NSRequiresNIAPTLSPackageVersion
A string that indicates the version to use for the NIAP Functional Package for TLS.
Possible Values
none
FCP_v2.1
recommended
Discussion
App Transport Security (ATS) allows you to further restrict default TLS client behavior in order to meet requirements outlined by the United States government’s National Information Assurance Partnership (NIAP) Functional Package for Transport Layer Security. This compliance mode is opt-in only and provides additional options for applications aimed at regulated environments.
The value of this key is a string, which can have the following values:
none: Apply no additional requirements. This value results in the default ATS behavior.
FCP_v2.1: Make your default client connections compliant with the Functional Package for Transport Layer Security (TLS) Version 2.1.
recommended: Use the recommended version of the NIAP functional package for the operating system version your app is running on. Currently, this is equivalent to FCP_v2.1.
The FCP_v2.1 value adds the following requirements on top of standard ATS:
The client offers the same TLS 1.3 ciphersuites as the default ATS policy. For TLS 1.2, the client offers only forward-secret (ECDHE) AES-GCM ciphersuites whose pseudorandom function (PRF) is SHA-256 or stronger.
The client no longer offers the rsa_pkcs15_sha1 signature algorithm (RSA PKCS#1 v1.5 with SHA-1, named rsa_pkcs1_sha1 in RFC 8446), as specified in FCS_TLSC_EXT.1.4.
The server's certificate signature must use a signature algorithm offered in the client hello, as defined in RFC 8446 Section 4.2.3 and RFC 5246 Section 7.4.2.
TLS 1.2 connections must negotiate the Extended Master Secret extension, as specified in RFC 7627.
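The following is an added example, not code from Apple's documentation or from the operating system: a small Python model of the four FCP_v2.1 client rules above, useful when deciding which cipher suites and certificate signature algorithms a test server must support before an app in this mode can reach it. The IANA suite names, the sample signature-algorithm list (DEFAULT_SIGALGS, not Apple's real ATS list), the Handshake record and the restriction to RSA/ECDSA-authenticated suites are constructed for illustration; the page's rsa_pkcs15_sha1 is taken to be RFC 8446's rsa_pkcs1_sha1.

```python
import re
from dataclasses import dataclass

# IANA TLS 1.2 cipher-suite names have the shape TLS_<KEX>_<AUTH>_WITH_<CIPHER>_<PRF>.
# The PRF group only admits SHA256/SHA384, so SHA-1-PRF suites (…_SHA) never match.
_TLS12_SUITE = re.compile(
    r"^TLS_(?P<kex>[A-Z]+)_(?P<auth>[A-Z]+)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<prf>SHA(?:256|384))$"
)

# Assumption: the page's rsa_pkcs15_sha1 is RFC 8446's rsa_pkcs1_sha1 (0x0201).
REMOVED_SIGALGS = frozenset({"rsa_pkcs1_sha1"})

# Constructed sample of what a default client might advertise; not Apple's actual list.
DEFAULT_SIGALGS = (
    "ecdsa_secp256r1_sha256",
    "rsa_pss_rsae_sha256",
    "rsa_pkcs1_sha256",
    "rsa_pkcs1_sha1",
)


def tls12_suite_allowed(name: str) -> bool:
    """FCP_v2.1 TLS 1.2 rule: ECDHE key exchange, AES-GCM bulk cipher, SHA-256+ PRF."""
    m = _TLS12_SUITE.match(name)
    if m is None:
        return False  # SHA-1 PRF, CCM suites without a PRF suffix, TLS 1.3 names, garbage
    if m["kex"] != "ECDHE":
        return False  # static RSA, DHE, ECDH: not the ECDHE forward secrecy the rule demands
    if m["auth"] not in ("RSA", "ECDSA"):
        return False  # assumption: certificate-authenticated suites only (no PSK/anon)
    cipher = m["cipher"]
    return cipher.startswith("AES_") and cipher.endswith("_GCM")


def fcp_v2_1_sigalgs(offered):
    """Signature algorithms a compliant client still advertises (rsa_pkcs1_sha1 dropped)."""
    return tuple(s for s in offered if s not in REMOVED_SIGALGS)


@dataclass
class Handshake:
    """Constructed record of one negotiated connection, as a test harness might log it."""
    version: str                  # "TLS1.2" or "TLS1.3"
    cipher_suite: str             # IANA name of the negotiated suite
    offered_sigalgs: tuple        # what the client's default ClientHello would carry
    server_cert_sigalg: str       # algorithm that signed the server's leaf certificate
    extended_master_secret: bool = False


def fcp_v2_1_violations(hs: Handshake) -> list:
    """Return the FCP_v2.1 rules a handshake breaks; an empty list means it is acceptable."""
    problems = []
    if hs.version == "TLS1.2":
        if not tls12_suite_allowed(hs.cipher_suite):
            problems.append("cipher suite is not ECDHE/AES-GCM with a SHA-256+ PRF")
        if not hs.extended_master_secret:
            problems.append("Extended Master Secret (RFC 7627) was not negotiated")
    elif hs.version != "TLS1.3":
        problems.append(f"unsupported protocol version {hs.version}")
    # Applies to both versions: the certificate must be signed with an algorithm the
    # (already reduced) ClientHello actually offered.
    if hs.server_cert_sigalg not in fcp_v2_1_sigalgs(hs.offered_sigalgs):
        problems.append("server certificate signature algorithm was not offered in ClientHello")
    return problems


if __name__ == "__main__":
    legacy = Handshake("TLS1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                       DEFAULT_SIGALGS, "rsa_pkcs1_sha1", extended_master_secret=False)
    for p in fcp_v2_1_violations(legacy):
        print("FCP_v2.1 violation:", p)
```

A server that only passes the TLS 1.2 checks here can still be rejected by a real client in this mode, since the model says nothing about the certificate chain itself; treat it as a pre-flight filter for test infrastructure, not as a compliance proof.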
Use this key to opt in to the compliance behavior globally, as shown in the following example.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSRequiresNIAPTLSPackageVersion</key>
<string>FCP_v2.1</string>
</dict>
You can use the NSExceptionRequiresNIAPTLSPackageVersion key within the NSExceptionDomains dictionary to carve out behavior exceptions for specific domains.
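As an added example that is not part of Apple's documentation, the following Python script audits an app's Info.plist for this key the way a reviewer of a regulated deployment would: it reports the global NIAP mode, resolves each NSExceptionDomains entry to the package it actually enforces, and flags any host whose exception switches the mode back to none. The sample plist, its hostnames and bundle identifier are constructed; the mapping of recommended to FCP_v2.1 follows the page's "currently equivalent" statement, and the assumption that a domain entry without its own exception key inherits the global setting is mine, not stated on the page.

```python
import plistlib

NIAP_VALUES = ("none", "FCP_v2.1", "recommended")

# Constructed sample Info.plist: global FCP_v2.1 opt-in plus two per-domain overrides.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.regulated</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSRequiresNIAPTLSPackageVersion</key>
    <string>FCP_v2.1</string>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionRequiresNIAPTLSPackageVersion</key>
        <string>none</string>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionRequiresNIAPTLSPackageVersion</key>
        <string>recommended</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed second sample with no ATS dictionary at all (default ATS behavior).
SAMPLE_NO_ATS = plistlib.dumps({"CFBundleIdentifier": "com.example.plain"})


def effective_mode(value):
    """Map a key value to the package it enforces today (recommended == FCP_v2.1 per the page)."""
    if value is None or value == "none":
        return "none"
    if value == "recommended":
        return "FCP_v2.1"
    return value


def audit_niap_tls(plist_bytes):
    """Return the global mode, the effective mode per exception domain, and review findings."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    global_value = ats.get("NSRequiresNIAPTLSPackageVersion")
    findings = []
    if global_value is not None and global_value not in NIAP_VALUES:
        findings.append(f"global: unknown value {global_value!r}")
    global_mode = effective_mode(global_value)
    if global_mode == "none":
        findings.append("global: NIAP TLS package not enabled (default ATS policy)")

    domains = {}
    for host, cfg in ats.get("NSExceptionDomains", {}).items():
        value = cfg.get("NSExceptionRequiresNIAPTLSPackageVersion")
        if value is not None and value not in NIAP_VALUES:
            findings.append(f"{host}: unknown value {value!r}")
        # Assumption: a domain entry without its own key inherits the global setting.
        mode = effective_mode(value) if value is not None else global_mode
        domains[host] = mode
        if mode == "none" and global_mode != "none":
            findings.append(f"{host}: carve-out disables NIAP mode for this host")
    return {"global": global_mode, "domains": domains, "findings": findings}


if __name__ == "__main__":
    report = audit_niap_tls(SAMPLE_INFO_PLIST)
    print("global mode:", report["global"])
    for host, mode in report["domains"].items():
        print(f"  {host}: {mode}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against the Info.plist pulled from an IPA (unzip the bundle, then `plutil -convert xml1` if it is stored in binary form; plistlib also reads binary plists directly). Every carve-out it lists is a host the app will talk to under default ATS policy, which is what an assessor checking the NIAP claim will ask you to justify.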