From January 1, 2017, Apple requires that all iOS applications use App Transport Security
(ATS). ATS forces iOS applications to communicate over HTTPS, which improves security.
Note Alibaba Cloud CDN and Server Load Balancer (SLB) already use HTTPS configurations that
meet the requirements of ATS.
Certificate configuration requirements
The following table lists the certificate requirements that must be met to support
ATS:

Item: Certificate authority (CA)
Description: We recommend that you use organization validated (OV) or extended validation (EV)
certificates issued by Entrust or GlobalSign.

Item: Hash algorithm and key length
Description:
- Hash algorithm: Entrust and GlobalSign certificates use SHA-256 or a stronger algorithm,
  which meets the requirements of ATS.
- Key length:
  - If you select Automatic for CSR Generation, the key that the system generates is a
    2048-bit RSA key, which meets the requirements of ATS.
  - If you select Manual for CSR Generation, you must use a 2048-bit or longer RSA key.

Item: Transmission protocol
Description: Make sure that Transport Layer Security (TLS) 1.2 is enabled on your web server,
because ATS requires TLS 1.2.
- If your web server uses OpenSSL, you must use OpenSSL 1.0 or later. We recommend OpenSSL
  1.0.1 or later.
- If your web server runs on the Java runtime environment (JRE), you must use JDK 1.7 or later.
- On web servers other than IIS 7.5 and WebLogic 10.3.6, TLS 1.2 is enabled by default if
  the server version meets the requirements.
Before you enable TLS 1.2 on your web server, make sure that the server meets the following
requirements:
- Apache or NGINX: you must use OpenSSL 1.0 or later.
- Tomcat 7 or later: you must use JDK 7.0 or later.
- IIS 7.5: TLS 1.2 is disabled by default. To enable TLS 1.2, you must modify the registry on
  your web server. After you download and import the ats.reg registry script, you must restart
  the server or log off for TLS 1.2 to take effect.
- IBM Domino Server 9.0.1 FP3 supports TLS 1.2. However, we recommend IBM Domino Server 9.0.1
  FP5 to support ATS. For more information, see IBM HTTP SSL Server Questions and Answers.
- IBM HTTP Server 8.0 or later supports TLS 1.2. We recommend IBM HTTP Server 8.5 or later to
  support ATS.
- WebLogic 10.3.6 or later: you must use Java 7 or later.
  Note Multiple SHA-256 compatibility issues have been found in WebLogic 10.3.6. We recommend
  WebLogic 12 or later. If you continue to use WebLogic 10.3.6, you must place an HTTPS-based
  Apache or NGINX reverse proxy, or a frontend load balancer, in front of it.
- WebSphere V7.0.0.23 and later, V8.0.0.3 and later, and V8.5.0.0 and later support TLS 1.2.
  For more information about how to configure WebSphere to support TLS 1.2, see Configure
  websphere application server SSL protocol to TLS 1.2.

Item: Signature algorithm
Description: One of the following TLS cipher suites must be negotiated:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Configuration examples
The following examples show how to configure the protocol and cipher suite settings that
meet the requirements of ATS on different types of web servers.
Notice The following examples include only the settings that are relevant to ATS. In
practice, you must configure the settings and cipher suites based on the conditions of
your own server.
Part of the NGINX configuration file
The ssl_ciphers and ssl_protocols directives in the NGINX configuration file meet
the requirements of ATS.
    server {
        # Lists an ATS-listed ECDHE suite first, then the broader OpenSSL cipher groups.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.2 must be enabled for ATS.
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    }
Part of the Tomcat configuration file
The SSLProtocol and SSLCipherSuite attributes of the Connector in the Tomcat configuration
file meet the requirements of ATS.
    <!-- TLS 1.2 is enabled and an ATS-listed ECDHE suite is listed first. -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />
For more information about how to configure IIS web servers, see Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength. You can also use a graphical tool to configure IIS web servers. For more information,
see IIS Crypto.
ATS tool
On macOS, you can run the built-in nscurl --ats-diagnostics --verbose URL command to check
whether your certificate and TLS configuration meet the requirements of ATS.
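The following Python script is an added example and is not part of this page or of Alibaba Cloud's tooling; it checks TLS settings against the table above without a network connection. It expands the ssl_ciphers string from the NGINX example through the local OpenSSL build (via Python's ssl module), translates the OpenSSL cipher names into the IANA names used in the Signature algorithm row, and applies the protocol, key length and hash rows to one observed handshake. The function names and the sample handshake values are constructed for this example.

```python
import re
import ssl

# The eleven suites from the Signature algorithm row: RSA has five, ECDSA the same five plus one.
ATS_CIPHER_SUITES = frozenset(
    f"TLS_ECDHE_{auth}_WITH_AES_{bits}_{mode}_{mac}"
    for auth in ("ECDSA", "RSA")
    for bits, mode, mac in [(256, "GCM", "SHA384"), (128, "GCM", "SHA256"),
                            (256, "CBC", "SHA384"), (128, "CBC", "SHA256"), (128, "CBC", "SHA")]
) | {"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}
# ssl_ciphers value copied from the NGINX example on this page.
NGINX_SSL_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"
# OpenSSL name grammar for the AES suites; TLS 1.3 and non-AES names deliberately do not match.
_AES_NAME = re.compile(
    r"^(?:(ECDHE|DHE|ECDH)-)?(?:(RSA|ECDSA)-)?AES(128|256)(?:-(GCM))?-(SHA(?:256|384)?)$")

def openssl_to_iana(name):
    """Translate an OpenSSL AES cipher name to its IANA name, or None when it does not apply."""
    m = _AES_NAME.match(name)
    if not m:
        return None
    kx, auth, bits, mode, mac = m.groups()
    kx_auth = "_".join(p for p in (kx, auth) if p) or "RSA"  # bare AES128-SHA is RSA key exchange
    return f"TLS_{kx_auth}_WITH_AES_{bits}_{mode or 'CBC'}_{mac}"

def ats_suites_offered(ssl_ciphers):
    """Expand an OpenSSL cipher string locally and return the offered suites that are on the ATS list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ssl_ciphers)
    offered = {openssl_to_iana(c["name"]) for c in ctx.get_ciphers()}
    return sorted(offered & ATS_CIPHER_SUITES)

def ats_findings(protocol, iana_suite, rsa_key_bits, sig_hash):
    """Apply the table's other rows to one observed handshake; an empty list means no finding."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {protocol}; ATS requires TLS 1.2")
    if iana_suite not in ATS_CIPHER_SUITES:
        findings.append(f"{iana_suite} is not on the ATS cipher suite list")
    if rsa_key_bits < 2048:
        findings.append(f"{rsa_key_bits}-bit RSA key; ATS requires 2048 bits or more")
    if sig_hash.upper() not in ("SHA256", "SHA384", "SHA512"):
        findings.append(f"certificate signed with {sig_hash}; ATS requires SHA-256 or stronger")
    return findings

if __name__ == "__main__":
    print("ATS suites offered by the NGINX example:", ats_suites_offered(NGINX_SSL_CIPHERS))
    # Constructed handshake: TLS 1.0, RSA key exchange, 1024-bit key, SHA-1 certificate signature.
    print(ats_findings("TLSv1", "TLS_RSA_WITH_AES_128_CBC_SHA", 1024, "sha1"))
```

Suites that OpenSSL expands from the string but that are not on the ATS list are left out of the result; they stay available to other clients, since ATS only constrains the suite that is negotiated with the iOS client.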