文档章节

关于iOS9中的App Transport Security相关说明及适配(更新于2016.7.1)

vimfung
 vimfung
发布于 2015/08/19 17:18
字数 3869
阅读 45545
收藏 21
2016.7.1 根据苹果官方文档的修改做出文档的调整,并加入对诊断ATS的命令行工具nscurl进行说明。
2015.8.19 解决在iOS9下基于ATS对HTTP的请求的说明及适配进行说明

 

iOS9中新增App Transport Security(简称ATS)特性, 主要使到原来请求的时候用到的HTTP,都转向TLS1.2协议进行传输。这也意味着所有的HTTP协议都强制使用了HTTPS协议进行传输。原文如下:

App Transport Security

 

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file

如果我们在iOS9下直接进行HTTP请求是会收到如下错误提示:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

系统会告诉我们不能直接使用HTTP进行请求,需要在Info.plist新增一段用于控制ATS的配置:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

也即:

这段配置中的NSAppTransportSecurity是ATS配置的根节点,配置了节点表示告诉系统要走自定义的ATS设置。而NSAllowsAritraryLoads节点则是控制是否禁用ATS特性,设置YES就是禁用ATS功能。

ATS是在iOS 9.0 和 OS X v10.11版本中增加的特性,使用iOS 9.0或者OS X v10.11的SDK版本(或更新的SDK)进行编译应用时会默认启动ATS。则需要对ATS进行配置。如果使用iOS 9.0或者OS X v10.11之前的SDK版本编译的应用默认是禁止ATS的,因此不会影响应用的网络连接方面的功能(即使在iOS 9.0的机子上跑也是不影响的)。

直到前面的配置可以完美的适配iOS9了,但是如果你想遵循苹果给出的标准,让自己的数据更加安全,那么需要继续往下看。

其实ATS并不单单针对HTTP进行了限制,对HTTPS也有一定的要求,以百度的地址为例(注:举该栗子的时候百度是还没符合ATS的要求的,现在百度已经支持ATS),如果在App中请求https://www.baidu.com的话,是会收到如下的错误信息:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

查阅了一下官方资料(https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33),发现HTTPS的请求需要满足下面的要求:

Requirements for Connecting Using ATS

With ATS fully enabled, your app’s HTTP connections must use HTTPS and must satisfy the following security requirements:

 

  • The server certificate must meet at least one of the following trust requirements:

    • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system

    • Issued by a trusted root CA and installed by the user or a system administrator

  • The negotiated Transport Layer Security version must be TLS 1.2

  • The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • The leaf server certificate must be signed with one of the following types of keys:

    • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits

    • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits

    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).

根据原文描述,首先颁发给服务器证书的证书机构(CA)的根证书必须是内置于操作系统(哪些根证书被信任可以查看https://support.apple.com/zh-cn/HT205205,或者在你的机子的设置-通用-关于本机最下面的“进一步了解被信任的证书”中查看)或者受用户或者系统管理员信任并安装到操作系统上的。而且必须要基于TLS 1.2版本协议。再来就是连接的加密方式要提供Forward Secrecy(FS正向保密,感兴趣的筒子可以看看这个https://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html),文档中罗列出了支持的加密算法(上面的原文中有说明,我把它独立抽出来放到下面表格中查看)。最后就是证书至少要使用一个SHA256的指纹与任一个2048位或者更高位的RSA密钥,或者是256位或者更高位的ECC密钥。如果不符合其中一项,请求将被中断并返回nil。

支持Forward Secrecy的加密方式

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

我们再来看刚才的百度的地址,用浏览器打开百度的地址,然后点击链接前面的锁图标,如图:

可以看到它使用了TLS 1.2版本协议,符合上面所说的TLS版本的约定。

然后在点击证书信息,查看颁发给它证书的CA的根证书,如图:

可以看到它的根证书名称是:VeriSign Class 3 Public Primary Certification Authority - G5,根据这个名字在之前提供URL中去寻找iOS9下受信任的根证书是否有存在该证书,结果是可以找到对应的证书信息的,如下图所示:

最后回到之前的连接信息面板可以看到使用AES_128_GCM进行加密,并使用ECDHE_RSA作为密钥交换机制的,我们可以在Forward Secrecy的列表中找到对应两条记录:

 

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 

但是还不能确定百度是否提供Forward Secrecy,我们再点开证书信息,查看“签发者名称”和“公共密钥信息”两项,如图:

