章节都为本人定义,无抄袭,其中英文部分内容为官方文档摘抄以及自己总结,翻译的不好,敬请指正

App Transport Security(暂且翻译为app传输安全)

What is ATS?

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

ATS为app应用和后台之间的安全连接提供了一个很好地规范,ATS阻止了额外的消息泄露,提供了安全规范的行为,并且很容易采用。同时最早提供在iOS 9 和 OS X v10.11之间的交互中。开发者应该尽快的采用ATS,无论是创建还是更新app。

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn‘t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app‘s Info.plist file

如果你正在开发一个新的应用,你应该只用HTTPS协议。如果你已经有一个app,你应该现在就尽可能地用HTTPS,并且有计划地尽快改动剩下的部分。另外通过高等级API进行的通信需要用 采用forward secrecy的TLS 1.2进行编码。如果你试着建立一个不符合标准的连接,将会抛出错误。如果你的app需要向一个不可靠的域发送请求,你必须在你的plist文件里指定这个域。

ATS requirements:

All connections using the NSURLConnectionCFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

所有用到 NSURLConnectionCFURL 或者 NSURLSession 的 API在iOS9.0或者OS X 10.00 以后的版本都用ATS的标准行为进行编译. 没有满足ATS要求的连接将会失败。

These are the App Transport Security requirements:

满足ATS需要下列要求:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.     必须是TLS协议1.2之后的版本

  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)   必须是提供forward secrecy的连接加密(查看后面的可通过的加密规则)

  • Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.

    Invalid certificates result in a hard failure and no connection.   证书必须是用SHA256或者更好的签名hash算法,可以用一个2048bit key或者 RSA key 或者 ECCkey

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connect not apply to the requirements, you will get the error followed:

如果连接不满足要求,将会报下列错误:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

 

How to set ATS with HTTPS not apply to ATS? (设置不满足要求的HTTPS协议)

<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>api.circletable.com</key>
<dict>
<key>NSIncludesSubdomains</key> <true/>
<key>NSExceptionRequiresForwardSecrecy</key> <false/>
                                <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/>
</dict>
</dict>
</dict>

 

NSIncludesSubdomains设置为YES表示子级域名和父级域名都使用相同设置。

NSExceptionRequiresForwardSecrecy为NO 如果当前HTTPS不支持ForwardSecrecy,屏蔽掉改功能。

NSExceptionAllowInsecureHTTPLoads设置为YES,则表示允许访问没有证书或者是自签名、过期、主机名不匹配的证书引发的错误的域名。

 

 

How and when to disable ATS?(什么时候不使用ATS,怎样取消ATS)

在iOS 9下直接用http请求会收到如下错误

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app‘s Info.plist file.

如果需要支持Http,需要在info.plist中添加字段:

<key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/></dict>

NSAllowsAritraryLoads部分表示禁用ATS

The property keys(可设置的属性)

Keys Type

NSAppTransportSecurity

Dictionary

NSAllowsArbitraryLoads

Boolean

NSExceptionDomains

Dictionary

<domain-name-for-exception-as-string>

Dictionary

NSExceptionMinimumTLSVersion

String

NSExceptionRequiresForwardSecrecy

Boolean

NSExceptionAllowsInsecureHTTPLoads

Boolean

NSIncludesSubdomains

Boolean

NSThirdPartyExceptionMinimumTLSVersion

String

NSThirdPartyExceptionRequiresForwardSecrecy

Boolean

NSThirdPartyExceptionAllowsInsecureHTTPLoads

Boolean

NSAppTransportSecurity

A dictionary containing the settings for overriding default App Transport Security behaviors. The top level key for the app’s Info.plist file.

一个用于重写ATS标准行为的字典,里面包含ATS的设置。在app的plist文件里是顶级设置目录

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.The default value of NO requires the default App Transport Security behavior for all connections.

一个布尔值,对于任何没有在NSExceptionDomains的字典里添加的域,可以用这个值来禁用ATS。 默认值为NO,表示所有连接都需要采用ATS标准

NSExceptionDomains

A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.

存放特殊ATS的字典,每个键值是一个包含特殊域名的字符串

<domain-name-for-exception-as-string>

A dictionary of exceptions for the named domain. The name of the key is the name of the domain–for example, www.apple.com.

存放特殊域的字典,键值是域名

NSExceptionMinimumTLSVersion

A string that specifies a the minimum TLS version for connections. Valid values are:TLS v1.0, TLS v1.1, TLS v1.2.

TLSV1.2 is the default value.

一个为连接最小TLS版本号的字符串。有效的值是TLSv1.0, TLSv1.1, TLSv1.2. 默认的值是TLS v1.2

NSExceptionRequiresForwardSecrecy

A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers.

