Effective from January 1, 2017, Apple requires that all iOS applications use ATS (App Transport Security). HTTPS must be used for communications within iOS applications, and all applications must comply with the new requirements in iOS 9.

Note
The HTTPS configuration in Alibaba Cloud CDN and SLB is fully ATS-compliant.

Apple ATS imposes the following requirements on the HTTPS protocol:

CA

We recommend that you use OV and higher-level certificates from Entrust.

Hash algorithm and key length of certificate

  • Hash algorithm: SHA256 or a stronger hash algorithm is recommended. SHA256 is ATS-compliant.
  • Length of private key
    • If the CSR file is generated by the system, the private key is a 2,048-bit RSA key, which is fully ATS-compliant.
    • If you create the CSR file yourself, use an RSA key of 2,048 bits or longer.

Transport protocol

The server must support TLS v1.2. Generally, the following requirements must be met to enable TLS v1.2 on a web server:

  • For an OpenSSL-based web server, OpenSSL 1.0 or later is needed (OpenSSL 1.0.1 or later is recommended).
  • For a Java-based web server, JDK 1.7 or later is needed.
  • For other web servers, except for IIS 7.5 and Weblogic 10.3.6, TLS v1.2 is enabled by default once the required server version is used.

Web server configurations that meet TLSv1.2 requirements are as follows:

  • For Apache and Nginx web servers, OpenSSL 1.0 or later is needed to support TLS v1.2.
  • For Tomcat 7 or later web servers, JDK 7.0 or later is needed to support TLS v1.2.
  • For IIS 7.5 web servers, TLS v1.2 is disabled by default. You have to modify the registry to enable it.

    Download and import the ats.reg registry script, and then restart (or log off from) the server for TLS v1.2 to take effect.

  • For IBM Domino Server 9.0.1 FP3 web servers, TLS v1.2 is supported. To be ATS-compliant, we recommend that you use IBM Domino Server 9.0.1 FP5. For more information, see:
  • For IBM HTTP Server 8.0 or later, TLS v1.2 is supported. To be ATS-compliant, we recommend that you use IBM HTTP Server 8.5.
  • For Weblogic 10.3.6 or later web servers, Java 7.0 or later is needed to support TLS v1.2.
    Note
      Weblogic 10.3.6 contains many SHA256 compatibility bugs. Therefore, we recommend that you use Weblogic 12 or later. Alternatively, you can place Apache or Nginx in front of Weblogic 10.3.6 as an HTTPS reverse proxy or SSL offloading front end.
  • For Websphere 7.0.0.23 or later, Websphere 8.0.0.3 or later, and Websphere 8.5.0.0 or later versions, TLS v1.2 is supported. For information about how to configure other Websphere server versions to support TLS v1.2, see Configure websphere application server SSL protocol to TLSv1.2.

Cipher suites

The server must support at least one of the following cipher suites (the list below gives the IANA names; Nginx and Tomcat configurations use the corresponding OpenSSL names):

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Configuration samples

The following samples show how to configure the ATS-related protocol versions and cipher suites for different web servers:
Note
The samples only list the attributes related to ATS. Do not copy the following configurations into your production environment as they are.

Nginx configuration sample

In the Nginx configuration file, the ssl_ciphers and ssl_protocols directives are related to ATS.

server {
    # ATS clients negotiate TLS v1.2; TLSv1 and TLSv1.1 remain listed here only for older clients
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
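The following script is an added example, not part of the original page: it uses the Python standard-library ssl module (and therefore the local OpenSSL) to expand an ssl_ciphers / SSLCipherSuite string exactly as Nginx or the Tomcat APR connector would, and reports which of the eleven ATS cipher suites from the list above it offers and whether any non-ATS suite is ranked ahead of them. The cipher string is the one from the Nginx sample, written without whitespace after each "!" (OpenSSL treats a space as a list separator, so "! NULL" would not exclude the NULL ciphers). The probe_server helper is a hypothetical companion to nscurl that forces a TLS v1.2 handshake offering only the ATS suites; it needs network access and is not called at import time.

```python
import socket
import ssl

# The eleven cipher suites ATS accepts, in IANA notation (as listed above).
ATS_SUITES_IANA = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# The Nginx ssl_ciphers value from the sample above, without stray spaces.
NGINX_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4"


def iana_to_openssl(name):
    """Translate an IANA suite name into the OpenSSL name used by nginx's
    ssl_ciphers and Tomcat's SSLCipherSuite, e.g.
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256.
    The rewrite rules cover the ECDHE/AES family that ATS lists; other
    families (DHE, CHACHA20, ...) would need additional rules."""
    s = name[4:] if name.startswith("TLS_") else name
    s = s.replace("_WITH_", "_").replace("_CBC", "")
    s = s.replace("AES_128", "AES128").replace("AES_256", "AES256")
    return s.replace("_", "-")


ATS_SUITES_OPENSSL = {iana_to_openssl(n) for n in ATS_SUITES_IANA}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of TLS <= 1.2
    suites it selects, using the local OpenSSL just as nginx would.
    Raises ssl.SSLError if the string selects no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also reports the fixed TLS 1.3 suites, which ssl_ciphers
    # does not govern; drop them so the report reflects the TLS 1.2 handshake.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Report how an ssl_ciphers / SSLCipherSuite value fares against ATS.

    With server-side preference (ssl_prefer_server_ciphers on) the first suite
    in this list that the client also offers wins, so a non-ATS suite ranked
    ahead of the ATS suites can still break iOS clients; non_ats_before lists
    exactly those suites."""
    offered = expand_cipher_string(cipher_string)
    ats = [c for c in offered if c in ATS_SUITES_OPENSSL]
    first_ats = offered.index(ats[0]) if ats else len(offered)
    return {
        "compliant": bool(ats),
        "ats_suites": ats,
        "other_suites": [c for c in offered if c not in ATS_SUITES_OPENSSL],
        "non_ats_before": offered[:first_ats],
    }


def probe_server(host, port=443, timeout=5.0):
    """Hypothetical live check in the spirit of nscurl --ats-diagnostics: force
    a TLS 1.2 handshake that offers only the ATS suites, with the normal chain
    and hostname verification. Needs network access; not called at import."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(ATS_SUITES_OPENSSL)))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"compliant": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # Certificate, hostname, protocol-version and cipher mismatches all
        # surface here; any of them means an iOS client would fail as well.
        return {"compliant": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    print(audit_cipher_string(NGINX_CIPHERS))
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]))
```

Run it with no arguments to audit the sample cipher string offline, or with a host name to probe a live server. The expansion result depends on the ciphers compiled into the local OpenSSL, so run the audit on the same host (or the same OpenSSL build) that serves the site.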

Tomcat configuration sample

In the Tomcat configuration file, the SSLProtocol and SSLCipherSuite attributes are related to ATS.

<!-- ciphers applies to the JSSE (BIO/NIO) connector; SSLProtocol and SSLCipherSuite apply to the APR/native connector -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />

For information about how to configure IIS web servers, see Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength. Alternatively, you can use the IIS Crypto GUI configuration plugin to perform the configuration.

ATS testing tool

You can test ATS compliance with the nscurl tool that ships with macOS. Run the following command against your domain, replacing <website URL> with the HTTPS URL of your site:

nscurl --ats-diagnostics --verbose <website URL>