看到签名算法中写着“带RSA加密的SHA-1”。可以判定该加密算法不包含在上面两项中。因此百度是一个不符合ATS的要求,所以返回了错误。这时候,如果要解决这样的问题,同样需要对ATS进行配置。配置如下:

<key>NSAppTransportSecurity</key>
<dict>
	<key>NSExceptionDomains</key>
	<dict>
		<key>baidu.com</key>
		<dict>
			<key>NSIncludesSubdomains</key>
			<true/>
			<key>NSExceptionRequiresForwardSecrecy</key>
			<false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
		</dict>
	</dict>
</dict>

其中NSIncludesSubdomains设置为YES表示百度的子级域名都使用相同设置。NSExceptionRequiresForwardSecrecy为NO由于百度不支持ForwardSecrecy,因此屏蔽掉改功能。最后NSExceptionAllowInsecureHTTPLoads设置为YES,则表示允许访问没有证书或者是自签名、过期、主机名不匹配的证书引发的错误的域名(这里检查过百度的证书貌似没有什么问题,但是还是需要设置此项才允许访问)。

----------------------------

在最近的测试中由于百度已经支持ATS(昨天@Jolie_Yang给我留言才知道的^_^),而我在不配置任何ATS设置的时候使用NSURLConnection去测试https://www.baidu.com返回的结果还是报错的。后来,我用NSURLSession去测试该网址发现是可以正常访问。

苹果官方是推荐使用NSURLSession去做HTTP请求的,虽然说NSURLConnection同样支持ATS方面的特性,但从我上面的测试来看估计它们两者的默认行为上有些不一样,所以如果还在使用NSURLConnection的同学应该尽早切换到NSURLSession上,避免产生一些不必要错误。

最后,说到如何诊断一个URL是否支持ATS,这里给大家介绍一些nscurl这个命令行工具,这个工具是OS X v10.11上新增的,主要用于诊断ATS带来的连接问题,利用它可以在命令行中直接检测一个URL地址是否支持ATS。其用法如下:

/usr/bin/nscurl --ats-diagnostics [--verbose] URL

URL - 表示用来诊断的网址

verbose - 该选项将会为每次的连接包含更多信息,包括使用到Info.plist中的哪些key和对应的值也会列出来。

还是以百度为例,对其https://baidu.com进行诊断,命令如下:

nscurl --ats-diagnostics https://baidu.com

其输出信息如下:

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
2016-07-19 17:51:43.156 nscurl[7936:828662] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Result : FAIL
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
Result : PASS
---

================================================================================

Configuring TLS exceptions for baidu.com

---
TLSv1.2
Result : FAIL
---

---
TLSv1.1
Result : FAIL
---

---
TLSv1.0
Result : FAIL
---

================================================================================

Configuring PFS exceptions for baidu.com

---
Disabling Perfect Forward Secrecy
Result : FAIL
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for baidu.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : FAIL
---

================================================================================

Configuring TLS exceptions with PFS disabled for baidu.com

---
TLSv1.2 with PFS disabled
Result : FAIL
---

---
TLSv1.1 with PFS disabled
Result : FAIL
---

---
TLSv1.0 with PFS disabled
Result : FAIL
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for baidu.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : FAIL
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : FAIL
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : FAIL
---

================================================================================

可以看到除了Allowing Arbitrary Loads一项的Result是Pass,其他的Result都是FAIL,那这证明了baidu.com还没有支持ATS,但是从它的证书来看是已经支持的了,为了了解更详细的信息,我们把verbose选项加入再进行诊断一下,来了解更多的信息,命令如下:

nscurl --ats-diagnostics --verbose https://baidu.com

其信息输出如下:

vimfungdeMac-mini:~ vimfung$ nscurl --ats-diagnostics --verbose https://baidu.com
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2016-07-19 17:57:24.887 nscurl[7971:833843] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41703970 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for baidu.com

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4164cc20 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4143dfc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4143e480 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

Configuring PFS exceptions for baidu.com

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac414358c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for baidu.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac416589a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

Configuring TLS exceptions with PFS disabled for baidu.com

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41633bf0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac414625e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41464e40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for baidu.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41468d40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4146a6e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac416932b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---

================================================================================

可以看到了更多的信息,包括了Info.plist中的配置项和请求的错误描述信息。其中发现当请求https://baidu.com的时候,它会报NSErrorFailingURLKey=http://www.baidu.com。所以,我估计是百度对这个网址进行了跳转,而跳转到的地址就是http://www.baidu.com,所以不可靠的HTTP连接都被ATS被拦截了,才会出现Fail的结果。

