HTTPS协议是Http Over SSL,简单来说就是HTTP的安全版本,在HTTP的基础上增加SSL/TLS加密传输协议,通过HTTPS加密传输和身份认证保证了传输过程的安全性。在登录网银和电子邮箱时,你会常常看到地址栏的网址显示HTTPS前缀,从而轻松判断这个网页是否采用了HTTPS加密连接。但是在移动应用上,网络连接的安全性就没有那么透明了,用户很难知道App连接网络时使用的是HTTP还是HTTPS。

ATS就是因此而诞生的,ATS要求服务器必须支持传输层安全(TLS)协议1.2以上版本;证书必须使用SHA256或更高的哈希算法签名;必须使用2048位以上RSA密钥或256位以上ECC算法等等,不满足条件的证书,ATS都会拒绝连接。强制开启ATS体现了苹果一贯的隐私保护态度。

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

Requirements for Connecting Using ATS

With App Transport Security (ATS) fully enabled, the system requires that your app’s HTTP connections use HTTPS and that they satisfy the following security requirements:

  • The X.509 digital server certificate must meet at least one of the following trust requirements:

    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

    • Issued by a trusted root CA and installed by the user or a system administrator

  • The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.

  • The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • The leaf server certificate must be signed with one of the following types of keys:

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

The requirements listed in this section are current as of this document’s publication date, with stricter requirements possible in the future. Changes to these requirements will not break app binary compatibility.

Certificate Transparency

Certificate Transparency employs logging of X.509 certificates, using cryptographic assurance and in a manner that can be publicly audited. This system facilitates identifying certificates that were mistakenly or maliciously issued. App Transport Security lets you configure your app to require Certificate Transparency (CT) for specific, named domains. Before such a domain can connect with your app, it must prove to the system that its X.509 digital certificate is present in at least two CT logs trusted by Apple.

To require Certificate Transparency, set the value of the NSRequiresCertificateTransparency key, within the appropriate domain-name dictionary, to YES. (See the overall structure of the NSAppTransportSecurity dictionary, in ATS Configuration Basics, to see exactly where theNSRequiresCertificateTransparency key should be placed.)

Enabling Certificate Transparency does not eliminate the need for your app to revoke invalid certificates and to refuse connections that employ them. To support certificate checking and revocation, use Online Certificate Status Protocol (OCSP) stapling, specified in RFC6066.

For details on Certificate Transparency, see certificate-transparency.org.

AFNetworking 接入https

http://www.jianshu.com/p/20d5fb4cd76d

http://www.cocoachina.com/ios/20151021/13722.html

适配 ATS

最新文章

  1. 1Z0-053 争议题目解析
  2. java 数据库连接池
  3. MapReduce二次排序
  4. [2015hdu多校联赛补题]hdu5348 MZL's endless loop
  5. Apache-Shiro+Zookeeper系统集群安全解决方案之缓存管理
  6. 详解强大的SQL注入工具——SQLMAP
  7. 学习微信小程序之css17clearfix原理
  8. oc语言--protocol(协议)
  9. 命令行运行命令时报错You don't have write permissions for the /Library/***
  10. 解决150%DPI下Photoshop不能显示成合适大小的问题
  11. C/C++中容器vector用法
  12. 利用jmap和MAT等工具查看JVM运行时堆内存
  13. Java并发包1--线程的状态及常用方法
  14. Django--QuerySet--基础查询
  15. English trip V1 - 12.Belongings 行李 Teacher:Jade Key: ?
  16. 不安装Oracle数据库使用plsqldevloper
  17. Atitit 切入一个领域的方法总结 attilax这里,机器学习为例子
  18. memcached stats 命令
  19. 天梯赛 大区赛 L3-014.周游世界 (Dijkstra)
  20. C#中相关结构的用法及用途

热门文章

  1. sortedArrayUsingComparator
  2. Ubuntu 卸载 VMware
  3. Ecshop的购物流程代码分析详细说明
  4. Yii源码阅读笔记(十四)
  5. Ruby--Array
  6. 解决ORA-00054资源正忙的问题
  7. Delphi 如何操作外部程序的控件(如按钮,文本框,单选按钮等)
  8. PHP5 mysqli 教程
  9. comms.nottingham.ac.uk/learningtechnology
  10. Nginx+Django+Uwsgi+php