Certificate-related description: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/cocoakeys.html
With ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. ATS employs the Transport Layer Security (TLS) protocol version 1.2 (RFC 5246). For background on secure Internet connections, read HTTPS Server Trust Evaluation.
http://www.cocoachina.com/ios/20161207/18308.html
1. The certificate must be issued by an Apple-trusted certificate authority (CA).
2. The backend transport protocol must be TLS 1.2 (this is important: it is the precondition for the self-made certificate discussed below to be usable).
3. The TLS cipher suite can only be one of the following:
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
4. Certificates must be signed with SHA256 or a better hashing algorithm, and must use either a 2048-bit or longer RSA key or a 256-bit or longer ECC key.
There are currently two ways to upgrade to HTTPS:
1. Use a certificate issued by a third-party certificate authority (recommended)
2. Make your own certificate (it is not known whether this can pass Apple's review)
The server certificate must be issued by a root certification authority embedded in the operating system, or by a root certification authority that is actively installed by the operating system administrator or user. The TLS version must be 1.2, and any connection that does not use TLS/SSL, or that uses a lower version of it, will fail. The connection must use the AES-128 or AES-256 symmetric encryption algorithm. The TLS cipher suite must support forward secrecy in the form of an ECDHE key exchange, and must be one of the following:
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
The leaf certificate signing key must be one of the following: an RSA key of at least 2048 bits, or an ECC key of at least 256 bits. Additionally, the hash algorithm for the server certificate must be SHA-2 with a digest length of at least 256 bits (that is, SHA-256 and above). The above standards may change in the future; this does not affect the compatibility of the app binary package. Thank you!
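The requirements above can be turned into a pre-submission check for a server's negotiated TLS parameters. The following is an added example, not code from the original page or from Apple: the function names, sample endpoint names and sample values are constructed, and the OpenSSL-style suite names are accepted as an assumption because that is the form `openssl s_client` and Python's `ssl` module report.

```python
import re

# The 11 cipher suites listed on this page (IANA names).
ATS_SUITES = """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
""".split()

def openssl_name(iana):
    """Convert an IANA suite name to the OpenSSL form, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> ECDHE-RSA-AES128-SHA."""
    return (iana[4:].replace("WITH_", "").replace("CBC_", "")
            .replace("AES_", "AES").replace("_", "-"))

ALLOWED = set(ATS_SUITES) | {openssl_name(s) for s in ATS_SUITES}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}

def ats_violations(tls_version, cipher, key_type, key_bits, sig_alg):
    """Return the ATS requirements (as stated on this page) that fail."""
    problems = []
    if tls_version != "TLSv1.2":
        problems.append(f"TLS version {tls_version}, need TLSv1.2")
    if cipher not in ALLOWED:
        problems.append(f"cipher suite {cipher} not in ATS list")
    if key_bits < MIN_KEY_BITS.get(key_type, float("inf")):
        problems.append(f"{key_type} key of {key_bits} bits too weak")
    m = re.search(r"sha(\d+)", sig_alg, re.I)  # sha1 -> 1, sha256 -> 256
    if not m or int(m.group(1)) < 256:
        problems.append(f"signature {sig_alg} is not SHA-256 or better")
    return problems

# Constructed sample endpoints (not real measurements).
SAMPLES = {
    "good-rsa": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048, "sha256WithRSAEncryption"),
    "good-ec": ("TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "EC", 256, "ecdsa-with-SHA384"),
    "legacy": ("TLSv1", "AES128-SHA", "RSA", 1024, "sha1WithRSAEncryption"),
    "no-pfs": ("TLSv1.2", "AES256-GCM-SHA384", "RSA", 4096, "sha256WithRSAEncryption"),
}

def audit(samples=SAMPLES):
    return {name: ats_violations(*p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "PASS" if not problems else problems)
```

The "no-pfs" sample shows why the suite list matters on its own: a strong key and a SHA-256 signature still fail when the negotiated suite has no ECDHE key exchange.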
ATS and HTTPS