How do I select and configure a certificate to support Apple ATS? - SSL Certificates| Alibaba Cloud Documentation Center

From January 1, 2017, Apple requires that all iOS applications use App Transport Security (ATS). This way, iOS applications can communicate over HTTPS, which improves security.

Note Alibaba Cloud CDN and Server Load Balancer (SLB) use the HTTPS configurations that meet the requirements of ATS.

Certificate configuration requirements

The following table lists the certificate requirements that must be met to support ATS:


Item	Description
Certificate authority (CA)	We recommend that you use organization validated (OV) or extended validation (EV) certificates that are issued from Entrust or GlobalSign.
Hash algorithm and key length	Hash algorithm: Entrust and GlobalSign certificates use the SHA-256 algorithm or algorithms that provide higher security. This meets the requirements of ATS. Key length: If you select Automatic for CSR Generation, a key that is generated by the system uses 2048-bit RSA encryption. This meets the requirements of ATS. If you select Manual for CSR Generation, you must use 2048-bit or higher RSA encryption.
Transmission protocol	Make sure that Transport Layer Security (TLS) 1.2 is configured on your web server because you need to enable TLS 1.2 on your web server to support ATS. If you use a web server that has OpenSSL installed, you must use OpenSSL 1.0 or later versions. We recommend that you use OpenSSL 1.0.1 or later versions. If you use a web server on which the Java runtime environment (JRE) is installed, you must use JDK 1.7 or later versions. If you use other web server except IIS 7.5 and Weblogic 10.3.6 servers and if your server version meets the requirements, TLS 1.2 is enabled by default. Before you can enable TLS 1.2 on your web server, make sure that the configurations of your web server meet the following requirements: If you use an Apache or NGINX web server, you must use OpenSSL 1.0 or later versions. If you use a web server that runs Tomcat 7 or later versions, you must use JDK 7.0 or later versions. By default, TLS 1.2 is disabled on IIS 7.5 web servers. If you want to enable TLS 1.2, you must modify the registry on your web server. After you download and import the ats.reg registry script, you must restart or log off from your web server to validate TLS 1.2. IBM Domino Server 9.0.1 FP3 web servers support TLS 1.2. However, we recommend that you use IBM Domino 9.0.1 Server FP5 web servers to support ATS. For more information, see IBM HTTP SSL Server Questions and Answers. Web servers that run IBM HTTP Server 8.0 or later versions support TLS 1.2. We recommend that you use web servers that run IBM HTTP Server 8.5 or later versions to support ATS. If your web server runs Weblogic 10.3.6 or later versions, you must use Java 7 or later versions. Note In Weblogic 10.3.6, multiple SHA-256 compatibility issues are detected. We recommend that you use web servers that run Weblogic 12 or later versions. If you persist to use web servers that run Weblogic 10.3.6, you must configure frontend Apache or NGINX proxy that is based on HTTPS or configure frontend load balancing. Webspere V7.0.0.23 and later versions, Webspere V8.0.0.3 and later versions, and Webspere V8.5.0.0 and later versions support TLS 1.2. For more information about how to configure Webspere web servers to support TLS 1.2, see Configure websphere application server SSL protocol to TLS 1.2.
Signature algorithm	The signature algorithm must be one of the following algorithms: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Configuration examples

The following examples describe how to configure the attributes that meet the requirements of ATS and encryption suites for different types of web servers.

Notice In the following examples, only the attributes that meet the requirements of ATS are included. In actual case, you must configure the attributes and encryption suites based on your server conditions.

Part of the NGINX configuration file

The ssl_ciphers and ssl_protocols attributes in the NGINX configuration file meet the requirements of ATS.


server {
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}

Part of the Tomcat configuration file

The SSLProtocol and SSLCipherSuite attributes in the Tomcat configuration file meet the requirements of ATS.


<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
SSLProtocol="TLSv1.1+TLSv1.2+ TLSv1.3"
SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />

For more information about how to configure IIS web servers, see Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength. You can also use a visualized plug-in to configure IIS web servers. For more information, see IIS Crypto.

ATS tool

You can run the nscurl --ats-diagnostics --verbose URL command by using a system tool on macOS to check whether your certificate meets the requirements of ATS.