ATS连接 https

HTTPS协议是Http Over SSL，简单来说就是HTTP的安全版本，在HTTP的基础上增加SSL/TLS加密传输协议，通过HTTPS加密传输和身份认证保证了传输过程的安全性。在登录网银和电子邮箱时，你会常常看到地址栏的网址显示HTTPS前缀，从而轻松判断这个网页是否采用了HTTPS加密连接。但是在移动应用上，网络连接的安全性就没有那么透明了，用户很难知道App连接网络时使用的是HTTP还是HTTPS。

ATS就是因此而诞生的，ATS要求服务器必须支持传输层安全（TLS）协议1.2以上版本；证书必须使用SHA256或更高的哈希算法签名；必须使用2048位以上RSA密钥或256位以上ECC算法等等，不满足条件的证书，ATS都会拒绝连接。强制开启ATS体现了苹果一贯的隐私保护态度。

---

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

Requirements for Connecting Using ATS

With App Transport Security (ATS) fully enabled, the system requires that your app’s HTTP connections use HTTPS and that they satisfy the following security requirements:

• The X.509 digital server certificate must meet at least one of the following trust requirements:

  • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

  • Issued by a trusted root CA and installed by the user or a system administrator

• The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.

• The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

• The leaf server certificate must be signed with one of the following types of keys:

  • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

  • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

  In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

The requirements listed in this section are current as of this document’s publication date, with stricter requirements possible in the future. Changes to these requirements will not break app binary compatibility.

Certificate Transparency

Certificate Transparency employs logging of X.509 certificates, using cryptographic assurance and in a manner that can be publicly audited. This system facilitates identifying certificates that were mistakenly or maliciously issued. App Transport Security lets you configure your app to require Certificate Transparency (CT) for specific, named domains. Before such a domain can connect with your app, it must prove to the system that its X.509 digital certificate is present in at least two CT logs trusted by Apple.

To require Certificate Transparency, set the value of the NSRequiresCertificateTransparency key, within the appropriate domain-name dictionary, to YES. (See the overall structure of the NSAppTransportSecurity dictionary, in ATS Configuration Basics, to see exactly where theNSRequiresCertificateTransparency key should be placed.)

Enabling Certificate Transparency does not eliminate the need for your app to revoke invalid certificates and to refuse connections that employ them. To support certificate checking and revocation, use Online Certificate Status Protocol (OCSP) stapling, specified in RFC6066.

For details on Certificate Transparency, see certificate-transparency.org.

---

AFNetworking 接入https

http://www.jianshu.com/p/20d5fb4cd76d

---

http://www.cocoachina.com/ios/20151021/13722.html

适配 ATS