
关于App Transport Security的更新,中英文对照

发布时间:2015-09-18 20:00:18

All sections were defined by me and nothing is plagiarised; the English portions are excerpts from the official documentation together with my own summary. The translation is not great, so corrections are welcome.

App Transport Security (provisionally translated here as app transport security)

What is ATS?

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

ATS provides a sound set of rules for secure connections between an app and its back end. ATS prevents unintended information disclosure, provides secure default behaviour, and is easy to adopt; it is on by default in iOS 9 and OS X v10.11. Developers should adopt ATS as soon as possible, whether creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

If you are developing a new app, you should use HTTPS only. If you already have an app, you should use HTTPS as much as possible right now and plan to migrate the remaining parts as soon as possible. In addition, communication through higher-level APIs must be encrypted with TLS 1.2 using forward secrecy. If you try to establish a connection that does not meet this standard, an error will be thrown. If your app needs to send requests to an insecure domain, you must declare that domain in your plist file.

ATS requirements:

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

All connections that use the NSURLConnection, CFURL or NSURLSession APIs follow the ATS default behaviour in apps built for iOS 9.0 or later and OS X 10.11 or later. Connections that do not meet the ATS requirements will fail.

These are the App Transport Security requirements:

Meeting ATS requires the following:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.

  • Connection ciphers are limited to those that provide forward secrecy (see the list of accepted ciphers below).

  • Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection.

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connection does not meet the requirements, you will get the following error:

If the connection does not meet the requirements, the following error is reported:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
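The requirements and cipher list above can be checked mechanically before an app ships. The following Python script is an added example, not part of the original post or of Apple's documentation: it evaluates a negotiated connection (TLS version, cipher suite, certificate signature hash and key) against the ATS rules listed above, and includes a small probe for live servers. The mapping in openssl_to_iana assumes OpenSSL's suite naming convention, and all function and variable names are my own.

```python
import re
import socket
import ssl
# Forward-secrecy cipher suites ATS accepts (the list given on the page).
ATS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}  # certificate key minimums from the page

def openssl_to_iana(name):
    """OpenSSL suite name (as ssl.cipher() reports it) -> IANA name used above,
    e.g. ECDHE-RSA-AES128-GCM-SHA256 -> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    parts = name.split("-")
    if len(parts) < 4 or not parts[2].startswith("AES"):
        return name  # not an ECDHE/AES suite: leave as-is so it fails the check
    bulk = re.sub(r"AES(\d+)", r"AES_\1", parts[2])
    mode = "GCM" if "GCM" in parts else "CBC"
    return f"TLS_{parts[0]}_{parts[1]}_WITH_{bulk}_{mode}_{parts[-1]}"

def ats_violations(tls_version, cipher, sig_hash, key_type, key_bits):
    """List the ATS requirements a negotiated connection fails ([] = compliant).
    cipher: IANA or OpenSSL suite name; sig_hash: e.g. 'sha256WithRSAEncryption'."""
    problems = []
    m = re.match(r"TLSv1\.(\d)", tls_version)
    if not m or int(m.group(1)) < 2:
        problems.append(f"TLS version {tls_version} is below 1.2")
    if not cipher.startswith("TLS_"):
        cipher = openssl_to_iana(cipher)
    if cipher not in ATS_CIPHERS:
        problems.append(f"cipher {cipher} is not in the ATS forward-secrecy list")
    h = re.search(r"sha(\d+)", sig_hash, re.I)
    if not h or int(h.group(1)) < 256:
        problems.append(f"signature hash {sig_hash} is weaker than SHA256")
    need = MIN_KEY_BITS.get(key_type.upper())
    if need is None or key_bits < need:
        problems.append(f"{key_type} key of {key_bits} bits is below the minimum")
    return problems

def probe(host, port=443):
    """Return (tls_version, openssl_cipher) from a live server; key size and
    signature hash are not exposed by ssl, so supply them from another tool."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

A server that negotiates a TLS 1.2 ECDHE suite with a SHA-256-signed 2048-bit RSA certificate yields an empty list; a TLS 1.0 server with an RSA key-exchange suite and a SHA-1 1024-bit certificate fails all four checks.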

 

How to configure ATS for an HTTPS server that does not meet the requirements? (setting up an exception for non-compliant HTTPS)

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.circletable.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

NSIncludesSubdomains set to YES means that subdomains use the same settings as the parent domain.

NSExceptionRequiresForwardSecrecy set to NO disables the forward-secrecy requirement when the HTTPS server does not support forward secrecy.

NSExceptionAllowsInsecureHTTPLoads set to YES allows access to the domain even when it has no certificate, or when its certificate is self-signed, expired, or has a mismatched host name, all of which would otherwise cause errors.

How and when to disable ATS? (when not to use ATS, and how to turn it off)

Under iOS 9, a plain HTTP request produces the following error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

If HTTP must be supported, add the following key to Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

The NSAllowsArbitraryLoads key disables ATS entirely.

The property keys (configurable keys)

Key                                                      Type
NSAppTransportSecurity                                   Dictionary
    NSAllowsArbitraryLoads                               Boolean
    NSExceptionDomains                                   Dictionary
        <domain-name-for-exception-as-string>            Dictionary
            NSExceptionMinimumTLSVersion                 String
            NSExceptionRequiresForwardSecrecy            Boolean
            NSExceptionAllowsInsecureHTTPLoads           Boolean
            NSIncludesSubdomains                         Boolean
            NSThirdPartyExceptionMinimumTLSVersion       String
            NSThirdPartyExceptionRequiresForwardSecrecy  Boolean
            NSThirdPartyExceptionAllowsInsecureHTTPLoads Boolean
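Because every one of the keys in the table above loosens ATS in some way, an app's Info.plist is worth auditing before release. The following Python script is an added example, not from the original post: it parses a plist with the standard library and reports each setting that weakens ATS, covering both the per-domain exception shown earlier and the global NSAllowsArbitraryLoads switch. The sample plist, the domain api.example.com and the severity labels are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist (not from the post): one domain exception
# like the page's, plus a global NSAllowsArbitraryLoads that turns ATS off.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

def audit_ats(plist_bytes):
    """Return (severity, message) findings for every ATS-weakening setting."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads=YES disables ATS for all domains"))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if exc.get("NSIncludesSubdomains") else "")
        # The same three keys exist in an NSThirdPartyException... variant.
        for p in ("NSException", "NSThirdPartyException"):
            if exc.get(p + "AllowsInsecureHTTPLoads"):
                findings.append(("high", f"{scope}: {p}AllowsInsecureHTTPLoads=YES permits cleartext HTTP and relaxed certificate checks"))
            if exc.get(p + "RequiresForwardSecrecy") is False:
                findings.append(("medium", f"{scope}: {p}RequiresForwardSecrecy=NO allows non-forward-secret ciphers"))
            ver = exc.get(p + "MinimumTLSVersion")
            if ver and ver < "TLSv1.2":  # values are 'TLSv1.0'..'TLSv1.2', so string order works
                findings.append(("medium", f"{scope}: {p}MinimumTLSVersion={ver} is below TLS 1.2"))
    return findings
```

Run against the sample it reports one global and three per-domain findings; a plist with no NSAppTransportSecurity dictionary at all reports nothing, because ATS is then simply on with its defaults.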


 
