Update on App Transport Security (Chinese-English comparison)

Source: Internet
Uploaded by: User

Author's note: the section headings are my own and nothing is plagiarized; the English portions are excerpts from the official documentation together with my own summary. My translation is not good, so corrections are welcome.

App Transport Security (tentatively rendered in Chinese as "app 傳輸安全")

What is ATS?

App Transport Security (ATS) enforces best practices for the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you are creating a new app or updating an existing one.

If you are developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that does not follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

ATS requirements:

All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.

These are the App Transport Security requirements:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.

  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below).

  • Certificates must be signed using a SHA-256 or greater signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater elliptic-curve (ECC) key. Invalid certificates result in a hard failure and no connection.

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

If your connection does not meet the requirements, you will get the following error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
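The following is an added example, not code from the original post or from Apple, that turns the requirements above into a check you can run on a captured handshake summary instead of waiting for the opaque -9802 failure on the device. The two cipher lists are the ones this post reproduces from Apple's documentation; the handshake summaries (MODERN_SERVER, LEGACY_SERVER), the layout of the `observed` dictionary and the function names are constructed for this example and are not an Apple API.

```python
"""Evaluate one TLS connection against the App Transport Security requirements.

Added example; not code from the original post or from Apple. The handshake
summaries below are constructed, not captured from real servers.
"""
import re

# Accepted by default: every suite uses ECDHE, so all provide forward secrecy.
ATS_FS_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})

# Additionally accepted only when NSExceptionRequiresForwardSecrecy is NO
# (static RSA key exchange: no forward secrecy).
ATS_NON_FS_CIPHERS = frozenset({
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
})

TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2}


def ats_violations(observed, minimum_tls="TLSv1.2", requires_forward_secrecy=True):
    """Return the list of ATS requirements the connection fails (empty = accepted).

    minimum_tls and requires_forward_secrecy mirror NSExceptionMinimumTLSVersion
    and NSExceptionRequiresForwardSecrecy for the host. Neither key relaxes the
    certificate rules, so those are always checked.
    """
    problems = []

    version = observed["tls_version"]
    if TLS_RANK.get(version, -1) < TLS_RANK[minimum_tls]:
        problems.append(f"protocol {version} is below the minimum {minimum_tls}")

    allowed = ATS_FS_CIPHERS if requires_forward_secrecy else ATS_FS_CIPHERS | ATS_NON_FS_CIPHERS
    cipher = observed["cipher"]
    if cipher not in allowed:
        problems.append(f"cipher suite {cipher} is not in the accepted list")

    # Signature hash must be SHA-256 or stronger: sha384/sha512 pass, sha1/md5 fail.
    match = re.fullmatch(r"sha(\d+)", observed["sig_hash"].lower())
    if not match or int(match.group(1)) < 256:
        problems.append(f"certificate signature hash {observed['sig_hash']} is weaker than SHA-256")

    key_type, key_bits = observed["key_type"].upper(), observed["key_bits"]
    if key_type == "RSA":
        if key_bits < 2048:
            problems.append(f"RSA key of {key_bits} bits is below 2048")
    elif key_type in ("EC", "ECC", "ECDSA"):
        if key_bits < 256:
            problems.append(f"elliptic-curve key of {key_bits} bits is below 256")
    else:
        problems.append(f"unsupported public key type {key_type}")

    return problems


# Constructed handshake summaries (not captured from real servers).
MODERN_SERVER = {
    "tls_version": "TLSv1.2",
    "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "sig_hash": "sha256",
    "key_type": "RSA",
    "key_bits": 2048,
}

LEGACY_SERVER = {
    "tls_version": "TLSv1.0",
    "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "sig_hash": "sha1",
    "key_type": "RSA",
    "key_bits": 1024,
}


def report(name, observed, **policy):
    """Print a verdict for one server and return its violations."""
    problems = ats_violations(observed, **policy)
    print(f"{name}: {'ACCEPTED' if not problems else 'REJECTED'}")
    for problem in problems:
        print(f"  - {problem}")
    return problems


if __name__ == "__main__":
    report("modern server, default ATS", MODERN_SERVER)
    report("legacy server, default ATS", LEGACY_SERVER)
    # Same legacy server under an exception entry with
    # NSExceptionMinimumTLSVersion=TLSv1.0 and NSExceptionRequiresForwardSecrecy=NO:
    # protocol and cipher are now tolerated, the certificate is still rejected.
    report("legacy server, relaxed exception", LEGACY_SERVER,
           minimum_tls="TLSv1.0", requires_forward_secrecy=False)
```

Against a live server the equivalent check on OS X 10.11 or later is `/usr/bin/nscurl --ats-diagnostics --verbose https://host`, which tries the default configuration and the documented exception combinations in turn and reports which of them connect.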

 

How to add an exception for an HTTPS server that does not meet the ATS requirements? (configuring an HTTPS domain that does not satisfy the requirements)

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.circletable.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

 

NSIncludesSubdomains set to YES means that subdomains use the same settings as the listed parent domain.

NSExceptionRequiresForwardSecrecy set to NO turns off the forward-secrecy cipher requirement for this domain, for servers whose HTTPS configuration does not support it.

NSExceptionAllowsInsecureHTTPLoads set to YES allows access to this domain even when it has no certificate, or when the certificate would otherwise fail because it is self-signed, expired, or does not match the hostname.

 

 

How and when to disable ATS? (when not to use ATS, and how to turn it off)

Under iOS 9 a plain http request receives the following error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

If plain HTTP must be supported, add the following to Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

NSAllowsArbitraryLoads set to YES disables ATS for every domain that has no entry under NSExceptionDomains; where the insecure domain is known, prefer a per-domain exception over this global switch.

 

The property keys (configurable properties)

Key                                                          Type
NSAppTransportSecurity                                       Dictionary
    NSAllowsArbitraryLoads                                   Boolean
    NSExceptionDomains                                       Dictionary
        <domain-name-for-exception-as-string>                Dictionary
            NSExceptionMinimumTLSVersion                     String
            NSExceptionRequiresForwardSecrecy                Boolean
            NSExceptionAllowsInsecureHTTPLoads               Boolean
            NSIncludesSubdomains                             Boolean
            NSThirdPartyExceptionMinimumTLSVersion           String
            NSThirdPartyExceptionRequiresForwardSecrecy      Boolean
            NSThirdPartyExceptionAllowsInsecureHTTPLoads     Boolean

 

NSAppTransportSecurity

A dictionary containing the settings for overriding default App Transport Security behaviors. This is the top-level key in the app's Info.plist file.

NSAllowsArbitraryLoads

A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain. The default value of NO requires the default App Transport Security behavior for all connections.

NSExceptionDomains

A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.

<domain-name-for-exception-as-string>

A dictionary of exceptions for the named domain. The name of the key is the name of the domain, for example www.apple.com.

NSExceptionMinimumTLSVersion

A string that specifies the minimum TLS version for connections. Valid values are TLSv1.0, TLSv1.1 and TLSv1.2.

TLSv1.2 is the default value.

NSExceptionRequiresForwardSecrecy

A Boolean value for overriding the requirement that the domain support forward secrecy through its cipher suites.

YES is the default value and limits the ciphers to the accepted list shown above.

Setting the value to NO adds the following to the list of accepted ciphers:

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA256

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_CBC_SHA256

  • TLS_RSA_WITH_AES_128_CBC_SHA

 

NSExceptionAllowsInsecureHTTPLoads

A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate.

NO is the default value.

NSIncludesSubdomains

A Boolean value for applying the overrides to all subdomains of the top-level domain.

NO is the default value.

NSThirdPartyExceptionMinimumTLSVersion

A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionRequiresForwardSecrecy

A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.

NSThirdPartyExceptionAllowsInsecureHTTPLoads

A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.
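To see how the keys above combine for a given host, here is an added example, not code from the original post or from Apple, that reads the NSAppTransportSecurity dictionary from an Info.plist with Python's standard-library plistlib and resolves the effective policy. It covers both the exception-domain configuration shown in the "How to add an exception" section and the key reference above: NSAllowsArbitraryLoads, NSExceptionDomains with NSIncludesSubdomains, the NSThirdPartyException* variants, plus an audit of every setting that weakens the defaults. The embedded plist, the domains api.example.com and cdn.example.com, and the function names are constructed for this example; the rule that the most specific matching domain wins is this example's assumption, since the post does not state a precedence.

```python
"""Resolve the effective App Transport Security policy for a host from Info.plist.

Added example; not from the original post or from Apple. Run it directly to print
the policy for several hosts and every setting that weakens ATS.
"""
import plistlib

# Constructed Info.plist fragment for the example (not from a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSThirdPartyExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# What ATS requires when no key overrides it.
DEFAULT_POLICY = {
    "ats_enforced": True,
    "https_required": True,
    "minimum_tls": "TLSv1.2",
    "requires_forward_secrecy": True,
}

# Per-domain keys that can weaken the defaults, with the default each overrides.
WEAKENING_KEYS = {
    "AllowsInsecureHTTPLoads": False,
    "MinimumTLSVersion": "TLSv1.2",
    "RequiresForwardSecrecy": True,
}


def _lookup(exception, suffix, default):
    """Read NSException<suffix>, else NSThirdPartyException<suffix>, else default."""
    for prefix in ("NSException", "NSThirdPartyException"):
        if prefix + suffix in exception:
            return exception[prefix + suffix]
    return default


def _matches(host, domain, includes_subdomains):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or (includes_subdomains and host.endswith("." + domain))


def effective_policy(ats, host):
    """Return (policy, source) for host, given the NSAppTransportSecurity dict.

    Assumption of this example: when several NSExceptionDomains entries match
    (a parent with NSIncludesSubdomains and a more specific child), the most
    specific one wins. The post does not state a precedence rule.
    """
    matches = [
        (domain, exc)
        for domain, exc in ats.get("NSExceptionDomains", {}).items()
        if _matches(host, domain, bool(exc.get("NSIncludesSubdomains", False)))
    ]
    if matches:
        domain, exc = max(matches, key=lambda item: len(item[0]))
        policy = {
            "ats_enforced": True,
            "https_required": not _lookup(exc, "AllowsInsecureHTTPLoads", False),
            "minimum_tls": _lookup(exc, "MinimumTLSVersion", "TLSv1.2"),
            "requires_forward_secrecy": bool(_lookup(exc, "RequiresForwardSecrecy", True)),
        }
        return policy, f"NSExceptionDomains[{domain}]"
    if ats.get("NSAllowsArbitraryLoads", False):
        # ATS is off for every domain without its own entry: no TLS checks at all.
        return {"ats_enforced": False}, "NSAllowsArbitraryLoads"
    return dict(DEFAULT_POLICY), "default"


def audit(ats):
    """Return (domain, key, value) for every setting that weakens ATS."""
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings.append(("*", "NSAllowsArbitraryLoads", True))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        for suffix, default in WEAKENING_KEYS.items():
            value = _lookup(exc, suffix, default)
            if value != default:
                findings.append((domain, suffix, value))
    return findings


def load_ats(plist_bytes):
    """Extract the NSAppTransportSecurity dictionary from raw Info.plist bytes."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


if __name__ == "__main__":
    ats = load_ats(SAMPLE_INFO_PLIST)
    for host in ("api.example.com", "v2.api.example.com", "cdn.example.com",
                 "static.cdn.example.com", "example.com"):
        policy, source = effective_policy(ats, host)
        print(f"{host:24} {source}: {policy}")
    for domain, key, value in audit(ats):
        print(f"weakened: {domain} {key}={value}")
```

The audit is the part worth wiring into a build: an entry that sets NSExceptionAllowsInsecureHTTPLoads or a top-level NSAllowsArbitraryLoads is a deliberate downgrade for that host, and listing every such key at build time keeps a temporary exception from quietly becoming permanent.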

Reference

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/
http://www.neglectedpotential.com/2015/06/working-with-apples-application-transport-security/
https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html
https://developer.apple.com/library/prerelease/ios/releasenotes/DeveloperTools/RN-Xcode/Chapters/xc7_release_notes.html#//apple_ref/doc/uid/TP40001051-CH5-SW1
