lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

50887327: TLS 1.3 cannot be enforced for macOS/iOS applications #21267

Open openradar-mirror opened 5 years ago

openradar-mirror commented 5 years ago

Description

When creating a new iOS/macOS application, App Transport Security (ATS) is enabled by default. The default configuration enforces a minimum TLS version of TLS 1.2. If a developer wants to harden this configuration by enforcing TLS 1.3 connections, this is currently not possible.

Assume that example.com supports TLS 1.3.

When trying to enforce TLS 1.3 for example.com via ATS configuration or setting the minimum supported TLS protocol programmatically, all connections to example.com will fail.

For applications, only TLS 1.2 connections will be established, unless the maximum supported TLS protocol is set to .tlsProtocol13 or .tlsProtocolMaxSupported.

Command line applications on macOS behave differently. There is no ATS, and TLS 1.3 connections will be established by default. TLS 1.3 also cannot be enforced for them.

See details and proof-of-concept code at https://gist.github.com/blochberger/8e98f768502283dccb245f7ca81a79f8

- Product Version: macOS 10.14.5, iOS 12.3
- Created: 2019-05-17T09:45:30.673740
- Originated: 2019-05-17T00:00:00
- Open Radar Link: http://www.openradar.me/50887327
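The three configurations the report compares (defaults untouched, ceiling raised to TLS 1.3, floor raised to TLS 1.3), as an added example that is not part of the radar or the linked gist. It uses the SSLProtocol-based `tlsMinimumSupportedProtocol` / `tlsMaximumSupportedProtocol` properties of `URLSessionConfiguration` that existed on macOS 10.14 / iOS 12, and is meant to be called from an app target, since the report notes that command-line tools have no ATS; the host name and the `runTLSProbes` / `probe` function names are assumptions.

```swift
import Foundation

/// Opens one HTTPS connection with an optional TLS floor and ceiling and
/// reports whether the handshake succeeded. A nil value leaves the
/// URLSessionConfiguration default (TLS 1.2 floor, per the report) untouched.
/// The equivalent ATS route is the NSExceptionMinimumTLSVersion key under
/// NSAppTransportSecurity > NSExceptionDomains in Info.plist.
func probe(host: String, minimum: SSLProtocol?, maximum: SSLProtocol?,
           completion: @escaping (Result<Int, Error>) -> Void) {
    let config = URLSessionConfiguration.ephemeral
    if let minimum = minimum { config.tlsMinimumSupportedProtocol = minimum }
    if let maximum = maximum { config.tlsMaximumSupportedProtocol = maximum }
    let session = URLSession(configuration: config)
    let url = URL(string: "https://\(host)/")!
    session.dataTask(with: url) { _, response, error in
        if let error = error {
            completion(.failure(error))   // handshake or transport failure
        } else {
            completion(.success((response as? HTTPURLResponse)?.statusCode ?? -1))
        }
    }.resume()
}

/// Runs the three cases from the report against a host assumed to
/// negotiate TLS 1.3 (example.com in the report) and prints the outcome.
/// Expected per the report: case 1 connects over TLS 1.2, case 2 connects
/// over TLS 1.3, case 3 (enforcing TLS 1.3) fails.
func runTLSProbes(host: String = "example.com") {
    let cases: [(String, SSLProtocol?, SSLProtocol?)] = [
        ("1: defaults untouched",        nil,            nil),
        ("2: ceiling raised to TLS 1.3", nil,            .tlsProtocol13),
        ("3: floor raised to TLS 1.3",   .tlsProtocol13, .tlsProtocolMaxSupported),
    ]
    let group = DispatchGroup()
    for (label, lo, hi) in cases {
        group.enter()
        probe(host: host, minimum: lo, maximum: hi) { result in
            switch result {
            case .success(let code): print("\(label): connected, HTTP \(code)")
            case .failure(let err):  print("\(label): failed, \(err.localizedDescription)")
            }
            group.leave()
        }
    }
    group.notify(queue: .main) { print("TLS probes finished") }
}
```

The third case is the one the radar is about: with the floor at TLS 1.3 the connection fails even though the server supports TLS 1.3, so a TLS 1.3-only policy cannot be expressed through either ATS or these session properties.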