티스토리 뷰


ATS 의 안전한 연결 조건

iOS 9 에서부터는 기본적으로  ATS 가 적용되어 안전한 https 연결만을 지원하고 있다.
안전한 https 연결 조건은 아래와 같다.

  • The server certificate must meet at least one of the following trust requirements:
    Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security version must be TLS 1.2
  • The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).

기본적으로는 위와 같지만 이를 우회할 수 있는 방법도 존재하는데,
이는 plist 의 App Transport Security Settings 를 수정함으로써 가능하다.




1. ATS 의 column <Table2>
NSExceptionDomains <dictionary> : ATS 환경이 아닌 예외로 둘 도메인 정의
NSAllowsArbitraryLoads <boolean> : ATS 비활성화 flag

2. NSExceptionDomains 의 column <Table3>
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion 
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionRequiresForwardSecrecy
NSThirdPartyExceptionMinimumTLSVersion


3. Using the nscurl tool to diagnose(진단) ATS Connection Issues

/usr/bin/nscurl --ats-diagnostics --verbose URL

위와 같은 명령어를 치면 조건에 따라 handshaking 의 PASS/FAIL 결과가 나온다.

handShaking 에 실패했을 때 LOG
2016-01-11 11:28:38.535 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.555 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.575 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.575 nscurl[1433:401974] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL

Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbab3f2de90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://abs.com/, NSErrorFailingURLStringKey=https://abs.com/, _kCFStreamErrorDomainKey=3}


공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
«   2024/12   »
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31
글 보관함