Using nscurl to diagnose NSurl TLS errors

Using the nscurl tool to diagnose ATS Connection Issues
In OS X v10.11 and later, you can use the /usr/bin/nscurl tool to help diagnose connection issues due to App Transport Security.

The --ats-diagnostics option tries to connect with the specified URL using different combinations of values for the NSAllowsArbitraryLoads, NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy, and NSExceptionAllowsInsecureHTTPLoads keys shown in Table 3 (Apple iOS Docs). A summary of the results is printed to the command line.

The format for the command is:

/usr/bin/nscurl --ats-diagnostics [--verbose] URL
  • URL. The URL for the host. This is required.
  • verbose. Specifying this option includes more information for each connection attempt including the keys and associated values used.

I used this recently to figure out issues with my Camlistore instance. I had a combination of setting up my SSL incorrectly, issues with code configuration, and Camlistore’s server not apparently using TLS.

All is figured out now though.