章節都為本人定義�,無抄襲,其中英文部分內容為官方文檔摘抄以及自己總結�����,翻譯的不好,敬請指正
App Transport Security(暫且翻譯為app傳輸安全)
What is ATS�����?
App Transport Security (ATS) enforces best PRactices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
ATS為app應用和后臺之間的安全連接提供了一個很好地規范����,ATS阻止了額外的消息泄露,提供了安全規范的行為����,并且很容易采用。同時最早提供在iOS 9 和 OS X v10.11之間的交互中���。開發者應該盡快的采用ATS�,無論是創建還是更新app�。
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn‘t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app‘s Info.plist file
如果你正在開發一個新的應用,你應該只用HTTPS協議����。如果你已經有一個app,你應該現在就盡可能地用HTTPS����,并且有計劃地盡快改動剩下的部分。另外通過高等級API進行的通信需要用 采用forward secrecy的TLS 1.2進行編碼���。如果你試著建立一個不符合標準的連接����,將會拋出錯誤����。如果你的app需要向一個不可靠的域發送請求,你必須在你的plist文件里指定這個域����。
ATS requirements:
All connections using the NSURLConnection, CFURL, or NSURLsession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.
所有用到 NSURLConnection, CFURL 或者 NSURLSession 的 API在iOS9.0或者OS X 10.00 以后的版本都用ATS的標準行為進行編譯. 沒有滿足ATS要求的連接將會失敗�。
These are the App Transport Security requirements:
滿足ATS需要下列要求:
The server must support at least Transport Layer Security (TLS) protocol version 1.2. 必須是TLS協議1.2之后的版本
Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.) 必須是提供forward secrecy的連接加密(查看后面的可通過的加密規則)
Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
Invalid certificates result in a hard failure and no connection. 證書必須是用SHA256或者更好的簽名hash算法����,可以用一個2048bit key或者 RSA key 或者 ECCkey
These are the accepted ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
If your connect not apply to the requirements, you will get the error followed:
如果連接不滿足要求���,將會報下列錯誤:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
How to set ATS with HTTPS not apply to ATS? (設置不滿足要求的HTTPS協議)
<key>NSAPPTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>api.circletable.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSExceptionRequiresForwardSecrecy</key> <false/> <key>NSExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict>
NSIncludesSubdomains設置為YES表示子級域名和父級域名都使用相同設置�。
NSExceptionRequiresForwardSecrecy為NO 如果當前HTTPS不支持ForwardSecrecy���,屏蔽掉改功能����。
NSExceptionAllowInsecureHTTPLoads設置為YES,則表示允許訪問沒有證書或者是自簽名����、過期��、主機名不匹配的證書引發的錯誤的域名����。
How and when to disable ATS���?(什么時候不使用ATS���,怎樣取消ATS)
在iOS 9下直接用http請求會收到如下錯誤
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app‘s Info.plist file.
如果需要支持Http���,需要在info.plist中添加字段:
<key>NSAppTransportSecurity</key><dict> <key>NSAllowsArbitraryLoads</key> <true/></dict>
NSAllowsAritraryLoads部分表示禁用ATS
The property keys(可設置的屬性)
| Keys | Type |
NSAppTransportSecurity
| Dictionary |
NSAllowsArbitraryLoads | Boolean |
NSExceptionDomains | Dictionary |
<domain-name-for-exception-as-string> | Dictionary |
NSExceptionMinimumTLSVersion | String |
NSExceptionRequiresForwardSecrecy | Boolean |
NSExceptionAllowsInsecureHTTPLoads | Boolean |
NSIncludesSubdomains | Boolean |
NSThirdPartyExceptionMinimumTLSVersion | String |
NSThirdPartyExceptionRequiresForwardSecrecy | Boolean |
NSThirdPartyExceptionAllowsInsecureHTTPLoads | Boolean |
NSAppTransportSecurity
A dictionary containing the settings for overriding default App Transport Security behaviors. The top level key for the app’s Info.plist file.
一個用于重寫ATS標準行為的字典,里面包含ATS的設置���。在app的plist文件里是頂級設置目錄
NSAllowsArbitraryLoads
A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain.The default value of NO requires the default App Transport Security behavior for all connections.
一個布爾值���,對于任何沒有在NSExceptionDomains的字典里添加的域,可以用這個值來禁用ATS�。 默認值為NO,表示所有連接都需要采用ATS標準
NSExceptionDomains
A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.
存放特殊ATS的字典����,每個鍵值是一個包含特殊域名的字符串
<domain-name-for-exception-as-string>
A dictionary of exceptions for the named domain. The name of the key is the name of the domain–for example, www.apple.com.
存放特殊域的字典,鍵值是域名
NSExceptionMinimumTLSVersion
A string that specifies a the minimum TLS version for connections. Valid values are:TLS v1.0, TLS v1.1, TLS v1.2.
TLSV1.2 is the default value.
一個為連接最小TLS版本號的字符串�。有效的值是TLSv1.0, TLSv1.1, TLSv1.2. 默認的值是TLS v1.2
NSExceptionRequiresForwardSecrecy
A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers.
YES is the default value and limits the ciphers to those shown in Default Behavior.
Setting the value to NO adds the following the list of accepted ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
NSExceptionAllowsInsecureHTTPLoads
A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate.
NO is the default value.
NSIncludesSubdomains
A Boolean value for applying the overrides to all subdomains of the top-level domain.
NO is the default value.
NSThirdPartyExceptionMinimumTLSVersion
A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.
NSThirdPartyExceptionRequiresForwardSecrecy
A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.
NSThirdPartyExceptionAllowsInsecureHTTPLoads
A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.
Reference
