ATS连接 https

时间:2022-12-18 22:13:56

HTTPS协议是Http Over SSL,简单来说就是HTTP的安全版本,在HTTP的基础上增加SSL/TLS加密传输协议,通过HTTPS加密传输和身份认证保证了传输过程的安全性。在登录网银和电子邮箱时,你会常常看到地址栏的网址显示HTTPS前缀,从而轻松判断这个网页是否采用了HTTPS加密连接。但是在移动应用上,网络连接的安全性就没有那么透明了,用户很难知道App连接网络时使用的是HTTP还是HTTPS。

ATS就是因此而诞生的,ATS要求服务器必须支持传输层安全(TLS)协议1.2以上版本;证书必须使用SHA256或更高的哈希算法签名;必须使用2048位以上RSA密钥或256位以上ECC算法等等,不满足条件的证书,ATS都会拒绝连接。强制开启ATS体现了苹果一贯的隐私保护态度。

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

Requirements for Connecting Using ATS

With App Transport Security (ATS) fully enabled, the system requires that your app’s HTTP connections use HTTPS and that they satisfy the following security requirements:

  • The X.509 digital server certificate must meet at least one of the following trust requirements:

    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

    • Issued by a trusted root CA and installed by the user or a system administrator

  • The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.

  • The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • The leaf server certificate must be signed with one of the following types of keys:

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

The requirements listed in this section are current as of this document’s publication date, with stricter requirements possible in the future. Changes to these requirements will not break app binary compatibility.

Certificate Transparency

Certificate Transparency employs logging of X.509 certificates, using cryptographic assurance and in a manner that can be publicly audited. This system facilitates identifying certificates that were mistakenly or maliciously issued. App Transport Security lets you configure your app to require Certificate Transparency (CT) for specific, named domains. Before such a domain can connect with your app, it must prove to the system that its X.509 digital certificate is present in at least two CT logs trusted by Apple.

To require Certificate Transparency, set the value of the NSRequiresCertificateTransparency key, within the appropriate domain-name dictionary, to YES. (See the overall structure of the NSAppTransportSecurity dictionary, in ATS Configuration Basics, to see exactly where theNSRequiresCertificateTransparency key should be placed.)

Enabling Certificate Transparency does not eliminate the need for your app to revoke invalid certificates and to refuse connections that employ them. To support certificate checking and revocation, use Online Certificate Status Protocol (OCSP) stapling, specified in RFC6066.

For details on Certificate Transparency, see certificate-transparency.org.

AFNetworking 接入https

http://www.jianshu.com/p/20d5fb4cd76d

http://www.cocoachina.com/ios/20151021/13722.html

适配 ATS

ATS连接 https的更多相关文章

  1. 记Outlook插件与Web页面交互的各种坑 (含c# HttpWebRequest 连接https 的完美解决方法)

    1) 方案一,  使用Web Service  基础功能没问题, 只是在连接https (ssh) 网站时, 需要针对https进行开发 (即http 和https 生成两套接口, 不太容易统一 ). ...

  2. php soap连接https的wsdl报错SOAP-ERROR: Parsing WSDL:Couldn't load from

    转发:https://blog.csdn.net/keyunq/article/details/51804728 SOAP-ERROR: Parsing WSDL:Couldn’t load from ...

  3. ats 与 https

    一些证书相关的描述:   https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKe ...

  4. IDEA搭建本地服务器解决无法连接https://start.spring.io

    通过IntellJ IDEA创建Spring Boot项目时,发生以下的问题.如图: 报错: 也许你搜到的都是诸如此类的回答: 在学习springboot的时候,使用IDEA的快速新建springbo ...

  5. 设置mysql5.7远程连接-----------https://blog.csdn.net/qiyueqinglian/article/details/52778230

    https://blog.csdn.net/qiyueqinglian/article/details/52778230 设置mysql5.7远程连接

  6. IDEA2018创建SpringBoot无法连接https://start.spring.io

    这是由于spring-boot需要访问https://start.spring.io外网,但是由于国内的局域网限制导致的. 解决办法: 进入到IDEA的setting 搜索 HTTP Proxy 选择 ...

  7. npm publish 发布失败 无法连接 https://registry.npmjs.org

    自己写的npm包,之前每次更新都是正常发布,最近做个一个更新,想发布,然后npm publish 竟然失败, 错误提示如下: npm ERR! network request to https://r ...

  8. openssl 连接 https(nginx)

    参考源码路径  demos\ssl #include <stdio.h> #include <string.h> #include <stdlib.h> #incl ...

  9. java连接https时禁用证书验证&period;

    import java.io.File; import java.security.cert.CertificateException; import java.util.List; import j ...

随机推荐

  1. &lpar;转&rpar; JAVA中如何设置图片(图标)自适应Jlable等组件的大小

    一.问题: 一个程序,组件上设置某个图片作为图标,因为的label(应该说是组件)已经设定了固定大小, 所以再打开一些大图片时,超过组件大小的部分没显示出来,而小图片又没填充完整个组件 二.解决这个问 ...

  2. Devexpress Gantt 应用

    甘特图属于甘特系列浏览次数(也称为时间或时间轴图表).此视图显示横条沿时间轴.每个条形代表一个单独的事件的开始和结束的值, 因此,这些图是用来跟踪各种活动的时间范围内(例如计划,利用各种资源,审查该项 ...

  3. VS 报cmath&lpar;19&rpar;&colon; error C2061&colon; 语法错误&colon; 标识符&ldquo&semi;acosf&rdquo&semi; 错误

    这是因为我在.c文件中用了 #include <iostream> using namespace std; 这样编译的时候就报: 出现错误类型如下:1>c:\program fil ...

  4. SlideAndDragListView,一个可排序可滑动item的ListView

    SlideAndDragListView简介 SlideAndDragListView,可排序.可滑动item显示"菜单"的ListView. SlideAndDragListVi ...

  5. 网页地图map

    <map name="map"> <area shape="rect" coords="75,75,99,99" nohr ...

  6. CSS之弧形阴影

    简述 网页上经常会出现一些弧形的阴影效果,看起来很漂亮,下面我们来讲述下如何用CSS来实现一个弧形阴影. 简述 阴影 效果 注释 标题 效果 源码 合并 效果 源码 阴影 效果 首先实现一个简单的阴影 ...

  7. C语言--返回局部变量的地址

    我们可能会经常写出这样的代码: int  add(int  a , int  b) { return  a + b; } 当然,这是合理的写法,使函数的返回值为 int ,所以,调用函数后会返回一个i ...

  8. mysql之6备份恢复

    基本意义: 将数据另存到其他设备,以便于出现问题时恢复数据     为什么要备份: 灾难恢复:需求改变:测试     几个事先需要考虑的问题: 可以容忍丢失多长时间的数据?恢复要在多长时间内完成?是否 ...

  9. LSTM主要思想和网络结构

    在你阅读这篇文章时候,你都是基于自己已经拥有的对先前所见词的理解来推断当前词的真实含义.我们不会将所有的东西都全部丢弃,然后用空白的大脑进行思考.我们的思想拥有持久性. 相关信息和当前预测位置之间的间 ...

  10. GDB基础学习

    GDB基础学习 要调试C/C++程序,首先在编译时,我们必须要把调试信息加到可执行文件中.使用编译器(cc/gcc/g++)的-g参数可以做到这一点,比如: gcc -g test.c -o test ...

相关文章