ATS and Windows Server / IIS

Hello,


Is there a document about configuration of Windows Server (at least 2008R2, 2012 and 2012R2) to be compatible with ATS?

Replies

My first message was too small.


It can be useful to have more information on configuration of well-known web servers (Windows Server IIS, but the same applies to other servers) to enable compatibility with ATS.


Also, it can be useful to have a web utility to check a server configuration (giving some information about failures).


And, what older OS and software (from Apple and the rest of the world) can be broken by this configuration modification?


Some servers without personal info will prefer to keep compatibility with old clients rather than ATS compatibility, but we must know more ...


regards

Gilles Vollant


Note: the ssllabs.com website contains a test suite.

Is there a document about configuration of Windows Server (at least 2008R2, 2012 and 2012R2) [to] be compatible with ATS

You should look to your server vendor for this.

Also, it can be useful to have a web utility to check a server configuration (giving some information about failures)

On OS X you can use nscurl to investigate ATS issues.

For other platforms, again, you’ll need to look to your platform vendor.

And, what older OS and software (from Apple and the rest of the world) can be broken by this configuration modification?

I believe that a correctly configured server can work with ATS and all older versions of iOS (and all recent versions of OS X, say 10.5 and later). Breaking down the requirements:

  • TLS 1.2 has to be offered to support iOS 9, but the server is allowed to support older versions for older clients.

  • The server must support a forward secrecy cypher suite when the client requests it but, again, it’s allowed to support less secure suites for older clients.

  • You have to go a long way back before you find Apple code that doesn’t support certificates using 2048-bit RSA with SHA-2/256 (perhaps to traditional Mac OS).

With regard to other platforms, that is, again, a question for your platform vendor. AFAIK there’s nothing about ATS that definitely breaks older clients. Support for 2048-bit RSA with SHA-2/256 is commonplace and clients are expected to handle TLS version and cypher suite negotiation. However, my experience is that a lot of TLS implementations don’t deal with this well, so I recommend that you explicitly test with the clients you care about and follow up with the platform vendor if things don’t work.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
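The requirements Quinn lists (TLS 1.2 offered, a forward-secrecy cipher suite, 2048-bit RSA with SHA-256) can be turned into the kind of server check Gilles asked for. The script below is an added example, not code from this thread, from Apple or from the ssllabs.com test suite. It evaluates a set of observed handshake parameters against those rules and reports each failure separately, which is what you need when deciding whether a server can keep a legacy suite for old clients while still satisfying ATS. It goes beyond the reply in two assumptions, both marked in the code: that TLS 1.3 suites count as forward secret (they are all ECDHE-based) and that a 256-bit EC key is an acceptable alternative to 2048-bit RSA. The `probe()` helper uses only the standard library, so it can report the negotiated protocol and cipher suite but not the certificate key size or signature hash; those are left for the caller to supply (for instance from `openssl x509 -text` or the ssllabs.com report), and the evaluator flags them as unverified when absent. The sample parameter sets are constructed for illustration.

```python
"""Check observed TLS handshake parameters against the ATS server requirements.

Added example, not Apple's code. The rule set follows the thread: TLS 1.2 or later,
a forward-secrecy (ECDHE) cipher suite, and a leaf certificate with a 2048-bit RSA
key signed with SHA-256 or stronger. Assumptions beyond the thread are marked.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerParams:
    tls_version: str                  # as reported by ssl, e.g. "TLSv1.2"
    cipher_suite: str                 # OpenSSL-style name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    key_type: Optional[str] = None    # "RSA" or "EC"; None means not determined
    key_bits: Optional[int] = None    # leaf certificate key size; None means not determined
    sig_hash: Optional[str] = None    # certificate signature hash, e.g. "sha256"; None means not determined


ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}
# Assumption: EC keys of 256 bits are accepted alongside 2048-bit RSA (not stated in the thread).
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIG_HASHES = {"md5", "sha1"}


def has_forward_secrecy(tls_version: str, cipher_suite: str) -> bool:
    """ECDHE suites provide forward secrecy. Assumption: every TLS 1.3 suite does too."""
    return tls_version == "TLSv1.3" or "ECDHE" in cipher_suite.upper()


def evaluate(p: ServerParams) -> List[str]:
    """Return one message per ATS requirement the observed parameters fail to meet."""
    problems = []
    if p.tls_version not in ACCEPTED_TLS:
        problems.append(f"negotiated {p.tls_version!r}; ATS requires TLS 1.2 or later")
    if not has_forward_secrecy(p.tls_version, p.cipher_suite):
        problems.append(f"cipher suite {p.cipher_suite!r} lacks forward secrecy (no ECDHE)")
    if p.key_type is None or p.key_bits is None:
        problems.append("leaf key not determined; verify >= 2048-bit RSA (or >= 256-bit EC)")
    else:
        needed = MIN_KEY_BITS.get(p.key_type.upper())
        if needed is None:
            problems.append(f"unsupported key type {p.key_type!r}")
        elif p.key_bits < needed:
            problems.append(f"{p.key_type} key is {p.key_bits} bits; ATS requires >= {needed}")
    if p.sig_hash is None:
        problems.append("certificate signature hash not determined; verify SHA-256 or stronger")
    elif p.sig_hash.lower() in WEAK_SIG_HASHES:
        problems.append(f"certificate signed with {p.sig_hash}; ATS requires SHA-256 or stronger")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ServerParams:
    """Live probe with the standard library: fills in protocol and cipher suite only.

    Recent Python versions refuse anything below TLS 1.2 by default, so a handshake
    failure here is itself evidence that the server does not offer TLS 1.2.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, _secret_bits = tls.cipher()
                return ServerParams(tls_version=version, cipher_suite=name)
    except ssl.SSLError as exc:
        return ServerParams(tls_version=f"handshake failed ({exc.reason})", cipher_suite="")


# Constructed sample parameter sets (not measurements of any real server).
SAMPLE_ATS_READY = ServerParams("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048, "sha256")
SAMPLE_LEGACY = ServerParams("TLSv1.0", "AES128-SHA", "RSA", 1024, "sha1")


def report(label: str, p: ServerParams) -> List[str]:
    problems = evaluate(p)
    print(f"{label}: {'ATS compatible' if not problems else 'NOT ATS compatible'}")
    for msg in problems:
        print(f"  - {msg}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report(sys.argv[1], probe(sys.argv[1]))   # e.g. python ats_check.py www.example.com
    else:
        report("sample ATS-ready server", SAMPLE_ATS_READY)
        report("sample legacy server", SAMPLE_LEGACY)
```

Because each failing requirement is reported on its own line, the output maps directly onto Quinn's breakdown: a server that still offers TLS 1.0 and a non-ECDHE suite to old clients is fine as long as the parameters negotiated by an ATS client pass every check, so the probe should be run from the client configuration you care about rather than from a single default one.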