Recently I have been working on the ATS retrofit of a project. All sorts of problems came up along the way, so I am recording the pitfalls here:
iOS version, AFNetworking version, certificate type (CA-issued or self-signed), domain name verification, TLS version, and so on. Our project is fairly complex and also uses a domain-name-to-IP mapping (routing table) strategy, with various host configurations for self-signed certificate verification; that part is not repeated in this article, but anyone with similar requirements is welcome to discuss it privately.
Where the description is wrong, corrections from the experts are welcome!
First a little background; if you are not interested, skip the highlighted part :)
About ATS, simply put: network requests made by the app must use HTTPS. Starting with iOS 9 this setting is on by default, and all plain HTTP requests in the project are blocked directly by the system.
There are, of course, some exceptions, which can be used by configuring the third-party domain names in Info.plist, as follows:
The specific configuration can be found in the official documentation:
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/tp40009251-sw58
According to Apple's official statement, there are strict requirements on the certificate, domain name and IP address; be aware of these when configuring the server certificate.
For example, certificates:
The server's digital certificate must meet at least one of the following trust requirements:
That is, the certificate must either be issued by a regular CA whose root certificate is built into the system, or be manually installed into the system by the user. In addition the certificate must be signed with at least SHA-256.
Second, the TLS version must be TLS 1.2.
Cipher suites are also restricted: AES-128 or AES-256, etc.
About the limits of ATS, this is what Apple says:
ATS applies only to host names and does not restrict the following:
IP addresses (here iOS 9 and iOS 10 behave inconsistently: with ATS enabled, requests by IP address are not restricted on iOS 10, but on iOS 9 they are blocked)
Invalid host names (does anyone know what counts as invalid?)
Local services, such as .local domains
If you use the invalid host names or local services described above, set the NSAllowsLocalNetworking key to YES.
Now to the point: adapting the client's AFNetworking.
On the network layer, most apps use AFNetworking as their dependency, so let's start with AFNetworking.
In fact, while switching to HTTPS you do not need to enable ATS yet; after the conversion is done, just turn it on.
AFNetworking's HTTPS certificate and domain name verification logic is mainly concentrated in AFSecurityPolicy. Let's start with the simplest case.
Regular CA certificate:
If you are using a CA certificate purchased from a formal institution, the configuration is simple:
With the above settings, HTTPS is supported.
As for the configuration items: AFSecurityPolicy uses the default security policy, does not allow invalid certificates (typically self-signed certificates), and enforces domain name verification.
Of course, these are also the default settings, so the last two lines of code can simply be omitted.
Self-signed certificate:
If you use a self-signed certificate, you need to take the second route. (Asking the user to install the certificate on the phone is practically unfeasible, unless your app is as awesome as 12306.)
First you need to import the certificate's .cer file into the app. AFNetworking does the rest of the work for you: it automatically scans the bundle for .cer files and creates certificate trust anchors from them.
It is also fine to import more than one CA certificate file.
Let's briefly talk about AFNetworking's verification mechanism.
On this point I had a question when reading the AFNetworking source: when scanning the bundle it uses [NSBundle bundleForClass:[self class]]
instead of [NSBundle mainBundle]. During testing I ran into the case where the former bundle was AFNetworking's own, so the .cer file could not be read, and the .cer file imported into the project was never scanned. There are many ways to read a .cer file manually when importing it:
// Create certificate data from the .cer file bundled in the app's main bundle
NSData *certData = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"https" ofType:@"cer"]];
// Parse the DER-encoded data into a certificate object (__bridge avoids leaking a retained copy)
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certData);
// Wrap it in a CFArray so it can be used as a trust anchor
const void *array[1] = { rootCert };
CFArrayRef certs = CFArrayCreate(NULL, array, 1, &kCFTypeArrayCallBacks);
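As an added example (not from the original post or from AFNetworking itself), here is the self-signed-certificate setup described above done end to end: the .cer files are read from the main bundle explicitly, so the policy no longer depends on which bundle AFNetworking happens to scan. It assumes AFNetworking 3.x and at least one .cer file in the app target.

```objective-c
// Added example: pin the bundled self-signed certificate(s) with AFSecurityPolicy.
#import <AFNetworking/AFNetworking.h>

// Collect every .cer file from the main bundle (not the bundle of AFSecurityPolicy).
static NSSet<NSData *> *MainBundleCertificates(void) {
    NSMutableSet<NSData *> *certs = [NSMutableSet set];
    NSArray<NSString *> *paths = [[NSBundle mainBundle] pathsForResourcesOfType:@"cer" inDirectory:@"."];
    for (NSString *path in paths) {
        NSData *data = [NSData dataWithContentsOfFile:path];
        if (data.length > 0) {
            [certs addObject:data];
        }
    }
    return certs;
}

// Build a session manager whose security policy only trusts the pinned certificates.
static AFHTTPSessionManager *PinnedSessionManager(void) {
    NSSet<NSData *> *pinned = MainBundleCertificates();
    NSCAssert(pinned.count > 0, @"no .cer file found in the main bundle; pinning would trust nothing");

    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate
                                               withPinnedCertificates:pinned];
    // The self-signed root is not in the system trust store, so system validation alone would fail.
    policy.allowInvalidCertificates = YES;
    // Keep the host name check: the leaf certificate must still match the host being requested.
    policy.validatesDomainName = YES;

    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    manager.securityPolicy = policy;
    return manager;
}
```

Leaving validatesDomainName at YES matters: with allowInvalidCertificates set, the pinned certificates are the only thing standing between the app and a forged server, and the host name check ensures a pinned certificate is not accepted for a different host.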
Anyway, whether AFNetworking scans automatically or you import manually, the end goal is the same: verifying the certificate.
AFNetworking also uses the system to verify the certificate chain. First it adds the certificate information returned by the server to the validation policy:
The certificate chain is then validated using the system API:
Once the certificate verification above has passed, the domain name verification follows:
The above covers the main work of verifying the certificate and domain name in the app.
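To make the two verification steps just described concrete, here is an added example (not AFNetworking's own code) that performs them directly with the Security framework: the SSL policy carries the expected host name, the bundled certificates become the only trust anchors, and SecTrustEvaluate decides. It assumes serverTrust comes from an NSURLAuthenticationChallenge, host is the request's host name, and pinnedCerts holds the DER bytes of the app's .cer files.

```objective-c
// Added example: certificate-chain and host-name verification against pinned anchors.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static BOOL ServerTrustIsValid(SecTrustRef serverTrust, NSString *host, NSSet<NSData *> *pinnedCerts) {
    if (serverTrust == NULL || host.length == 0 || pinnedCerts.count == 0) {
        return NO;  // never fall back to "trust everything" on missing input
    }

    // Domain-name check: an SSL policy bound to host rejects a chain whose leaf does not match it.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustSetPolicies(serverTrust, policy);
    CFRelease(policy);

    // Certificate-chain check: the bundled certificates are the only acceptable trust anchors.
    NSMutableArray *anchors = [NSMutableArray array];
    for (NSData *data in pinnedCerts) {
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);
        if (cert != NULL) {
            [anchors addObject:(__bridge_transfer id)cert];
        }
    }
    if (anchors.count == 0) {
        return NO;  // no parseable .cer file, so there is nothing to anchor the chain to
    }
    SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(serverTrust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(serverTrust, &result) != errSecSuccess) {
        return NO;
    }
    // Unspecified: chain verified with no explicit user decision; Proceed: verified and user-trusted.
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

// Hypothetical NSURLSession delegate use: accept the server only when the check above passes.
static void HandleChallenge(NSURLAuthenticationChallenge *challenge, NSSet<NSData *> *pinnedCerts,
                            void (^completionHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    if (ServerTrustIsValid(trust, challenge.protectionSpace.host, pinnedCerts)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
```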
AFNetworking ATS network layer retrofit