因此,我尝试换了https://www.baidu.com再次进行测试,其输入结果如下:

vimfungdeMac-mini:~ vimfung$ nscurl --ats-diagnostics --verbose https://www.baidu.com
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for www.baidu.com

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : PASS
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions for www.baidu.com

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.baidu.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for www.baidu.com

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.baidu.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.baidu.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

输出的结果都是Pass的了,那证明百度还是支持ATS的。好了,这是我最新对ATS的研究,希望对大家有用。

© 著作权归作者所有

vimfung

vimfung

粉丝 61
博文 59
码字总数 85338
作品 4
广州
技术主管
私信 提问
加载中

评论(22)

vimfung
vimfung 博主

引用来自“Z_Lukas”的评论

楼主我设置NSAllowsArbitraryLoads为NO,开启ATS,我们系统的API接口是支持的,但是在七牛服务器上有图片和文章的内容,需要访问七牛服务器的一个域名,但是这个域名只能用http访问,如果我把她设置成下边 这个是执行命令出来的ATS Dictionary:
{
NSExceptionDomains = {
"七牛服务器域名" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
这里边我设置了NSExceptionAllowsInsecureHTTPLoads = YES苹果审核会被拒吗?另外我的WKWebView访问的界面里边有视频,我在开启ATS的时候iOS9里边无法播放,iOS10里边可以正常访问这个怎么支持呢?只能是使用SFSafariViewController支持iOS9 还是我打开ATS呢?
如果需要添加ExceptionDomian,那么最好是在提审的时候说明一下这个为什么要这样做,给一个合理的理由。
然后iOS9无法播放的问题,从目前来看确实是只能用SFSafariViewController来代替WKWebView。
Z
Z_Lukas
楼主我设置NSAllowsArbitraryLoads为NO,开启ATS,我们系统的API接口是支持的,但是在七牛服务器上有图片和文章的内容,需要访问七牛服务器的一个域名,但是这个域名只能用http访问,如果我把她设置成下边 这个是执行命令出来的ATS Dictionary:
{
NSExceptionDomains = {
"七牛服务器域名" = {
NSExceptionAllowsInsecureHTTPLoads = true;
NSExceptionMinimumTLSVersion = "TLSv1.2";
NSExceptionRequiresForwardSecrecy = false;
};
};
}
Result : PASS
---
这里边我设置了NSExceptionAllowsInsecureHTTPLoads = YES苹果审核会被拒吗?另外我的WKWebView访问的界面里边有视频,我在开启ATS的时候iOS9里边无法播放,iOS10里边可以正常访问这个怎么支持呢?只能是使用SFSafariViewController支持iOS9 还是我打开ATS呢?
vimfung
vimfung 博主

引用来自“Passer_by_”的评论


楼主你好,有个问题一直搞不明白。项目中如果使用了第三方库,因为不支持ATS需要设置NSExceptionDomains,那么根键NSAllowsArbitraryLoads是设置成YES还是NO呢?如果是设置成YES,提交应用的时候是不是要做特俗说明啊?
NSAllowsArbitraryLoads设置成YES就不需要在设置NSExceptionDomains了,因为ATS已经被禁用。目前来说是不需要什么说明,不过明年开始苹果对这块会做严格的要求,如果禁用了ATS估计你要有正当的理由,否则就有可能会被拒绝
Passer_by_
Passer_by_

楼主你好,有个问题一直搞不明白。项目中如果使用了第三方库,因为不支持ATS需要设置NSExceptionDomains,那么根键NSAllowsArbitraryLoads是设置成YES还是NO呢?如果是设置成YES,提交应用的时候是不是要做特俗说明啊?
vimfung
vimfung 博主

引用来自“wodetianA”的评论

你好我查到我们公司的域名都是PASS 是不是NSAllowsAritraryLoads可以不用设置了
是的
wodetianA
wodetianA
你好我查到我们公司的域名都是PASS 是不是NSAllowsAritraryLoads可以不用设置了
vimfung
vimfung 博主

