TLS V 1.1 and TLS V 1.2 iOS issue


Problem description

Questions:

  1. Do I still need to add the NSAppTransportSecurity feature to my info.plist if my servers are already running TLS1.2? If yes, why? Shouldn't all Apple devices running iOS9 or >iOS10.11 versions be okay with the TLS1.2 setting?

  2. What is forward secrecy? Why do I need to enable or disable it for specific domains?

  3. What is a cipher suite?

Accepted answer

  1. The Min TLS version in your Info.plist is only needed if your server does not support at least TLS 1.2. If your server is TLS 1.2, you won't need to add an exception to your Info.plist. However, the ATS requirements are much more than just the TLS version (see the useyourloaf.com article, specifically the "Not Just HTTPS" section).

  2. Forward secrecy is a feature of your server security that ensures that if your key is compromised, any past traffic that was captured and stored wouldn't be able to be decrypted wholesale. Some servers don't support it for legitimate reasons, so Apple does allow you to add an exception in your ATS exceptions without requiring justification when you submit for the app store.

  3. A cipher suite is a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings (from Wikipedia). Basically it is a combination of the parts that make the server encryption work.


If you're unsure if your connections to your server will have problems with ATS, you can simply run your app on an iOS 10 device (I would do an iOS 9 device as well, as there are differences between the two for some scenarios). If the connections fail due to ATS, you will either need to make some server changes, or add exceptions to your Info.plist.

Or you could run the following command on your Mac terminal: nscurl --ats-diagnostics <url>. It will run a full suite of ATS checks on your server and report any failures. Failures will generally mean you need to add an ATS exception or address the failure on the server.

For more information about ATS troubleshooting and diagnostics, again this article is a great resource. It discusses some of the things I've said above, as well as enabling more detailed CFNETWORK_DIAGNOSTICS logging.
