Apache and Nginx configuration to support Apple's ATS

What is ATS?

ATS (App Transport Security) is a new feature of iOS 9 and OS X El Capitan. When it is enabled, ATS forces network requests made through APIs such as NSURLConnection, CFURL or NSURLSession to use HTTPS encrypted transport by default; the goal is to improve the security of Apple's operating systems and of applications.

At WWDC 16, Apple stated that it would continue to tighten the restrictions on access to plain HTTP sites in iOS 10 and OS X 10.12. From January 1, 2017, all apps newly submitted to the App Store will by default no longer be allowed to use NSAllowsArbitraryLoads to bypass the ATS restrictions. In other words, we had better make sure that every web server the app communicates with has HTTPS deployed, otherwise we may run into serious trouble during app review.

Apple's official article states that HTTPS must meet the ATS requirements: the server must support Transport Layer Security (TLS) protocol version 1.2 or higher; the certificate must be signed with SHA-256 or a stronger hash algorithm and use an RSA key of at least 2048 bits or an ECC key of at least 256 bits; and the more secure ECDHE cipher suites must be used. Below are the three SSL technical points Apple officially requires:

Requirements for Connecting Using ATS

With ATS fully enabled, your app's HTTP connections must use HTTPS and must satisfy the following security requirements:


The server certificate must meet at least one of the following trust requirements:

Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

Issued by a trusted root CA and installed by the user or a system administrator

The negotiated Transport Layer Security version must be TLS 1.2

The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:


TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

The leaf server certificate must be signed with one of the following types of keys:

Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).

If ATS is not enabled, the system still performs HTTPS server trust evaluation but you can override it on a case-by-case basis, as described in HTTPS Server Trust Evaluation. With ATS fully enabled, you cannot override the default HTTPS server trust evaluation.


Of these, the certificate must be signed with SHA-256 or a stronger hash algorithm and must use an RSA key of at least 2048 bits or an ECC key of at least 256 bits. Supporting the TLS 1.2 protocol and the ECDHE algorithms requires corresponding adjustments on the server side.
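To verify a server against these requirements before app review, the following added example (not from the page, Apple or nginx) checks the parameters of one observed connection against the list above. It assumes the OpenSSL-style cipher name that tools such as Python's ssl.SSLSocket.cipher() report, and takes the leaf certificate's key type, key size and signature digest as inputs obtained separately (for example from openssl x509 -text); all inputs used in the test are constructed.

```python
# ATS compliance check for one observed TLS connection (added example, constructed inputs).

# Cipher suites ATS accepts, in IANA form, exactly as listed in Apple's requirements above.
ATS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}          # leaf key minimums from the requirements
STRONG_HASHES = {"sha256", "sha384", "sha512"}   # SHA-2 with a digest of at least 256 bits


def openssl_to_iana(name):
    """Translate an OpenSSL cipher name (the form OpenSSL tools and ssl.SSLSocket.cipher()
    report) into the IANA name Apple lists, e.g.
    ECDHE-RSA-AES128-SHA256 -> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."""
    parts = name.split("-")
    kx_auth, rest = parts[:2], parts[2:]
    body = []
    for p in rest:
        if p.startswith("AES"):
            body.append("AES_" + p[3:])           # AES128 -> AES_128
            if "GCM" not in rest:
                body.append("CBC")                # OpenSSL omits the CBC mode marker
        else:
            body.append(p)
    return "TLS_" + "_".join(kx_auth + ["WITH"] + body)


def evaluate_ats(tls_version, openssl_cipher, key_type, key_bits, sig_hash):
    """Return the ATS requirements violated by one observed connection; [] means compliant.
    tls_version is as ssl.SSLSocket.version() reports it, key_type is "RSA" or "EC"."""
    failures = []
    if tls_version != "TLSv1.2":                  # the requirement as stated on this page
        failures.append(f"negotiated {tls_version}; ATS requires TLS 1.2")
    suite = openssl_to_iana(openssl_cipher)
    if suite not in ATS_CIPHERS:
        failures.append(f"{suite} is not an ATS forward-secrecy cipher suite")
    if key_bits < MIN_KEY_BITS.get(key_type, float("inf")):
        failures.append(f"{key_type} key of {key_bits} bits is below the ATS minimum")
    if sig_hash.lower() not in STRONG_HASHES:
        failures.append(f"certificate signed with {sig_hash}; ATS requires SHA-256 or stronger")
    return failures
```

An empty list means the observed connection satisfies every requirement quoted above; each entry otherwise names the requirement that the server configuration or certificate fails.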

In Nginx, edit nginx.conf and change the configuration in its SSL section:

        server {
            listen               443;
            server_name          localhost;
            ssl                  on;                      # enable TLS on this listener (older nginx syntax)
            ssl_certificate      yourdomain_bundle.crt;   # leaf certificate followed by the intermediate chain
            ssl_certificate_key  yourdomain.key;
            ssl_session_timeout  5m;
            ssl_session_cache    shared:SSL:1m;
            # TLSv1.2 must be offered for ATS clients; the older versions are kept only for non-ATS clients
            ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
            # prefer ECDHE (forward secrecy) and AES-GCM; exclude RC4, DH, MD5, anonymous and null suites
            ssl_ciphers          ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!aNULL:!eNULL;

            location / {
                root   html;
                index  index.html index.htm;
            }
        }

Because of some limitations of the containers, it is recommended to install the certificate with Apache or Nginx when adapting SSL for iOS ATS. The OpenSSL version should be 1.0.1 or later, because OpenSSL only began to support TLSv1.2 in 1.0.1; and because of some other vulnerabilities, the officially recommended OpenSSL version is 1.0.1g or later.
