With iOS 9 and later, Apple has mandated minimum security settings to comply with its App Transport Security (ATS) standard. To enable this level of SSL security for applications proxied by Avi Load Balancer, use the following settings for SSL/TLS Certificates and SSL/TLS Profiles.
Certificates
The certificate must be issued by a Certificate Authority that is publicly trusted (included with the operating system), or by a CA whose root certificate has been installed on the client device.
RSA 2k or higher
ECC 256 or higher
The issuer must create the certificate with SHA-256 or greater.
SSL/TLS Version
Only TLS 1.2 is supported. Deactivate earlier versions of SSL/TLS.
Cipher Support
All enabled ciphers must support PFS. Deactivate all but the following ciphers from the Cipher list view. If only an EC certificate or only an RSA certificate is in use, you can enable just the ciphers compatible with that certificate type. If both an EC and an RSA certificate will be used (best practice), then leave all of the following ciphers enabled.
ECC Ciphers
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
RSA Ciphers
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
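The following Python sketch is an added example, not part of the Avi documentation or product. It checks a negotiated TLS version and cipher against the settings listed above. The function names (iana_to_openssl, audit, probe) and the sample handshakes are assumptions made for illustration, and the "ECDSA" key corresponds to the page's "ECC Ciphers" group.

```python
import socket
import ssl

# Cipher suites copied from this page (IANA names), grouped by certificate type.
ATS_SUITES = {
    "ECDSA": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
              "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
              "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"],
    "RSA": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
}

def iana_to_openssl(name):
    """Map an IANA suite name to the OpenSSL name Python's ssl module reports."""
    kx_auth, bulk = name[len("TLS_"):].split("_WITH_")
    parts = [p for p in bulk.split("_") if p != "CBC"]  # OpenSSL names omit CBC
    parts[0:2] = [parts[0] + parts[1]]                  # AES, 256 -> AES256
    return "-".join(kx_auth.split("_") + parts)

def audit(version, cipher, cert_types=("ECDSA", "RSA")):
    """Findings for one negotiated handshake; an empty list means it matches the page."""
    allowed = {iana_to_openssl(n) for t in cert_types for n in ATS_SUITES[t]}
    findings = []
    if version != "TLSv1.2":
        findings.append(f"protocol {version}: only TLS 1.2 is allowed")
    if cipher not in allowed:
        findings.append(f"cipher {cipher}: not on the ATS list for {'/'.join(cert_types)}")
    return findings

def probe(host, port=443, timeout=5.0):
    """Handshake with a virtual service and return (version, OpenSSL cipher name)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    # Constructed sample handshakes, not captured from a real deployment.
    for seen in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                 ("TLSv1.2", "AES256-SHA"),
                 ("TLSv1.1", "ECDHE-RSA-AES128-SHA")]:
        print(seen, audit(*seen) or "OK")
```

To check a live virtual service, pass the result of probe() to audit(), for example audit(*probe(hostname)). probe() validates the certificate against the local trust store, so a certificate from a CA the client does not trust raises ssl.SSLCertVerificationError before any cipher is reported.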