test is deprecated and should not be used anymore. Reason: New version available in MASTG V2

Please check the following MASTG v2 tests that cover this v1 test:

• References to Weak ATS TLS Policy Exceptions in Info.plist
• URLSession TLS Protocol Configuration
• Network.framework TLS Protocol Configuration
• Embedded or Third-party TLS Stack Configuration
• Insecure TLS Protocols in Network Traffic

Overview

Remember to inspect the corresponding justifications to discard that it might be part of the app intended purpose.

It is possible to verify which ATS settings can be used when communicating to a certain endpoint. On macOS the command line utility nscurl can be used. A permutation of different settings will be executed and verified against the specified endpoint. If the default ATS secure connection test is passing, ATS can be used in its default secure configuration. If there are any fails in the nscurl output, please change the server side configuration of TLS to make the server side more secure, rather than weakening the configuration in ATS on the client. See the article "Identifying the Source of Blocked Connections" in the Apple Developer Documentation for more details.

Refer to section "Verifying the TLS Settings" in chapter Testing Network Communication for details.