Update on App Transport Security, Chinese-English comparison -- Xcode 7 -- iOS 9

Source: Internet
Author: User
Tags: app service
The chapter structure is my own (no plagiarism): each section gives the English excerpt from the official documentation, followed by my summary. The translation is rough; corrections are welcome.

What is App Transport Security (ATS)?

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.

Summary: ATS is a specification for secure connections between an app and its back end. It prevents accidental information leaks, provides secure default behavior, and is easy to use; it is enabled by default from iOS 9 and OS X v10.11 onward. Developers should adopt ATS as soon as possible, whether creating a new app or updating an existing one.

If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

Summary: a new app should use only HTTPS. An existing app should use HTTPS wherever it can now and plan to migrate the rest as quickly as possible. Communication through the high-level APIs must be encrypted with TLS 1.2 with forward secrecy; a connection that does not comply raises an error. If the app must talk to an insecure domain, that domain has to be listed in Info.plist.

ATS requirements

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

Summary: every connection made through NSURLConnection, CFURL or NSURLSession in an app built for iOS 9.0 or OS X 10.11 and later gets ATS default behavior; connections that do not meet the ATS requirements fail.

These are the App Transport Security requirements:

- The server must support at least Transport Layer Security (TLS) protocol version 1.2.
- Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below).
- Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater elliptic-curve (ECC) key. Invalid certificates result in a hard failure and no connection.

Summary: the server must support TLS 1.2 or later; the negotiated cipher must provide forward secrecy (see the accepted ciphers below); the certificate must be signed with SHA-256 or stronger and use an RSA key of at least 2048 bits or an ECC key of at least 256 bits. An invalid certificate means no connection at all.

These are the accepted ciphers:

- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connection does not meet the requirements, you get the following error:

    NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

How do you configure an HTTPS domain that does not meet the ATS requirements?
Add an exception for the domain under NSAppTransportSecurity in Info.plist:

    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSExceptionDomains</key>
      <dict>
        <key>api.circletable.com</key>
        <dict>
          <key>NSIncludesSubdomains</key>
          <true/>
          <key>NSExceptionRequiresForwardSecrecy</key>
          <false/>
          <key>NSExceptionAllowsInsecureHTTPLoads</key>
          <true/>
        </dict>
      </dict>
    </dict>

NSIncludesSubdomains set to YES means the subdomains use the same settings as the parent domain.

NSExceptionRequiresForwardSecrecy set to NO turns off the forward-secrecy requirement; use it when the current HTTPS server does not support forward secrecy.

NSExceptionAllowsInsecureHTTPLoads set to YES allows access to the domain even when it presents no certificate, or a certificate that is self-signed, expired, or whose host name does not match.

How and when to disable ATS? (When ATS cannot be used, how to turn it off.)

Making a plain HTTP request under iOS 9 produces the following error:

    App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

If you need to support HTTP, add this entry to Info.plist:

    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSAllowsArbitraryLoads</key>
      <true/>
    </dict>

The NSAllowsArbitraryLoads entry disables ATS (for every domain not listed in NSExceptionDomains).

The property keys (settings that can be set)

    Key                                            Type
    NSAppTransportSecurity                         Dictionary
    NSAllowsArbitraryLoads                         Boolean
    NSExceptionDomains                             Dictionary
    <domain-name-for-exception-as-string>          Dictionary
    NSExceptionMinimumTLSVersion                   String
    NSExceptionRequiresForwardSecrecy              Boolean
    NSExceptionAllowsInsecureHTTPLoads             Boolean
    NSIncludesSubdomains                           Boolean
    NSThirdPartyExceptionMinimumTLSVersion         String
    NSThirdPartyExceptionRequiresForwardSecrecy    Boolean
    NSThirdPartyExceptionAllowsInsecureHTTPLoads   Boolean

NSAppTransportSecurity

A dictionary containing the settings for overriding default App Transport Security behaviors. The top-level key for the app's Info.plist file.

Summary: the dictionary that overrides ATS default behavior and holds all ATS settings; it is the top-level ATS key in the app's Info.plist.

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain. The default value of NO requires the default App Transport Security behavior for all connections.

Summary: a Boolean that disables ATS for every domain not added to the NSExceptionDomains dictionary. The default is NO, meaning all connections must meet the ATS requirements.

NSExceptionDomains

A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.

Summary: a dictionary of ATS exceptions; each key is a string holding the excepted domain name.

<domain-name-for-exception-as-string>

A dictionary of exceptions for the named domain. The name of the key is the name of the domain, for example www.apple.com.

Summary: the dictionary holding the exceptions for one domain; the key is the domain name.

NSExceptionMinimumTLSVersion

A string that specifies the minimum TLS version for connections. Valid values are: TLSv1.0, TLSv1.1, TLSv1.2. TLSv1.2 is the default value.

Summary: a string giving the minimum TLS version the connection may use. Valid values are TLSv1.0, TLSv1.1 and TLSv1.2; the default is TLSv1.2.

NSExceptionRequiresForwardSecrecy

A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers. YES is the default value and limits the ciphers to those shown under Default Behavior (the accepted-cipher list above). Setting the value to NO adds the following to the list of accepted ciphers:

- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA

NSExceptionAllowsInsecureHTTPLoads

A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate. NO is the default value.

NSIncludesSubdomains

A Boolean value for applying the overrides to all subdomains of the top-level domain. NO is the default value.

NSThirdPartyExceptionMinimumTLSVersion

A version of NSExceptionMinimumTLSVersion used when the domain is an app service that's not controlled by the developer.

NSThirdPartyExceptionRequiresForwardSecrecy

A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that's not controlled by the developer.

NSThirdPartyExceptionAllowsInsecureHTTPLoads

A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that's not controlled by the developer.

Reference

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/
http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/
https://developer.apple.com/library/prerelease/ios/releasenotes/general/whatsnewinios/articles/ios9.html
https://developer.apple.com/library/prerelease/ios/releasenotes/developertools/rn-xcode/chapters/xc7_release_notes.html#//apple_ref/doc/uid/tp40001051-ch5-sw1
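The ATS requirements (TLS 1.2 minimum, the forward-secrecy cipher list, and the extra TLS_RSA suites allowed when forward secrecy is switched off) and the Info.plist exception keys documented above, worked through as an added example that is not code from the post or from Apple: it loads an NSAppTransportSecurity dictionary with Python's plistlib, resolves which settings apply to a host (a matching exception entry, a parent entry with NSIncludesSubdomains, NSAllowsArbitraryLoads, or the defaults) and decides whether a given load would pass. The plist fragment and host names are constructed for the example, and the rule that the most specific exception entry wins is an assumption; certificate checks are not modelled.

```python
import plistlib
# Suites ATS accepts by default (all ECDHE, hence forward secrecy), per the post's list.
FS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}
# Static-RSA suites, accepted only where NSExceptionRequiresForwardSecrecy is NO.
NON_FS_CIPHERS = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"}
# Constructed Info.plist fragment (not from the post): one relaxed exception domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>legacy.example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionRequiresForwardSecrecy</key><false/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict></dict></dict></dict></plist>"""
ATS = plistlib.loads(SAMPLE_PLIST)["NSAppTransportSecurity"]
def setting(exc, name, default):
    # NSThirdPartyException* keys mirror the NSException* keys for domains you do not control.
    return exc.get("NSException" + name, exc.get("NSThirdPartyException" + name, default))
def effective_policy(ats, host):
    # Precedence: a matching exception entry, then NSAllowsArbitraryLoads, then the defaults.
    matches = [(d, e) for d, e in ats.get("NSExceptionDomains", {}).items()
               if host == d or (e.get("NSIncludesSubdomains", False) and host.endswith("." + d))]
    if matches:  # assumption for this example: the most specific (longest) entry wins
        domain, exc = max(matches, key=lambda m: len(m[0]))
        return {"enforced": True, "source": domain,
                "min_tls": setting(exc, "MinimumTLSVersion", "TLSv1.2"),
                "forward_secrecy": setting(exc, "RequiresForwardSecrecy", True),
                "insecure_http": setting(exc, "AllowsInsecureHTTPLoads", False)}
    if ats.get("NSAllowsArbitraryLoads", False):
        return {"enforced": False, "source": "NSAllowsArbitraryLoads"}
    return {"enforced": True, "source": "default", "min_tls": "TLSv1.2",
            "forward_secrecy": True, "insecure_http": False}

def connection_allowed(policy, scheme, tls_version="TLSv1.2", cipher=None):
    # One load under the resolved policy; plist TLS version strings also order correctly as text.
    if not policy["enforced"]:
        return True  # NSAllowsArbitraryLoads: ATS is off for this host
    if scheme == "http":
        return policy["insecure_http"]
    allowed = FS_CIPHERS if policy["forward_secrecy"] else FS_CIPHERS | NON_FS_CIPHERS
    return tls_version >= policy["min_tls"] and cipher in allowed
```

Running effective_policy over every host an app talks to is a quick way to see which exception entries actually weaken ATS before shipping.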
