TLS 1.2 - 1st Jan 2017 deadline

Hi,


In WWDC it was mentioned that apps will need to connect onto TLS 1.2 domains starting 1st Jan 2017. Have a few questions.


1. Is this a hard requirement or will TLS exclusions continue to apply?

2. Will it be a requirement for updates to apps already on the App Store?

3. Will it only apply to new app submissions?


My app has links that open out into Safari and that domain is not TLS 1.2 compliant yet. Though we're working towards getting that ready, needed to have the right picture for the above announcement.

The way I took the presentation is that allow arbitrary loads would no longer be sufficient. They did say you can use the domain filter to allow certain websites with a reason tied to it, but to use the whole "complete off" switch would be an issue. I could be wrong, but that's how I took it.

If that is the case, it would be great! It would be reasonable as many apps that link to media streaming servers will take time to get onto TLS/HTTPS compliance.


If anyone from Apple could confirm this behaviour, it would help us make the decision.

Wait - I thought that come January 2017 for your own servers you:

  1. Cannot make TLS v1.x < 1.2 exceptions
  2. Cannot make Perfect Forward Secrecy set to NO
  3. Cannot have any certificate (except for the primary root certificate) in the certificate chain use a signature algorithm < SHA-256
  4. Cannot have insecure HTTP loads



Can someone assign a yes or no to this list's items?



Thanks,


Neal

In WWDC session 706, the speaker states:

“So, for all of these Exceptions that actually turn off App Transport Security, or its key properties like using TLS 1.2, you'll need to explain why you need to use this Exception in the first place.”

Looks like apps can still connect to < TLS1.2 endpoints, if we can explain the reason to Apple. How would we do this?

Can someone pls reply to this as that will help us plan the backend upgrades accordingly?

No one with the know-how is replying to your question. I'd like an answer as well.
