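Summary
This article explains how ATS affects HTTP requests under iOS 9 and how to adapt to it.
2016.7.1: Revised the article to follow changes in Apple's official documentation, and added a description of nscurl, the command-line tool for diagnosing ATS.
2015.8.19: Explained how ATS affects HTTP requests under iOS 9 and how to adapt to it.
iOS 9 introduces the App Transport Security (ATS) feature. Its main effect is that requests which previously used HTTP are moved to transport over TLS 1.2. This also means that all HTTP traffic is forced onto HTTPS. The original text reads: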
App Transport Security
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
If we make an HTTP request directly under iOS 9, we receive the following error:
App Transport Security has blocked a cleartext HTTP (http://)
resource load since it is insecure. Temporary exceptions can be
configured via your app's Info.plist file.
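The system tells us that we cannot make requests over HTTP directly, and that a section controlling ATS has to be added to Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
That is:
In this configuration, NSAppTransportSecurity is the root node of the ATS configuration; its presence tells the system to use custom ATS settings. The NSAllowsArbitraryLoads node controls whether ATS is disabled: setting it to YES disables ATS.
ATS is a feature added in iOS 9.0 and OS X v10.11. An app built with the iOS 9.0 or OS X v10.11 SDK (or a later SDK) has ATS enabled by default, so ATS then has to be configured. An app built with an SDK earlier than iOS 9.0 or OS X v10.11 has ATS disabled by default, so its network connections are not affected (even when it runs on an iOS 9.0 device).
At this point the configuration above adapts to iOS 9 perfectly well. But if you want to follow the standard Apple sets out and make your data more secure, read on.
In fact ATS does not only restrict HTTP; it also places requirements on HTTPS. Take Baidu's address as an example (note: when this example was written Baidu did not yet meet the ATS requirements; Baidu now supports ATS). Requesting https://www.baidu.com from an app produces the following error: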
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
The official documentation (https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33) shows that HTTPS requests have to meet the following requirements:
Requirements for Connecting Using ATS
With ATS fully enabled, your app’s HTTP connections must use HTTPS and must satisfy the following security requirements:
- The server certificate must meet at least one of the following trust requirements:
  - Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
  - Issued by a trusted root CA and installed by the user or a system administrator
- The negotiated Transport Layer Security version must be TLS 1.2
- The negotiated TLS connection cipher suite must support forward secrecy (FS) and be one of the following:
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- The leaf server certificate must be signed with one of the following types of keys:
  - Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
  - Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
  In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 (that is, SHA-256 or greater).
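According to the original text, first, the root certificate of the certificate authority (CA) that issued the server certificate must either be built into the operating system (the trusted root certificates are listed at https://support.apple.com/zh-cn/HT205205, or on your device under Settings > General > About, at the very bottom, in "Learn more about trusted certificates"), or be trusted by the user or a system administrator and installed on the operating system. The connection must also use TLS 1.2. Next, the connection's encryption must provide forward secrecy (FS; readers who are interested can look at https://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html). The documentation lists the supported cipher suites (they appear in the original text above; I have pulled them out into the table below). Finally, the certificate must use at least a SHA-256 fingerprint together with either an RSA key of 2048 bits or more, or an ECC key of 256 bits or more. If any one of these is not met, the request is aborted and nil is returned.
Cipher suites that support forward secrecy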
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
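The requirements quoted above, written as a check over an observed connection (an added example, not code from the original post or from Apple). The three connection records are constructed; "walkthrough" is modelled on the values this post reports for www.baidu.com, with the key size assumed.

```python
import re

# The cipher suites listed in the requirements quoted above.
ATS_CIPHER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "ECC": 256}


def failed_requirements(conn):
    """Return the ATS requirements that an observed connection fails."""
    failed = []
    if not conn["root_trusted"]:
        failed.append("trust")
    if conn["tls_version"] != "TLSv1.2":
        failed.append("tls_version")
    if conn["cipher_suite"] not in ATS_CIPHER_SUITES:
        failed.append("cipher_suite")
    # Unknown key types get an infinite minimum, so they always fail.
    if conn["key_bits"] < MIN_KEY_BITS.get(conn["key_type"], float("inf")):
        failed.append("leaf_key")
    # Digest length is read from the signature algorithm name. SHA-1 parses
    # as 1 and SHA-224 as 224, so both fall below the 256-bit SHA-2 floor.
    m = re.search(r"sha-?(\d+)", conn["signature"], re.IGNORECASE)
    if m is None or int(m.group(1)) < 256:
        failed.append("leaf_hash")
    return failed


# Constructed sample observations (not captured from real servers).
SAMPLES = {
    "walkthrough": {"root_trusted": True, "tls_version": "TLSv1.2",
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "key_type": "RSA", "key_bits": 2048,  # key size assumed
                    "signature": "SHA-1 with RSA Encryption"},
    "legacy": {"root_trusted": True, "tls_version": "TLSv1.0",
               "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
               "key_type": "RSA", "key_bits": 1024,
               "signature": "sha1WithRSAEncryption"},
    "compliant": {"root_trusted": True, "tls_version": "TLSv1.2",
                  "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "key_type": "ECC", "key_bits": 256,
                  "signature": "ecdsa-with-SHA256"},
}


def audit(samples=SAMPLES):
    """Map each sample name to the list of requirements it fails."""
    return {name: failed_requirements(conn) for name, conn in samples.items()}


if __name__ == "__main__":
    for name, failed in audit().items():
        print(name, "->", failed or "meets ATS")
```

For the "walkthrough" record the only failed requirement is the leaf certificate hash: the TLS version and cipher suite pass, and the SHA-1 signature is what falls short.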
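Now let's look at the Baidu address again. Open it in a browser and click the lock icon in front of the URL, as shown:
You can see that it uses TLS 1.2, which meets the TLS version requirement described above.
Then click the certificate information to see the root certificate of the CA that issued its certificate, as shown:
You can see that the root certificate is named VeriSign Class 3 Public Primary Certification Authority - G5. Using this name, check the URL given earlier to see whether the certificate is among the root certificates trusted under iOS 9. The corresponding certificate entry can be found there, as shown below:
Finally, back in the connection information panel, you can see that AES_128_GCM is used for encryption and ECDHE_RSA is used as the key exchange mechanism. We can find the two corresponding entries in the forward secrecy list: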
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
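But we still cannot be sure whether Baidu provides forward secrecy. Open the certificate information again and look at the "Issuer Name" and "Public Key Info" items, as shown:
The signature algorithm reads "SHA-1 with RSA Encryption". We can conclude that this algorithm is not included in the two entries above. Baidu therefore does not meet the ATS requirements, which is why an error is returned. To solve a problem like this, ATS again has to be configured. The configuration is as follows:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>baidu.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
Setting NSIncludesSubdomains to YES means that all of Baidu's subdomains use the same settings.
NSExceptionRequiresForwardSecrecy is NO because Baidu does not support forward secrecy, so that feature is turned off. Finally, setting NSExceptionAllowsInsecureHTTPLoads to YES allows access to domains that raise errors because they have no certificate, or a self-signed, expired, or hostname-mismatched certificate (I checked Baidu's certificate here and it did not seem to have any problem, but this item still has to be set before access is allowed).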
----------------------------
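In my recent testing, because Baidu now supports ATS (I only found out yesterday when @Jolie_Yang left me a message ^_^), I tested https://www.baidu.com with NSURLConnection without configuring any ATS settings, and the result was still an error. I then tested the same URL with NSURLSession and found that it could be accessed normally.
Apple officially recommends using NSURLSession for HTTP requests. Although NSURLConnection also supports the ATS features, judging from my test above I guess the default behaviour of the two differs somewhat, so anyone still using NSURLConnection should switch to NSURLSession as soon as possible to avoid unnecessary errors.
Finally, on how to diagnose whether a URL supports ATS: here I would like to introduce the nscurl command-line tool. It was added in OS X v10.11 and is mainly used to diagnose connection problems caused by ATS. With it you can check directly from the command line whether a URL supports ATS. Its usage is as follows:
/usr/bin/nscurl --ats-diagnostics [--verbose] URL
URL - the address to diagnose
verbose - this option includes more information for each connection, including which Info.plist keys are used and their values.
Taking Baidu as the example again, to diagnose https://baidu.com the command is:
nscurl --ats-diagnostics https://baidu.com
The output is as follows: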
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
2016-07-19 17:51:43.156 nscurl[7936:828662] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Result : FAIL
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
Result : PASS
---
================================================================================
Configuring TLS exceptions for baidu.com
---
TLSv1.2
Result : FAIL
---
---
TLSv1.1
Result : FAIL
---
---
TLSv1.0
Result : FAIL
---
================================================================================
Configuring PFS exceptions for baidu.com
---
Disabling Perfect Forward Secrecy
Result : FAIL
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for baidu.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
Result : FAIL
---
================================================================================
Configuring TLS exceptions with PFS disabled for baidu.com
---
TLSv1.2 with PFS disabled
Result : FAIL
---
---
TLSv1.1 with PFS disabled
Result : FAIL
---
---
TLSv1.0 with PFS disabled
Result : FAIL
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for baidu.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
Result : FAIL
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
Result : FAIL
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : FAIL
---
================================================================================
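You can see that apart from Allowing Arbitrary Loads, whose Result is PASS, every other Result is FAIL. That would mean baidu.com does not yet support ATS, but judging from its certificate it already does. To find out more, we add the verbose option and run the diagnosis again. The command is:
nscurl --ats-diagnostics --verbose https://baidu.com
The output is as follows: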
vimfungdeMac-mini:~ vimfung$ nscurl --ats-diagnostics --verbose https://baidu.com
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2016-07-19 17:57:24.887 nscurl[7971:833843] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41703970 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for baidu.com
---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4164cc20 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4143dfc0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4143e480 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring PFS exceptions for baidu.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac414358c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for baidu.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac416589a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled for baidu.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41633bf0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac414625e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41464e40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for baidu.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac41468d40 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac4146a6e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection." UserInfo={NSUnderlyingError=0x7fac416932b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}, NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.}
---
================================================================================
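Now more information is visible, including the Info.plist configuration entries and the error description for each request. Notice that when https://baidu.com is requested, it reports NSErrorFailingURLKey=http://www.baidu.com. So my guess is that Baidu redirects this address, and the address it redirects to is http://www.baidu.com; the insecure HTTP connection is therefore blocked by ATS, which is what produces the FAIL results.
So I switched to https://www.baidu.com and tested again. The output is as follows: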
vimfungdeMac-mini:~ vimfung$ nscurl --ats-diagnostics --verbose https://www.baidu.com
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : PASS
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for www.baidu.com
---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : PASS
---
---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : PASS
---
---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : PASS
---
================================================================================
Configuring PFS exceptions for www.baidu.com
---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
================================================================================
Configuring PFS exceptions and allowing insecure HTTP for www.baidu.com
---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled for www.baidu.com
---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
---
TLSv1.1 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
================================================================================
Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.baidu.com
---
TLSv1.2 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
---
TLSv1.1 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.1";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
---
TLSv1.0 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains = {
        "www.baidu.com" = {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : PASS
---
================================================================================
The results are now all PASS, which shows that Baidu does support ATS after all. That is my latest research on ATS; I hope it is useful to everyone.
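A parser for the verbose nscurl output discussed above that summarises PASS and FAIL per test and flags the pattern the author spotted, a FAIL whose NSErrorFailingURLKey is an http:// URL although the tested URL was https:// (an added example, not code from the original post). The sample text is a constructed excerpt in the same layout, with the error text shortened and the dictionary compacted onto one line.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the layout of the verbose nscurl output shown above
# (three tests only; error text shortened to "...").
SAMPLE = '''\
Starting ATS Diagnostics
Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://baidu.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================
Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "..." UserInfo={NSErrorFailingURLStringKey=http://www.baidu.com/, NSErrorFailingURLKey=http://www.baidu.com/, NSLocalizedDescription=...}
---
================================================================================
Allowing Arbitrary Loads
---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : PASS
---
================================================================================
Configuring TLS exceptions for baidu.com
---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains = { "baidu.com" = { NSExceptionMinimumTLSVersion = "TLSv1.0"; }; };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1022 "..." UserInfo={NSErrorFailingURLKey=http://www.baidu.com/}
---
'''


def parse_nscurl(text):
    """Return (tested_url, tests); each test has name, result, failing_url."""
    tested = re.search(r"HTTPS loads to (\S+)\.\s*$", text, re.M).group(1)
    tests = []
    for chunk in re.split(r"^---$", text, flags=re.M):
        result = re.search(r"^Result : (\w+)", chunk, re.M)
        if not result:
            continue  # section header or separator, not a test body
        failing = re.search(r"NSErrorFailingURLKey=([^,}\s]+)", chunk)
        tests.append({"name": chunk.strip().splitlines()[0],
                      "result": result.group(1),
                      "failing_url": failing.group(1) if failing else None})
    return tested, tests


def diagnose(text):
    """Summarise a run and list http:// URLs that failed for an https:// target."""
    tested, tests = parse_nscurl(text)
    https_target = urlsplit(tested).scheme == "https"
    cleartext = sorted({t["failing_url"] for t in tests
                        if t["result"] == "FAIL" and t["failing_url"]
                        and https_target
                        and urlsplit(t["failing_url"]).scheme == "http"})
    return {"tested": tested,
            "passed": [t["name"] for t in tests if t["result"] == "PASS"],
            "failed": [t["name"] for t in tests if t["result"] == "FAIL"],
            "cleartext_redirect_targets": cleartext}


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A non-empty cleartext_redirect_targets list means the FAIL results say nothing about the HTTPS endpoint's TLS settings; the fix belongs on the server's redirect, not in an ATS exception.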
Reposted from: http://my.oschina.net/vimfung/blog/494687