7 Replies
      Latest reply: Dec 20, 2016 1:32 AM by eskimo RSS
      vickyzhang209 Level 1 Level 1 (0 points)

        Hi

           For App Transport Security REQUIRED January 2017, what's the  impact on apps use 3rd party library to do HTTPS communication:

        1. Will Apple force the app to use only its high-level APIs to do HTTPS communication and will deny the apps using 3rd party library such as openssl that can support X509/TSL1.2/AES-128/AES256 etc including following requirements?

        Requirements for Connecting Using ATS

        With App Transport Security (ATS) fully enabled, the system requires that your app’s HTTP connections use HTTPS and that they satisfy the following security requirements:

        • The X.509 digital server certificate must meet at least one of the following trust requirements:
          • Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
          • Issued by a trusted root CA and installed by the user or a system administrator
        • The negotiated Transport Layer Security (TLS) version must be TLS 1.2. Attempts to connect without TLS/SSL protection, or with an older version of TLS/SSL, are denied by default.
        • The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • The leaf server certificate must be signed with one of the following types of keys:
          • Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
          • Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
        • In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).

        2. If Apple can accept the app use 3rd party library, does the app use 3rd party library also not allowed to disable ATS in Info.plist?

        Thanks