AFNetworking ATS network-layer transformation

Source: Internet
Author: User

Recently I have been working on an ATS retrofit of a project, and I ran into all kinds of problems along the way, so I am recording the pitfalls here,

such as the iOS version, the AFNetworking version, the certificate (whether it is self-signed), domain-name verification, the TLS version, and so on. Our project is fairly complex and also uses a domain-name-to-IP mapping (routing-table) strategy, which means configuring various hosts when validating the self-signed certificate; I do not repeat that in this article, and anyone with similar requirements can discuss it with me privately:

Where the description is wrong, corrections from the experts are welcome!

First a little background; if you are not interested, feel free to skip this part :)

About ATS: put simply, the network requests an app makes must use HTTPS. From iOS 9 this setting is on by default, and all plain HTTP requests in the project are blocked directly by the system.

There are, of course, some exceptions that can be configured for a third-party domain in Info.plist, as follows:

    • NSAllowsArbitraryLoads: disables ATS for the whole app; no longer permitted after January 1, 2017.

    • NSAllowsArbitraryLoadsInMedia: lets AVFoundation play audio and video without HTTPS.

    • NSAllowsArbitraryLoadsInWebContent: lets the built-in browser (WKWebView, UIWebView) make plain HTTP requests.

    • NSExceptionAllowsInsecureHTTPLoads: lets a specific domain use HTTP, or HTTPS with an otherwise insecure setup (no certificate, a self-signed certificate, an expired certificate, a certificate that does not match the host, and so on).

    • NSExceptionMinimumTLSVersion: lets the TLS version negotiated with a specific HTTPS service be lower than 1.2.

The specific configuration can be found in the official documentation:

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW58
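As an added example (not part of the original post), here is an Info.plist fragment that uses the keys listed above the way the post describes them. The blanket NSAllowsArbitraryLoads switch is shown commented out as the weak setting, and a single legacy host gets a scoped exception instead; the host name legacy.example.com is a placeholder, and NSIncludesSubdomains is a standard ATS key not mentioned in the post.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Weak setting: turns ATS off for every request the app makes.
         Shown only for contrast; leave it out of a real configuration. -->
    <!--
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->

    <!-- Needed for unqualified host names and .local services -->
    <key>NSAllowsLocalNetworking</key>
    <true/>

    <!-- Scoped exception: only this legacy host (placeholder name) may use
         plain HTTP or negotiate a TLS version below 1.2 -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
        </dict>
    </dict>
</dict>
```

The point of the scoped form is that every other host the app talks to stays under the full ATS rules (TLS 1.2, SHA-256 signatures, trusted chain), and the exception is visible in one place for review when the legacy host is eventually fixed.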

According to Apple's official statement, there are strict requirements on the certificate, domain name and IP address; be aware of these when configuring the server certificate.

such as the certificate:

The server's digital certificate must meet at least one of the following trust requirements:

    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

    • Issued by a trusted root CA and installed by the user or a system administrator

That is, the certificate must either be issued by a recognised CA whose root certificate is built into the system, or be installed into the system manually by the user. In addition, the certificate must be signed with SHA-256 or a stronger hash.

Second, the TLS version must be TLS 1.2.

The cipher suites are also restricted: AES-128 or AES-256, and so on.

As for the scope of ATS, this is what Apple says:

ATS applies only to host names and does not restrict the following:

    • IP addresses (here iOS 9 and iOS 10 behave inconsistently: with ATS enabled, requests by IP address are not restricted on iOS 10, but they are blocked on iOS 9)

    • Illegal host names (does anyone know what counts as "illegal" here?)

    • Local services, such as .local domains

If you use the illegal host names or local services described above, set the NSAllowsLocalNetworking key to YES.



Now to the point: adapting the client's AFNetworking layer.

At the network layer, most apps use AFNetworking as the dependency, so let's start with AFNetworking.

In fact, ATS does not need to be enabled while the HTTPS conversion is in progress; turn it on once the transformation is complete.

AFNetworking's certificate and domain-name validation logic for HTTPS is concentrated in AFSecurityPolicy. Let's start with the simplest case:

Regular CA certificate:

If you are using a CA certificate purchased from an established CA, the configuration is simple:

With the above settings, HTTPS is supported.

As for the configuration items: AFSecurityPolicy uses the default security policy, which does not allow invalid certificates (typically self-signed ones) and enforces domain-name validation.

Since these are also the default settings, the last two lines of code could simply be omitted.

Self-signed certificate:

If you use a self-signed certificate, you need the second approach. (Asking users to install the certificate on their phone is practically a non-starter, unless your app is as dominant as 12306.)

First you need to add the certificate's CER file to the app; AFNetworking does the rest: it automatically scans the bundle for CER files and creates a certificate trust anchor from them,

and you can add more than one CA certificate if needed.
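To make the two configurations concrete, here is an added example that is not part of the original post and not AFNetworking's own code. It builds an AFHTTPSessionManager for each case: the default policy for a certificate from a public CA, and a pinned policy for a self-signed certificate whose .cer files are read explicitly from the main bundle. It assumes AFNetworking 3.x; the class name SecureSessionFactory is hypothetical.

```objc
#import <AFNetworking/AFNetworking.h>

// Added example, not from the original post. Assumes AFNetworking 3.x.
// SecureSessionFactory is a hypothetical helper class.
@interface SecureSessionFactory : NSObject
+ (AFHTTPSessionManager *)managerForPublicCAServer;
+ (AFHTTPSessionManager *)managerForSelfSignedServer;
@end

@implementation SecureSessionFactory

// Case 1: server certificate from a public CA whose root is built into iOS.
// The two property values are AFSecurityPolicy's defaults; they are assigned
// here only to make the policy explicit.
+ (AFHTTPSessionManager *)managerForPublicCAServer {
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    policy.allowInvalidCertificates = NO;   // reject self-signed, expired or mismatched certs
    policy.validatesDomainName = YES;       // CN/SAN must match the requested host

    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    manager.securityPolicy = policy;
    return manager;
}

// Case 2: self-signed server certificate. The DER-encoded .cer files are added
// to the app target and read from the main bundle explicitly, which avoids the
// bundleForClass: problem described in the post.
+ (AFHTTPSessionManager *)managerForSelfSignedServer {
    NSSet<NSData *> *certs = [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]];
    NSAssert(certs.count > 0, @"no .cer files found in the main bundle");

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate
                                               withPinnedCertificates:certs];
    // A self-signed certificate fails the system-root check, so this has to be
    // YES; the pinned certificate set is what keeps the connection safe.
    policy.allowInvalidCertificates = YES;
    // Keep host-name validation on: the pinned certificate's CN/SAN must still
    // match the host being contacted, otherwise any pinned cert works anywhere.
    policy.validatesDomainName = YES;

    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    manager.securityPolicy = policy;
    return manager;
}

@end
```

Pinning does not bypass ATS's TLS 1.2, cipher-suite and SHA-256 signature requirements; a self-signed certificate still has to satisfy those, and the delegate override only covers the chain-of-trust decision.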

Let's briefly talk about AFNetworking's verification mechanism.

On this point I had a question when reading the AFNetworking source: when scanning the bundle it uses [NSBundle bundleForClass:[self class]]

rather than [NSBundle mainBundle]. During testing I once hit the case where the former bundle was AFNetworking's own, so the CER file could not be read, which means a CER file added to the project would never be scanned ... There are several ways to read a CER file manually when you import it:

    // Create certificate data from the .cer file in the main bundle
    NSData *certData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"https" ofType:@"cer"]];
    // Build a SecCertificateRef from the DER data (__bridge: no extra retain, so nothing leaks)
    SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certData);
    // Wrap it in a CFArray so it can be passed to SecTrustSetAnchorCertificates
    const void *array[1] = { rootCert };
    CFArrayRef certs = CFArrayCreate(NULL, array, 1, &kCFTypeArrayCallBacks);
    CFRelease(rootCert);  // the array holds its own reference

Anyway, whether AFNetworking scans automatically or you import manually, the ultimate goal is to validate the certificate.

AFNetworking also lets the system validate the certificate chain. First, the certificate information returned by the server is added to the validation policy:

Then the certificate chain is validated with the system API:

Once certificate validation above has passed, domain-name validation follows,

That covers certificate and domain-name validation in the app.
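As an added example (not AFNetworking's own code and not from the original post), the following NSURLSessionDelegate performs the same steps with the Security framework directly: attach an SSL policy carrying the expected host name, set the bundled certificate as the only trusted anchor, and have the system evaluate the chain. The class name PinnedTrustDelegate and the file name https.cer are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not AFNetworking's code. PinnedTrustDelegate and https.cer
// are assumed names.
@interface PinnedTrustDelegate : NSObject <NSURLSessionDelegate>
+ (BOOL)isServerTrustValid:(SecTrustRef)serverTrust forHost:(NSString *)host;
@end

@implementation PinnedTrustDelegate

// Load the DER-encoded https.cer shipped in the main bundle as the trust anchor.
+ (CFArrayRef)copyAnchorCertificates {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"https" ofType:@"cer"];
    NSData *certData = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (!certData) {
        return NULL;
    }
    SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault,
                                                          (__bridge CFDataRef)certData);
    if (!cert) {
        return NULL;
    }
    const void *values[1] = { cert };
    CFArrayRef anchors = CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks);
    CFRelease(cert);  // the array holds its own reference
    return anchors;
}

// Step 1: attach an SSL policy with the expected host name, so the evaluation
//         also checks that the leaf certificate's CN/SAN matches it.
// Step 2: make the pinned certificate(s) the only trusted anchors.
// Step 3: let the system evaluate the chain.
+ (BOOL)isServerTrustValid:(SecTrustRef)serverTrust forHost:(NSString *)host {
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustSetPolicies(serverTrust, sslPolicy);
    CFRelease(sslPolicy);

    CFArrayRef anchors = [self copyAnchorCertificates];
    if (!anchors) {
        return NO;  // no pinned certificate available: fail closed
    }
    SecTrustSetAnchorCertificates(serverTrust, anchors);
    SecTrustSetAnchorCertificatesOnly(serverTrust, true);
    CFRelease(anchors);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(serverTrust, &result);
    // "Unspecified" = trusted by policy with no explicit user decision;
    // "Proceed" = explicitly trusted by the user. Everything else fails.
    return status == errSecSuccess &&
           (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    if ([[self class] isServerTrustValid:space.serverTrust forHost:space.host]) {
        NSURLCredential *credential = [NSURLCredential credentialForTrust:space.serverTrust];
        completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end
```

SecTrustEvaluate is what AFNetworking of this era calls; on iOS 12 and later SecTrustEvaluateWithError is the replacement and returns the failure reason, which is useful when debugging a rejected self-signed certificate.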
