iOS: Notes on App Transport Security and how to adapt to it

Reposted from [http://blog.csdn.net/maxdong24/article/details/53610127]

iOS 9 adds the App Transport Security (ATS) feature. Its main effect is that requests that used to go over plain HTTP are moved to TLS 1.2 for transport; in other words, all HTTP traffic is forced onto HTTPS. The original text reads:

App Transport Security

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one. If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.

If you make a plain HTTP request directly on iOS 9, you get the following error:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

The new feature requires that all network access from within the app use HTTPS; you can look up the details yourself.

Here we only explain how to turn the feature off so that the app can reach URLs starting with http://.

Turning it off is simple: open the project's Info.plist, add a dictionary entry named App Transport Security Settings, and inside it add the key Allow Arbitrary Loads with the value YES. As shown below:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

In this configuration, NSAppTransportSecurity is the root node of the ATS settings; its presence tells the system to use custom ATS settings instead of the defaults. The NSAllowsArbitraryLoads node controls whether ATS is disabled: setting it to YES disables ATS entirely.

If you want to disable ATS only for a specific domain, add the following to the plist instead:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>your domain</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

NSIncludesSubdomains set to YES means that all subdomains of that domain (Baidu in the author's example) use the same settings.

NSExceptionRequiresForwardSecrecy is set to NO because the site does not support forward secrecy, so that requirement is switched off for this domain.

NSExceptionAllowsInsecureHTTPLoads set to YES allows access to the domain even when the connection would otherwise fail because there is no certificate, or the certificate is self-signed, expired, or does not match the hostname (Baidu's certificate looked fine when checked, but this key still had to be set before the request was allowed).
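The two plist fragments above are what an app reviewer or a build-time check has to look for. The following script is an added example, not part of the original post: it loads an Info.plist with Python's standard plistlib and reports every key that weakens ATS, globally (NSAllowsArbitraryLoads) and per domain (NSExceptionAllowsInsecureHTTPLoads, NSExceptionRequiresForwardSecrecy, and an NSExceptionMinimumTLSVersion below TLSv1.2). The two plists embedded in it are constructed for the example; the domain names are placeholders.

```python
import plistlib
from typing import List

# Constructed sample Info.plist: ATS disabled globally plus a per-domain exception
# that combines the keys discussed above (legacy.example.com is a placeholder).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.atsdemo</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample that keeps ATS fully enforced (an exception entry that only restates the defaults).
STRICT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>api.example.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Return one finding per ATS weakening in the plist; an empty list means ATS is fully enforced."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings: List[str] = []
    if ats is None:
        return findings  # no ATS dictionary at all: the platform default (ATS on) applies
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("global: NSAllowsArbitraryLoads=YES disables ATS for every domain")
    for domain, exception in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if exception.get("NSIncludesSubdomains") else "")
        if exception.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{scope}: cleartext HTTP allowed (NSExceptionAllowsInsecureHTTPLoads)")
        if exception.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward-secrecy requirement disabled")
        minimum_tls = exception.get("NSExceptionMinimumTLSVersion")
        if minimum_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{scope}: minimum TLS version lowered to {minimum_tls}")
    return findings


if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print(finding)
```

Run against a real project with `audit_ats(open("Info.plist", "rb").read())`; plistlib also reads the binary plist form that Xcode may emit in a built bundle. A global NSAllowsArbitraryLoads=YES is the finding to prioritise, since it makes every per-domain exception irrelevant.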

ATS was added in iOS 9.0 and OS X v10.11. Apps compiled against the iOS 9.0 or OS X v10.11 SDK (or newer) have ATS enabled by default, so ATS has to be configured. Apps compiled with an SDK older than iOS 9.0 or OS X v10.11 have ATS disabled by default, so their networking is unaffected (even when they run on an iOS 9.0 device).
ATS does not only restrict HTTP; it also places requirements on HTTPS. Take Baidu's site as an example (note: when this example was written Baidu did not yet meet the ATS requirements; it does now). Requesting https://www.baidu.com from the app produced the following error:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

Consulting the official documentation (https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33) shows that HTTPS requests must meet the following requirements:

Requirements for Connecting Using ATS

With ATS fully enabled, your app's HTTP connections must use HTTPS and must satisfy the following security requirements:

- The server certificate must meet at least one of the following trust requirements:
  - Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
  - Issued by a trusted root CA and installed by the user or a system administrator
- The negotiated Transport Layer Security version must be TLS 1.2
- The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- The leaf server certificate must be signed with one of the following types of keys:
  - Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
  - Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
- In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).

According to the text: first, the root certificate of the CA that issued the server certificate must either be built into the operating system (which roots are trusted is listed at https://support.apple.com/zh-cn/HT205205, or on your device under Settings > General > About, at the very bottom, "Learn more about trusted certificates") or be trusted by the user or a system administrator and installed on the OS. Second, the connection must use TLS 1.2. Third, the connection's cipher suite must provide forward secrecy (FS; if you are interested, see https://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html); the document lists the accepted cipher suites (quoted in the original text above). Finally, the certificate must use at least a SHA-256 signature together with either an RSA key of 2048 bits or more or an ECC key of 256 bits or more. If any one of these is not met, the request is aborted and returns nil.
An example: open a link in a browser, click the padlock on the left, click details, and look at the certificate and algorithm information.
Click the certificate information to see the root certificate of the CA that issued it, as shown:

[Screenshots of the certificate chain and connection details are not reproduced here.]

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).

You can see "SHA-256 with RSA encryption (1.2.840.113549.1.1.11)" and that TLS 1.2 is in use, which satisfies the TLS version requirement stated above.
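The requirements quoted above can be checked mechanically against what a TLS client observed. The code below is an added example, not from the original post or from Apple: it encodes the page's cipher-suite list, key-size and SHA-256 rules, and the TLS 1.2 requirement exactly as quoted, accepts cipher suites in either IANA or OpenSSL spelling (the mapping table is hand-written here), and returns the list of violations. The two NegotiatedConnection values are constructed: the first mirrors the browser view shown above (TLS 1.2, ECDHE_RSA with P-256, AES_128_GCM, SHA-256 with RSA), the second is a hypothetical legacy server.

```python
import re
from dataclasses import dataclass
from typing import List

# Forward-secrecy suites ATS accepts, copied from the Apple requirements quoted above.
ATS_CIPHER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# OpenSSL spellings of the same suites, as reported by Python's ssl module or `openssl s_client`
# (hand-written mapping for this example; it covers only the ATS list).
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-ECDSA-AES256-SHA": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-SHA": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}


@dataclass
class NegotiatedConnection:
    """What a TLS client observed for one handshake (fields constructed for this example)."""
    tls_version: str      # e.g. "TLSv1.2"
    cipher_suite: str     # IANA or OpenSSL name
    leaf_key_type: str    # "RSA" or "EC"
    leaf_key_bits: int
    leaf_signature: str   # e.g. "sha256WithRSAEncryption"
    chain_trusted: bool   # chain ends in an OS-bundled or user/admin-installed trusted root


def ats_violations(c: NegotiatedConnection) -> List[str]:
    """Return every way the connection misses the ATS requirements quoted above (empty = compliant)."""
    problems: List[str] = []
    if not c.chain_trusted:
        problems.append("certificate chain is not anchored in a trusted root")
    if c.tls_version != "TLSv1.2":  # the quoted text requires exactly TLS 1.2
        problems.append(f"negotiated {c.tls_version}; ATS requires TLS 1.2")
    if OPENSSL_TO_IANA.get(c.cipher_suite, c.cipher_suite) not in ATS_CIPHER_SUITES:
        problems.append(f"cipher suite {c.cipher_suite} is not an ATS forward-secrecy suite")
    if c.leaf_key_type == "RSA" and c.leaf_key_bits < 2048:
        problems.append(f"RSA leaf key is {c.leaf_key_bits} bits; ATS requires at least 2048")
    elif c.leaf_key_type == "EC" and c.leaf_key_bits < 256:
        problems.append(f"EC leaf key is {c.leaf_key_bits} bits; ATS requires at least 256")
    elif c.leaf_key_type not in ("RSA", "EC"):
        problems.append(f"leaf key type {c.leaf_key_type} is neither RSA nor EC")
    digest = re.search(r"sha(\d+)", c.leaf_signature, re.IGNORECASE)
    if not digest or int(digest.group(1)) < 256:
        problems.append(f"leaf signature {c.leaf_signature} is weaker than SHA-256")
    return problems


# Constructed inputs: the browser view shown above, and a hypothetical legacy server.
GOOD_CONNECTION = NegotiatedConnection("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                                       "RSA", 2048, "sha256WithRSAEncryption", True)
LEGACY_CONNECTION = NegotiatedConnection("TLSv1.0", "AES128-SHA",
                                         "RSA", 1024, "sha1WithRSAEncryption", True)

if __name__ == "__main__":
    for name, conn in (("good", GOOD_CONNECTION), ("legacy", LEGACY_CONNECTION)):
        print(name, ats_violations(conn) or ["ATS compliant"])
```

Each violation maps onto one of the plist exceptions described earlier: a TLS version below 1.2 needs NSExceptionMinimumTLSVersion, a non-ECDHE suite needs NSExceptionRequiresForwardSecrecy=NO, and an untrusted chain is what NSExceptionAllowsInsecureHTTPLoads papers over. A weak key or SHA-1 signature is a server-side problem to fix rather than something to except.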

Finally, on diagnosing whether a URL supports ATS: the nscurl command-line tool is worth knowing. It was added in OS X v10.11 and is mainly meant for diagnosing connection problems caused by ATS; with it you can check from the command line whether a given URL supports ATS. Usage:

/usr/bin/nscurl --ats-diagnostics [--verbose] URL

URL - the address to diagnose
verbose - this option includes more information for each connection, including which Info.plist keys were used and their values.

If every result in the output is PASS, the link you are checking supports ATS.

Example: checking the Alibaba Cloud site www.aliyun.com

/usr/bin/nscurl --ats-diagnostics --verbose https://www.aliyun.com

Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.aliyun.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---

================================================================================

Configuring TLS exceptions for www.aliyun.com

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : PASS
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions for www.aliyun.com

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.aliyun.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled for www.aliyun.com

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.aliyun.com

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.aliyun.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---

================================================================================
If a FAIL appears, check the following two points:
1. Signature algorithm -> SHA-256 with RSA encryption (1.2.840.113549.1.1.11)
2. Secure Connection
The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).

Check whether both of these match.