fighting for truth, justice, and a kick-butt lotus notes experience.

Accessing Traveler or Domino HTTP from iOS 9 devices

 23 Juli 2015 15:31:15
Starting with iOS 9 Apple will introduce App Transport Security (ATS).

App Transport Security is a feature that requires secure connections between an app and web services. The default connection requirements conform to the best practices for secure connections. Apps can override the default behavior and turn off App Transport Security.
App Transport Security is available on iOS 9.0 or later, and on OS X 10.11 and later.

Default Behavior
All secure http (https) connection follow the App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail. The requirements are:

               TLS requires at least version 1.2.
               Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers.)
               The service requires a certificate using at least a SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key.
               Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

As you can see all supported default ciphers are using ECDHE, which is not supported by Domino at the moment.

If you are an app developer you can switch on additional ciphers, which are supported by Domino. But you as a developer must do that, in your info.plist of your app or must hope that a third party app developer will do that for you.

As far as we can test it with iOS 9 Beta 3, Apple will do a fallback to this additional ciphers and even down to TLS 1.0 for Traveler using the integrated mail app and for Safari.

So Traveler and your XPages web applications are working. But you need TLS and SHA256, which is only supported together, when you are running 9.0.1 with the latest fixpacks.

We don't know at the moment, if Apple will change this fallback for integrated apps in the final release, but at the moment it works!  

To be safe for the future IBM must support ECDHE ciphers!

The IBM Traveler, IBM Mobile Connect and the IBM Domino Security team is informed by Daniel Nashed and by us.

We all should wait for their answers before we are switching to panic mode.

But all admins out their, which are still running Domino 8.5.3 - you must update to 9.0.1 FP4 or add a reverse proxy in front of your Traveler server before iOS 9 arrives!


To get more details, check out:

Update 23.07.2015:

I just received an answer from the IBM Mobile Connect Dev Team: IBM Mobile Connect in the latest version already support TLS 1.2 and ECDHE ciphers. So IBM Mobile Connect is well prepared for iOS 9!