引用来自“编bian码”的评论

楼主,你好,我这边项目已经做了ATS配置,包括Allowing Arbitrary Loads也设置成了YES,但是总是隔一段时间就提示连接不到服务器,然后我照着你说的方法去测试是否支持ATS,发现这个URL返回的全都是FAIL,包括Allowing Arbitrary Loads也是显示FAIL,这个是怎么回事啊?要怎么解决?头痛了好几天....
建议检查一下证书是否符合要求,如果返回FAIL,那就证明证书还是有问题。
编bian码
楼主,你好,我这边项目已经做了ATS配置,包括Allowing Arbitrary Loads也设置成了YES,但是总是隔一段时间就提示连接不到服务器,然后我照着你说的方法去测试是否支持ATS,发现这个URL返回的全都是FAIL,包括Allowing Arbitrary Loads也是显示FAIL,这个是怎么回事啊?要怎么解决?头痛了好几天....
vimfung
vimfung 博主

引用来自“拾荒少年v”的评论

又看了证书是符合的,但我使用afnetworking 请求https 还是会报 Error Domain=NSURLErrorDomain Code=-1004 "Could not connect to the server."

求助啊啊啊
你这个不是ATS导致的错误吧,它提示的是无法连接服务器,是不是你的请求地址无法访问。
拾荒少年v
拾荒少年v
又看了证书是符合的,但我使用afnetworking 请求https 还是会报 Error Domain=NSURLErrorDomain Code=-1004 "Could not connect to the server."

求助啊啊啊
iOS 如何升级到https

由于苹果规定2017年1月1日以后,所有APP都要使用HTTPS进行网络请求,否则无法上架,因此研究了一下在iOS中使用HTTPS请求的实现。网上搜索了一些比较有用资料,大家可以参考下 苹果强制升级的H...

卡奇匠
2016/12/13
229
0
Xcode7.0.1(ios9)的部分适配问题

今天更新了Xcode 7 正式版,App编译出现很多警告,在App运行的时候出现如下的提示......... the resource could not be loaded because the app transport security policy requires the use o......

Align
2015/12/30
42
0
Swift开发记录 - 升级Xcode7&iOS9带来的问题

iOS9官方说明 多任务模式 默认情况下iPadAir2开始支持了多任务模式,虽然看起来不错。但是这个功能给一些旧项目带来了一个问题,也就是在默认情况下,你的应用需要支持所有设备方向(上下左右...

Destroy001
2015/10/29
208
0
fir.im Weekly - iOS9 适配开发教程

期待已久的 iOS 9 发布了,很多人更新完毕得出结论:这是值得升级的版本。随之而来的是适应 iOS9 开发技术。本期 Weekly 收集了一些关于 iOS9 相关的开发资源,希望对你有帮助。 iOS9 适配开...

风起云飞fir_im
2015/09/22
102
0
iOS-初识网络(一)

iOS中的网络请求可以从如下的类中体现: NSURL: NSURLRequest: NSURLConnection: NSURLResponse: NSURLSession: iOS9+ 1:网络的url决定着和谁通信: url格式 2:怎么通信:多个客户端用不同...

Nlinger
2017/12/06
0
0

没有更多内容

加载失败,请刷新页面

加载更多

springboot 403 问题

添加WebAppConfigurer 配置 @Configuration@EnableAutoConfigurationpublic class WebAppConfigurer extends WebMvcConfigurerAdapter { public WebAppConfigurer() { } ......

布袋和尚_爱吃鱼
26分钟前
3
0
Python自动更换壁纸爬虫与tkinter结合

直接上代码 import ctypesimport timeimport requestsimport osfrom threading import Threadfrom tkinter import Tk, Label, Button,Entry,StringVar,messagebox# '放到AppData\Roami......

物种起源-达尔文
27分钟前
3
0
Postgresql Study 笔记

Postgresql 安装 Windows, MAC Install Postgresql 下载地址: https://www.enterprisedb.com/downloads/postgres-postgresql-downloads Linux Install sudo apt-get update sudo apt-get in......

slagga
29分钟前
4
0
layer.open 打开新页面传参问题

如图所示,点击出售,把A页面的数据传到弹框上面,因为弹框比较复杂,所以使用引入一个新页面。 A.html a.js B.html b.js 1、第一种方案 sellInte: function (){ var obj = document.g...

木九天
32分钟前
4
0
沙龙报名 | 区块链数据服务技术应用实践

京东云是国内首家提供区块链数据在线分析服务产品的公司,也是行业内首家对区块链数据服务进行开源的公司。 本次沙龙是京东云BDS开源后,首次在深圳举办线下沙龙,我们将邀请京东云BDS团队核...

京东云技术新知
32分钟前
4
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部