App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.
If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
All connections using the NSURLConnection, CFURL, or NSURLSession APIs use App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail.
These are the App Transport Security requirements:
The server must support at least Transport Layer Security (TLS) protocol version 1.2.
Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below).
Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
Invalid certificates result in a hard failure and no connection.
These are the accepted ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
If your connection does not meet these requirements, you get the following error:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
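As an added example (not code from the original page), the following Python function evaluates a connection's negotiated parameters against the four ATS requirements above: protocol version, accepted cipher suite, signature hash and key size. The `requires_pfs=False` path models the NSExceptionRequiresForwardSecrecy override described further down, which admits the non-forward-secret TLS_RSA suites; all inputs are constructed values, not live measurements.

```python
# Forward-secret suites ATS accepts by default (the list above).
ATS_DEFAULT_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
# Non-forward-secret suites admitted only when NSExceptionRequiresForwardSecrecy is NO.
ATS_NON_PFS_CIPHERS = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Minimum key size per key type: 2048-bit RSA or 256-bit elliptic curve.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


def _tls_tuple(version):
    """'TLSv1.2' -> (1, 2); anything unparsable ranks below TLS 1.0."""
    try:
        return tuple(int(p) for p in version.upper().replace("TLSV", "").split("."))
    except ValueError:
        return (0, 0)


def ats_violations(tls_version, cipher, sig_hash, key_type, key_bits, requires_pfs=True):
    """Return the ATS requirements a connection fails; an empty list means it is accepted."""
    problems = []
    if _tls_tuple(tls_version) < (1, 2):
        problems.append("protocol below TLS 1.2: " + tls_version)
    allowed = ATS_DEFAULT_CIPHERS | (set() if requires_pfs else ATS_NON_PFS_CIPHERS)
    if cipher not in allowed:
        problems.append("cipher suite not accepted: " + cipher)
    # "SHA256 or greater": compare the digest width embedded in the hash name.
    digits = "".join(ch for ch in sig_hash if ch.isdigit())
    if not digits or int(digits) < 256:
        problems.append("signature hash weaker than SHA256: " + sig_hash)
    kt = "EC" if key_type.upper().startswith("EC") else key_type.upper()
    need = MIN_KEY_BITS.get(kt)
    if need is None:
        problems.append("unsupported key type: " + key_type)
    elif key_bits < need:
        problems.append("%s key of %d bits is below %d" % (kt, key_bits, need))
    return problems
```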
An exception for a single domain is declared in Info.plist like this:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.circletable.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
Setting NSIncludesSubdomains to YES means that subdomains use the same settings as the parent domain.
Setting NSExceptionRequiresForwardSecrecy to NO turns off the forward-secrecy requirement, for use when the server's HTTPS configuration does not support forward secrecy.
Setting NSExceptionAllowsInsecureHTTPLoads to YES allows access to domains that have no certificate, or whose certificate fails because it is self-signed, expired, or has a hostname mismatch.
On iOS 9, making a plain http request directly produces the following error:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
If HTTP must be supported, add the following key to Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Setting NSAllowsArbitraryLoads disables ATS.
| Key | Type |
| --- | --- |
| NSAppTransportSecurity | Dictionary |
| NSAllowsArbitraryLoads | Boolean |
| NSExceptionDomains | Dictionary |
| <domain-name-string> | Dictionary |
| NSExceptionMinimumTLSVersion | String |
| NSExceptionRequiresForwardSecrecy | Boolean |
| NSExceptionAllowsInsecureHTTPLoads | Boolean |
| NSIncludesSubdomains | Boolean |
| NSThirdPartyExceptionMinimumTLSVersion | String |
| NSThirdPartyExceptionRequiresForwardSecrecy | Boolean |
| NSThirdPartyExceptionAllowsInsecureHTTPLoads | Boolean |
NSAppTransportSecurity
A dictionary containing the settings for overriding default App Transport Security behaviors. This is the top-level key in the app's Info.plist file.
NSAllowsArbitraryLoads
A Boolean value used to disable App Transport Security for any domains not listed in the NSExceptionDomains dictionary. Listed domains use the settings specified for that domain. The default value of NO requires the default App Transport Security behavior for all connections.
NSExceptionDomains
A dictionary of App Transport Security exceptions for specific domains. Each key is a string containing the domain name for the exceptions.
<domain-name-string>
A dictionary of exceptions for the named domain. The name of the key is the name of the domain, for example www.apple.com.
NSExceptionMinimumTLSVersion
A string that specifies the minimum TLS version for connections. Valid values are TLSv1.0, TLSv1.1 and TLSv1.2. TLSv1.2 is the default value.
NSExceptionRequiresForwardSecrecy
A Boolean value for overriding the requirement that the domain support forward secrecy using ciphers. YES is the default value and limits the ciphers to those in the accepted cipher list above. Setting the value to NO adds the following to the list of accepted ciphers:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
NSExceptionAllowsInsecureHTTPLoads
A Boolean value for overriding the requirement that all connections use HTTPS. Use this key to access domains with no certificate, or with an error for a self-signed, expired, or hostname-mismatch certificate. NO is the default value.
NSIncludesSubdomains
A Boolean value for applying the overrides to all subdomains of the top-level domain. NO is the default value.
NSThirdPartyExceptionMinimumTLSVersion
A version of NSExceptionMinimumTLSVersion used when the domain is an app service that is not controlled by the developer.
NSThirdPartyExceptionRequiresForwardSecrecy
A version of NSExceptionRequiresForwardSecrecy used when the domain is an app service that is not controlled by the developer.
NSThirdPartyExceptionAllowsInsecureHTTPLoads
A version of NSExceptionAllowsInsecureHTTPLoads used when the domain is an app service that is not controlled by the developer.
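The Info.plist fragments earlier on the page and the key reference above are what a review of an app's ATS configuration has to look at. As an added example that is not from the original page, this Python function parses an Info.plist with the standard-library plistlib module and reports every ATS override weaker than the default, for both the NSException* and NSThirdPartyException* key families; the sample plist and its domain name are constructed.

```python
import plistlib

# Constructed sample Info.plist (not from the original page): the global
# NSAllowsArbitraryLoads switch plus one per-domain exception with every
# override relaxed. The domain name is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Values NSExceptionMinimumTLSVersion accepts, in strength order.
TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2}


def audit_ats(plist_bytes):
    """Return (scope, finding) pairs, one per ATS setting weaker than the default."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads: ATS disabled for every unlisted domain"))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        before = len(findings)
        # The NSThirdPartyException* keys mirror the NSException* keys, so check both.
        for p in ("NSException", "NSThirdPartyException"):
            if exc.get(p + "AllowsInsecureHTTPLoads"):
                findings.append((domain, p + "AllowsInsecureHTTPLoads: cleartext HTTP and bad certificates accepted"))
            if exc.get(p + "RequiresForwardSecrecy", True) is False:
                findings.append((domain, p + "RequiresForwardSecrecy=NO: non-forward-secret TLS_RSA suites admitted"))
            tls = exc.get(p + "MinimumTLSVersion")
            if tls in TLS_RANK and TLS_RANK[tls] < TLS_RANK["TLSv1.2"]:
                findings.append((domain, p + "MinimumTLSVersion lowered to " + tls))
        if exc.get("NSIncludesSubdomains") and len(findings) > before:
            findings.append((domain, "NSIncludesSubdomains: the overrides above also cover every subdomain"))
    return findings
```

Calling `audit_ats(SAMPLE_PLIST)` yields one global finding and four for the sample domain; an Info.plist that leaves ATS at its defaults yields an empty list.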