Starting January 1, 2017, Apple requires all iOS applications to use App Transport Security (ATS). ATS forces iOS applications to communicate over HTTPS, which improves security.
Alibaba Cloud CDN and Server Load Balancer (SLB) use the HTTPS configurations that meet the requirements of ATS.
Certificate configuration requirements
The following table lists the certificate requirements that must be met to support ATS:
| Item | Description |
| --- | --- |
| Certificate authority (CA) | We recommend that you use organization validated (OV) or extended validation (EV) certificates issued by GlobalSign. |
| Hash algorithm and key length | |
| Transmission protocol | Make sure that Transport Layer Security (TLS) 1.2 is enabled on your web server, because ATS requires TLS 1.2. Before you enable TLS 1.2 on your web server, make sure that the configuration of your web server meets the following requirements: |
| Signature algorithm | The signature algorithm must be one of the following algorithms: |
Configuration examples
The following examples describe how to configure the attributes that meet the requirements of ATS and encryption suites for different types of web servers.
The following examples include only the attributes that are relevant to ATS. In practice, you must configure the attributes and cipher suites based on the conditions of your own server.
Part of the NGINX configuration file
The ssl_ciphers and ssl_protocols attributes in the NGINX configuration file meet the requirements of ATS.
```nginx
server {
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
```
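As an added example (not part of this page or of Alibaba Cloud's documentation), the Python script below checks an NGINX `ssl_protocols`/`ssl_ciphers` pair against the two points above: TLS 1.2 must be enabled, and the ATS suite must actually be negotiable once the local OpenSSL expands the cipher string (ECDHE-RSA-AES128-GCM-SHA256 is the OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from the Tomcat example). The snippet text and the function names are constructed for this example.

```python
"""Lint NGINX TLS directives against the ATS points this page lists."""
import re
import ssl

# Constructed sample: the NGINX snippet shown on this page, as text.
NGINX_SNIPPET = """
server {
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
"""

# OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the suite the
# page's Tomcat example enables for ATS.
ATS_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(snippet):
    """Return {directive: value} for the ssl_protocols / ssl_ciphers lines."""
    pattern = r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);"
    return {m.group(1): m.group(2).strip() for m in re.finditer(pattern, snippet, re.M)}


def expand_ciphers(cipher_string):
    """Ask the local OpenSSL which suites the cipher string really enables.

    TLS 1.3 suites (OpenSSL names starting with TLS_) are configured
    separately, so they are dropped to keep only the TLS 1.2 list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # nothing selectable, e.g. an empty or bogus string
        return []
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def check_ats(snippet):
    """Return {"ats_ok": bool, "warnings": [...]} for an NGINX snippet."""
    d = parse_directives(snippet)
    protocols = d.get("ssl_protocols", "").split()
    suites = expand_ciphers(d.get("ssl_ciphers", ""))
    # Legacy versions do not break ATS clients, but they are never used by them.
    warnings = [f"{p} is enabled; ATS clients will not use it" for p in protocols if p in LEGACY_PROTOCOLS]
    if ATS_SUITE in suites and suites[0] != ATS_SUITE:
        warnings.append(f"{ATS_SUITE} is enabled but is not the first TLS 1.2 preference")
    ats_ok = "TLSv1.2" in protocols and ATS_SUITE in suites
    return {"ats_ok": ats_ok, "warnings": warnings}
```

Running `check_ats(NGINX_SNIPPET)` on the page's snippet reports `ats_ok` as true and a warning that TLSv1.1 is enabled.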
Part of the Tomcat configuration file
The SSLProtocol and SSLCipherSuite attributes in the Tomcat configuration file meet the requirements of ATS.
```xml
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />
```
For more information about how to configure IIS web servers, see Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength. You can also use a graphical tool to configure IIS web servers. For more information, see IIS Crypto.
ATS tool
On macOS, you can run the built-in nscurl tool to check whether your certificate meets the requirements of ATS:
```shell
nscurl --ats-diagnostics --verbose URL
```