Apple ATS Server Configuration

Last updated: 2024-03-06 17:49:08
    Note:
    You need to configure cipher suites compliant with PFS specifications. The recommended configuration is: ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
    You need to enable the TLS1.2 protocol on the server. The recommended configuration is: TLSv1 TLSv1.1 TLSv1.2
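As an added check that is not part of this page or of Tencent Cloud's configuration, the following Python expands the recommended OpenSSL cipher string with the OpenSSL library Python links to and separates the suites that negotiate an ephemeral (PFS) key exchange from those that do not; the exact expansion depends on the local OpenSSL version.

```python
import ssl

# The cipher string recommended on this page, copied verbatim.
ATS_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH"
               ":!NULL:!aNULL:!MD5:!ADH:!RC4")


def expand(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into [(name, is_pfs), ...] in the
    order the string lists them (the server's preference order when the
    server is set to prefer its own order).

    TLS 1.3 suites are skipped: OpenSSL lists them regardless of this
    string, and all of them provide forward secrecy anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError for a bad string
    result = []
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue
        name = cipher["name"]
        # ECDHE-* and DHE-* suites negotiate an ephemeral key per session,
        # which is the forward secrecy (PFS) ATS asks for. The AES and HIGH
        # keywords also pull in static-RSA key exchange suites without it.
        result.append((name, name.startswith(("ECDHE-", "DHE-"))))
    return result


def split_by_pfs(cipher_string: str):
    """Return (pfs_names, non_pfs_names) for a cipher string."""
    expanded = expand(cipher_string)
    return ([n for n, pfs in expanded if pfs],
            [n for n, pfs in expanded if not pfs])


def ats_ready(cipher_string: str) -> bool:
    """True when the most preferred suite provides forward secrecy and no
    RC4, MD5 or NULL suite survived the exclusions in the string."""
    expanded = expand(cipher_string)
    if not expanded or not expanded[0][1]:
        return False
    return not any(("RC4" in n) or ("MD5" in n) or ("NULL" in n)
                   for n, _ in expanded)


if __name__ == "__main__":
    pfs, non_pfs = split_by_pfs(ATS_CIPHERS)
    print(f"{len(pfs)} PFS suites, most preferred: {pfs[0]}")
    print(f"{len(non_pfs)} non-PFS suites: {', '.join(non_pfs)}")
    print("ATS ready:", ats_ready(ATS_CIPHERS))
```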

    Nginx certificate configuration

    Update the conf/nginx.conf file in the Nginx root directory as follows:
    server {
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }

    Apache certificate configuration

    Update the conf/httpd.conf file in the Apache root directory as follows:
    <IfModule mod_ssl.c>
        <VirtualHost *:443>
            SSLProtocol TLSv1 TLSv1.1 TLSv1.2
            SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4
        </VirtualHost>
    </IfModule>

    Tomcat certificate configuration

    Update the %TOMCAT_HOME%\conf\server.xml file as follows:
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />

    IIS certificate configuration

    Method 1

    Windows Server 2008 and earlier versions do not support the TLS1.2 protocol, so the SSL tools are disabled on those versions. To address this, enable the TLS1.2 protocol to meet the ATS requirements.
    Taking Windows Server 2008 R2 as an example, protocols and cipher suites are not adjusted automatically when the certificate is imported: the cipher suites meet the ATS requirements after the import, but the TLS1.2 protocol that ATS requires is not enabled. You can use ssltools to enable the TLS1.2 protocol, as shown below:
    Select the 3 TLS protocols, and restart the system.
    If PFS is not supported, select ECDHE and DHE in Cipher Suites.

    Method 2

    1. Choose Start -> Run and enter regedit.
    2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, right-click it, and choose New -> Key to create the TLS 1.1 and TLS 1.2 keys.
    3. Right-click each of TLS 1.1 and TLS 1.2 and choose New -> Key to create the Server and Client keys.
    4. In each of the 4 new Server and Client keys, create the following DWORD (32-bit) values:
    DisabledByDefault [Value = 0]
    Enabled [Value = 1]
    [Figures 2 to 5]
    5. Restart the system.
    6. Adjust the cipher suites: after enabling the TLS1.2 protocol, choose Start -> Run and enter gpedit.msc to open the Group Policy Editor for the cipher suite adjustments.
    Note:
    Adjustments can be made through the Group Policy Editor if PFS is not supported by the cipher suites.
    [Figure 3]
    7. Double-click SSL Cipher Suite Order and enter information, as shown in the following figure:
    [Figure 4]
    Select Enabled.
    Add the supported ECDHE cipher suites to the SSL cipher suites, separated by commas (,).
    Enter the cipher suite information as follows:
    a. Open a blank WordPad document.
    b. Copy the list of available suites on the right in the figure below and paste it into the document.
    c. Sort the suites in the correct order and delete any suites you do not want to use.
    d. Type a comma at the end of each suite name (except for the last one). Make sure no space is entered.
    e. Remove all the line breaks so that the cipher suite names are in a single, long line.
    f. Copy the cipher suite line to the clipboard and paste it into the edit box. You can enter up to 1,023 characters.
    8. After the cipher suite information is entered, the content in the window is updated, as shown in the following figure:
    [Figure 5]
    The following suites can be added to the cipher suite:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    The following suite combination is recommended:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
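The WordPad clean-up in steps c to f above, done in code as an added example that is not part of this page: it takes a pasted one-suite-per-line list (a constructed subset of the recommended combination), produces the single comma-separated line the edit box expects, enforces the 1,023-character limit, and reports any TLS_RSA_ suite placed ahead of a forward-secrecy suite.

```python
import re

# A subset of the recommended combination above, as it comes out of WordPad
# before clean-up: one suite per line, blank lines, stray spaces. Constructed.
PASTED = """
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
   TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
"""

SUITE_RE = re.compile(r"^TLS_[A-Z0-9_]+$")
MAX_LEN = 1023  # the SSL Cipher Suite Order edit box takes at most 1,023 characters


def build_cipher_suite_order(text: str) -> str:
    """Turn a pasted one-suite-per-line list into the single comma-separated
    line the edit box expects (steps c to f), keeping the order given."""
    names = []
    for raw in text.splitlines():
        name = raw.strip()          # step d: no spaces are allowed
        if not name:
            continue
        if not SUITE_RE.match(name):
            raise ValueError(f"not a Windows cipher suite name: {name!r}")
        if name not in names:       # a duplicate only eats into the limit
            names.append(name)
    line = ",".join(names)          # steps d and e: commas, one long line
    if len(line) > MAX_LEN:
        raise ValueError(f"order is {len(line)} characters, limit is {MAX_LEN}")
    return line


def misordered_suites(line: str) -> list:
    """Return the static-RSA suites (TLS_RSA_*) listed ahead of a forward-
    secrecy suite (TLS_ECDHE_*/TLS_DHE_*). The list is a preference order,
    so such a suite could be negotiated before a PFS one that ATS needs."""
    names = line.split(",")
    pfs_positions = [i for i, n in enumerate(names)
                     if n.startswith(("TLS_ECDHE_", "TLS_DHE_"))]
    if not pfs_positions:
        return [n for n in names if n.startswith("TLS_RSA_")]
    return [n for n in names[:max(pfs_positions)] if n.startswith("TLS_RSA_")]


if __name__ == "__main__":
    order = build_cipher_suite_order(PASTED)
    print(len(order), "characters; misordered:", misordered_suites(order), order)
```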