Apple ATS feature Server Certificate Configuration Guide

Source: Internet
Author: User
Tags: cipher suite

Configuration guide:

The server must be configured with a cipher suite list that supports forward secrecy (PFS). The currently recommended OpenSSL cipher string is:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4

TLS 1.2 must be enabled on the server side. The currently recommended protocol list is:

TLSv1 TLSv1.1 TLSv1.2

1. Nginx Certificate Configuration

Update conf/nginx.conf under the Nginx root directory as follows:

server {
    # nginx directive names and OpenSSL cipher names are case-sensitive
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

2. Apache Certificate Configuration

Update conf/httpd.conf under the Apache root directory as follows:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        SSLProtocol TLSv1 TLSv1.1 TLSv1.2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
    </VirtualHost>
</IfModule>

3. Tomcat Certificate Configuration

Update the %TOMCAT_HOME%\conf\server.xml file as follows:

<!-- SSLProtocol and SSLCipherSuite are the attribute names of the APR/native
     connector, which takes OpenSSL-style cipher names -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />

4. IIS Certificate Configuration

4.1 Method One

Windows Server 2008 and earlier do not support the TLS 1.2 protocol, so they cannot be adjusted. On Windows Server 2008 R2, TLS 1.2 is supported but disabled by default, and it must be enabled to meet the ATS requirements.

On 2008 R2, importing the certificate by itself changes neither the enabled protocols nor the cipher suites.
In the case below, after the certificate was imported the check found that the cipher suites already met the ATS requirements, but TLS 1.2 was not enabled, and ATS requires TLS 1.2. The SSLTools utility (offered by TrustAsia) can be used to enable TLS 1.2.

Tick all three TLS protocol versions in the tool and restart the system.
If the check reports that PFS is not supported, also select the ECDHE and DHE entries in the cipher suite list.

4.2 Method Two

Click Start, choose Run, and enter regedit.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, right-click it and create two new keys, TLS 1.1 and TLS 1.2.
Under each of TLS 1.1 and TLS 1.2, right-click and create two new keys, Server and Client.
In each of the new Server and Client keys create the following entries (DWORD 32-bit values), four in total per protocol:
DisabledByDefault [Value = 0]
Enabled [Value = 1]

Reboot the system after completion

Encryption Suite Tuning
If the forward-secret cipher suites are not supported, the Group Policy Editor can be used to adjust the cipher suite order.
Click Start, choose Run, and enter gpedit.msc. TLS 1.2 must already be enabled before this adjustment is made.

Double-click SSL Cipher Suite Order.

Add the supported ECDHE cipher suites to the SSL cipher suite list, separated by commas (,):
Open a blank WordPad document.
Copy the list of available suites from the right-hand side and paste it into the document.
Arrange the suites in the desired order and remove any suites you do not want to use.
Type a comma at the end of each suite name except the last. Make sure no spaces are embedded.
Remove all line breaks so that the cipher suite names are on one long line.
Copy the cipher suite line to the Clipboard and paste it into the edit box. The maximum length is 1023 characters.

The following suites can be added to the cipher suite list:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Report:
Recommended suite combinations:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
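As an added worked example (not part of this guide and not from any vendor's tooling), the following Python script expands the OpenSSL cipher string recommended at the top of the guide with the local OpenSSL, sorts the result into ATS-accepted, forward-secret-only and non-forward-secret suites, and also checks Schannel-style names like those in the IIS report above against Apple's published ATS list. It assumes Python 3.6+ with the standard ssl module; the ATS list is Apple's published set of twelve ECDHE/AES suites.

```python
import ssl

# Apple's published ATS-accepted cipher suites (IANA names). They are exactly
# the ECDHE suites with AES-128/256 in GCM or CBC mode; nothing else qualifies.
ATS_ACCEPTED = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def windows_suite_is_ats(name):
    """Schannel (IIS) lists suites by IANA name, optionally with a curve suffix
    such as _P256 as in the guide's report. Normalise and look the name up."""
    base = name.upper()
    for suffix in ("_P256", "_P384", "_P521"):
        if base.endswith(suffix):
            base = base[: -len(suffix)]
    return base in ATS_ACCEPTED

def openssl_suite_is_ats(name):
    """OpenSSL names (Nginx, Apache, Tomcat APR) of the ATS suites all start with
    ECDHE-RSA-AES or ECDHE-ECDSA-AES; the AES-CCM variants are not on the list."""
    return name.startswith(("ECDHE-RSA-AES", "ECDHE-ECDSA-AES")) and "CCM" not in name

def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string exactly as the server's OpenSSL would and
    bucket the TLS 1.2-and-below suites in server preference order. PSK/SRP
    suites may appear too; they only negotiate if the server configures them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string is invalid
    ordered = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    report = {"ats": [], "pfs_only": [], "no_pfs": []}
    for name in ordered:
        if openssl_suite_is_ats(name):
            report["ats"].append(name)
        elif name.startswith(("ECDHE-", "DHE-", "EDH-")):
            report["pfs_only"].append(name)  # forward secret, but not ATS-listed
        else:
            report["no_pfs"].append(name)  # no ephemeral (EC)DH key exchange
    return report

if __name__ == "__main__":
    # The cipher string recommended by the guide above.
    GUIDE = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"
    for bucket, names in audit_cipher_string(GUIDE).items():
        print(f"{bucket:9s} {len(names):3d} suites, first: {names[:2]}")
```

Running it against the guide's string shows that the AES and HIGH keywords also admit static-RSA suites that ATS clients will never negotiate; putting ECDHE-RSA-AES128-GCM-SHA256 first only sets the server's preference.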
