fighting for truth, justice, and a kick-butt lotus notes experience.

Accessing Traveler or Domino HTTP from iOS 9 devices

 23 Juli 2015 15:31:15
Starting with iOS 9 Apple will introduce App Transport Security (ATS).

App Transport Security is a feature that requires secure connections between an app and web services. The default connection requirements conform to the best practices for secure connections. Apps can override the default behavior and turn off App Transport Security.
App Transport Security is available on iOS 9.0 or later, and on OS X 10.11 and later.

Default Behavior
All secure http (https) connection follow the App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail. The requirements are:

               TLS requires at least version 1.2.
               Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers.)
               The service requires a certificate using at least a SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256bit or greater Elliptic-Curve (ECC) key.
               Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
 
As you can see all supported default ciphers are using ECDHE, which is not supported by Domino at the moment.

If you are an app developer you can switch on additional ciphers, which are supported by Domino. But you as a developer must do that, in your info.plist of your app or must hope that a third party app developer will do that for you.

As far as we can test it with iOS 9 Beta 3, Apple will do a fallback to this additional ciphers and even down to TLS 1.0 for Traveler using the integrated mail app and for Safari.

So Traveler and your XPages web applications are working. But you need TLS and SHA256, which is only supported together, when you are running 9.0.1 with the latest fixpacks.

We don't know at the moment, if Apple will change this fallback for integrated apps in the final release, but at the moment it works!  

To be safe for the future IBM must support ECDHE ciphers!

The IBM Traveler, IBM Mobile Connect and the IBM Domino Security team is informed by Daniel Nashed and by us.

We all should wait for their answers before we are switching to panic mode.

But all admins out their, which are still running Domino 8.5.3 - you must update to 9.0.1 FP4 or add a reverse proxy in front of your Traveler server before iOS 9 arrives!

ACT NOW!

To get more details, check out:

https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
https://blog.winkelmeyer.com/2015/07/update-your-ssl-on-servers-to-support-tls-1-2-before-ios-9-and-os-x-10-11/
http://blog.nashcom.de/nashcomblog.nsf/dx/apple-app-transport-security.htm?opendocument&comments#anc1

Update 23.07.2015:

I just received an answer from the IBM Mobile Connect Dev Team: IBM Mobile Connect in the latest version already support TLS 1.2 and ECDHE ciphers. So IBM Mobile Connect is well prepared for iOS 9!

 

Kommentare
noch keine Kommentare vorhanden
  •  
  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu
  • Über diesen Blog
  • Datenschutz
  • Impressum
  • Kontakt

  • If you like the Blog...Donate
  • Buy me a coffeeBuy me a coffee


Archive