1

I know that nscurl is coming on MacOS since El Captain, but I am wondering if there is a way to get similar results using PowerShell.

This answer shows how to get the certificate, but it isn't equivalent to running:

nscurl --ats-diagnostics https://google.com:443

on a macOS. Is there anything like that on the Windows side?

Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42
DeMarco
  • 31
  • 1
  • 6
  • It might help to explain what 'nscurl ats-diagnostics' actually does so people unfamiliar with that tool don't have to go look it up. – Ryan Bolger Oct 05 '17 at 19:00

1 Answers1

1

I do not know about a PowerShell equivalent, but the following could help nevertheless, either to do the same thing manually or for someone to build the appropriate PowerShell script.

From the name and what I read, nscurl is a wrapper around curl that just makes sure that the server conforms to Apple requirements which are TLS 1.2 and PFS in summary

curl --verbose already gives you things like SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 so you need to display that properly and then test values against Apple full specification.

Apple full requirements (https://www.apple.com/business/docs/iOS_Security_Guide.pdf) are in fact:

  • cipher selection to include only suites that provide forward secrecy, specifically ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode and RSA_AES could be added if forward secrecy is disabled on some domain
  • Servers must support TLS v1.2 and forward secrecy
  • certificates must be valid and signed using SHA-256 or better with a minimum 2048-bit RSA key or 256-bit elliptic curve key

So all of this is basically given by curl --verbose or even openssl s_client.

In fact, reading https://forums.developer.apple.com/thread/14816 you discover there is another tool provided called TLSTool that can help, and based on its API it is clearly a wrapper around openssl.

Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42