YES is the default value and limits the ciphers to those shown in Default Behavior.

Setting the value to NO adds the following the list of accepted ciphers:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

NSExceptionAllowsInsecureHTTPLoads

A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate.

NO is the default value.

NSIncludesSubdomains

A Boolean value for applying the overrides to all subdomains of the top-level domain.

NO is the default value.

NSThirdPartyExceptionMinimumTLSVersion

A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionRequiresForwardSecrecy

A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionAllowsInsecureHTTPLoads

A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.

Reference

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/

https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html

https://developer.apple.com/library/prerelease/ios/releasenotes/DeveloperTools/RN-Xcode/Chapters/xc7_release_notes.html#//apple_ref/doc/uid/TP40001051-CH5-SW1

关于App Transport Security的更新,中英文对照 --Xcode 7 --iOS9的更多相关文章

  1. iOS App 不支持http协议 App Transport Security has blocked a cleartext HTTP (http://)

    目前iOS已经不支持http协议了,不过可以通过info.plist设置允许 App Transport Security has blocked a cleartext HTTP (http://) ...

  2. App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file

    ios进行http请求,会出现这个问题: App Transport Security has blocked a cleartext HTTP (http://) resource load sin ...

  3. App Transport Security has blocked a cleartext HTTP (http://)

    使用SDWebImage加载“http://”开头的图片报错,错误如下: App Transport Security has blocked a cleartext HTTP (http://) r ...

  4. iOS9中的App Transport Security

    问题:webView加载网页加载不出来 原因:苹果在iOS9 sdk中加入了App Transport Security限制(iOS9以前的iOS sdk默认关闭ATS),默认强制使用https,并且 ...

  5. 网络请求报错:The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.

    iOS9引入了新特性App Transport Security (ATS).详情:App Transport Security (ATS) 如果你想设置不阻止任何网络,只需要在info.plist文 ...

  6. IOS开发 App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

    xcode自7后不再使用http,而是使用https请求,但目前很多网络请求还只是以http请求,我们可以这样解决 info.plist->添加@“App Transport Security ...

  7. App Transport Security has blocked a cleartext

    错误描述: App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecu ...

  8. Xcode 7 App Transport Security has blocked a cleartext HTTP 报错解决办法

    Xcode 7 创建新项目用到 UIWebView 发送请求时,报下面的错: “App Transport Security has blocked a cleartext HTTP (http:// ...

  9. iOS9 beta 请求出现App Transport Security has blocked a cleartext HTTP (http://)

    iOS9 beta 请求出现App Transport Security has blocked a cleartext HTTP (http://) http://www.bubuko.com/in ...

随机推荐

  1. linux C 执行多个文件

  2. 2013 Fench Open quart-semifnl press conference

    http://v.youku.com/v_show/id_XNTY3NTAwOTA4.html?firsttime=179 Novak, very  congradutlations,  to rea ...

  3. range与xrange之间的差异(转)

    range 函数说明:range([start,] stop[, step]),根据start与stop指定的范围以及step设定的步长,生成一个序列.range示例: >>> ra ...

  4. ip协议的数据分片备忘

    总结: 不仅tcp协议能对数据段进行分割,ip协议也具备这个功能,之所以会这样是两者都受到底层MTU的限制(虽说tcp是根据MSS限制来分割数据包,由于MTU=tcp包头+ip包头+MSS,所以其实也 ...

  5. 自己编写的.sh脚本文件运行完闪退解决方案

    gnome-terminal设置如下图: 直接原因是,“命令退出时:退出终端”造成的!! 解决方案如下: 1. Ctrl + Alt + F1 ,进入文本操作模式: 2. 登录后,执行:yum ins ...

  6. DOS攻击之详解--转载

    源地址没有找到,间接引用地址:http://wushank.blog.51cto.com/3489095/1156004 DoS到底是什么?接触PC机较早的同志会直接想到微软磁盘操作系统的DOS--D ...

  7. 关于android listview去掉分割线

    1.设置android:divider="@null" 2.android:divider="#00000000" #00000000后面两个零表示透明 3.. ...

  8. Easier Done Than Said?

    Problem Description Password security is a tricky thing. Users prefer simple passwords that are easy ...

  9. Java Properties类

    Properties 是哈希表的一个子类.它是用来维持值列表,其中的键是一个字符串,值也是一个字符串. Properties类被许多其他的Java类使用.例如,它是对象通过System.getProp ...

  10. 基础连接已经关闭: 未能为SSL/TLS 安全通道建立信任关系

    #region private static bool ValidateServerCertificate 解决Error"基础连接已经关闭: 未能为SSL/TLS 安全通道建立信任关系.& ...