

ATS secure connection requirements

Starting with iOS 9, ATS (App Transport Security) is enabled by default, so only secure HTTPS connections are allowed.
The requirements for a secure HTTPS connection are as follows.

  • The server certificate must meet at least one of the following trust requirements:
    Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
    Issued by a trusted root CA and installed by the user or a system administrator
  • The negotiated Transport Layer Security version must be TLS 1.2
  • The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
    In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).

These are the defaults, but there is a way to bypass them:
this is done by modifying the App Transport Security Settings in the app's Info.plist.




1. ATS keys (Table 2)
NSExceptionDomains <dictionary> : defines the domains that are treated as exceptions to the ATS rules
NSAllowsArbitraryLoads <boolean> : flag that disables ATS

2. NSExceptionDomains keys (Table 3)
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion 
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionRequiresForwardSecrecy
NSThirdPartyExceptionMinimumTLSVersion
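As an added example (not from the original post), a small Python audit that reads the keys from Tables 2 and 3 out of an Info.plist and flags every setting that relaxes ATS. The plist and the example.com domains are constructed for this example; plistlib is the standard-library parser.

```python
import plistlib

# Constructed Info.plist fragment (hypothetical app, not a real one): a global
# NSAllowsArbitraryLoads opt-out plus two per-domain NSExceptionDomains entries.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Per-domain keys from Table 3 and the value that weakens ATS for each.
WEAKENING = {
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSExceptionRequiresForwardSecrecy": False,
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": True,
    "NSThirdPartyExceptionRequiresForwardSecrecy": False,
}
MIN_TLS_KEYS = ("NSExceptionMinimumTLSVersion",
                "NSThirdPartyExceptionMinimumTLSVersion")


def audit_ats(plist_bytes):
    """Return (scope, finding) pairs for every setting that relaxes ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads disables ATS for all domains"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" +subdomains" if cfg.get("NSIncludesSubdomains") else "")
        for key, weak in WEAKENING.items():
            if cfg.get(key) == weak:
                findings.append((scope, f"{key}={weak}"))
        for key in MIN_TLS_KEYS:
            ver = cfg.get(key)
            # Values are "TLSv1.0".."TLSv1.3", so string order matches version order.
            if ver is not None and ver < "TLSv1.2":
                findings.append((scope, f"{key}={ver} is below the TLS 1.2 baseline"))
    return findings
```

Calling audit_ats(SAMPLE_PLIST) returns four findings: the global opt-out and three for legacy.example.com, while api.example.com (TLS 1.2, nothing else relaxed) produces none.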


3. Using the nscurl tool to diagnose ATS connection issues

/usr/bin/nscurl --ats-diagnostics --verbose URL

Running the command above prints a PASS/FAIL handshake result for each set of ATS conditions it tries.

Log output when the handshake fails
2016-01-11 11:28:38.535 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.555 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.575 nscurl[1433:401974] CFNetwork SSLHandshake failed (-9824)
2016-01-11 11:28:38.575 nscurl[1433:401974] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL

Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={_kCFStreamErrorCodeKey=-9824, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSUnderlyingError=0x7fbab3f2de90 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9824, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://abs.com/, NSErrorFailingURLStringKey=https://abs.com/, _kCFStreamErrorDomainKey=3}

