Daniel Nashed 21 November 2015 09:34:21I should have blogged about this earlier. It was in my 2013 IBM Connected presentation but beside the TN and my presentation there is not much information.
If you are using Domino clustering on Win2008 or higher you should really disable the port Stealth mode!
This week I ran into a customer crash situation with repeated crashs which took a while to fix.
The failover on their Win2012 R2 servers was painful slow.
In Win2008 Microsoft introduced a feature called the Port Stealth mode.
This new "security feature" is enabled by default and is independent from the Windows Firewall.
If Domino does not listen any more for NRPC port 1352 Windows will discard all TCP IP packets for new and also existing connections.
That means the Notes client still thinks that the server is there and tries again to send TCP packages until the TCP timeout is reached.
The client is hanging for 30 up to 60 seconds until the failover occurs because Windows does not reject the packages from the client.
Once you disabled the Stealth mode via registry values, the client failover is again almost immediate.
You should also enable silent cluster failover in the desktop policy to avoid any prompts and the failover is almost seamless in most of the cases.
And in current Domino releases the client will also fail back to the home-mail-server later on.
To disable the port Stealth mode you have to set the registry values mentioned in the technote and we had to restart Windows to ensure the settings have effect.
IBM Technote --> https://www.ibm.com/support/docview.wss?uid=swg21498755
The IBM TN is referencing the following Microsoft Technote --> http://msdn.microsoft.com/en-us/library/ff720058%28v=prot.10%29.aspx
Daniel Nashed 18 November 2015 17:32:57Last call! In case you did not know yet.
There is a new type of event organized by DNUG next Tuesday.
I am very interested to see how the feedback to this new event type is.
The event is free for DNUG members and in case you are not a member there is a small fee.
Also the way to get enroll is different. The DNUG board to make it easier and tries different ways to organise the event.
I am looking forward to the event and I hope to see many of you next week!
The sessions are all in German but since my blog is English I am still writing this blog entry in English.
See the agenda below and there are more details in the event document.
|Zeit ||Thema ||Speaker |
|9:00 – 9:15 Uhr ||Begrüßung || |
|9:15 – 10:15 Uhr ||Client-Strategie: Welcher Client in welcher Umgebung ||Christian Henseler |
|10:30 – 11:15 Uhr ||Client-Strategie: IMSMO – Outlook 2013 als Frontend für Domino |
|Manfred Lenz (IBM) |
|11:30 – 12:30 Uhr ||Client-Strategie: Calendaring – Koexistenzen, Interoperabilitäten und Troubleshooting ||Anett Hammerschmidt (AHT Consulting)|
Manfred Lenz (IBM)
|12:30 – 13:30 Uhr ||Mittagspause || |
|13:30 – 14:15 Uhr ||Client-Server-Lizenzen: Endlich Durchblick bei IBM Lizenzen für IBM Notes Domino, Connections und Sametime ||Michael Deery|
|14:30 – 15:30 Uhr ||Server-Security: Domino Security – Best Practices ||Daniel Nashed (Nash!Com) |
|15:30 – 16:00 Uhr ||Kaffeepause || |
|16:00 – 17:00 Uhr ||Client-Server-Ausblick: IBM Verse und ein Ausblick auf die Dinge die bei IBM noch in der Pipeline sind ||Olaf Börner (BCC Unternehmensberatung GmbH) |
|17:00 – 17:15 Uhr ||Ende || |
Die Veranstaltung ist für DNUG Mitglieder kostenlos. Für Nicht-Mitglieder wird ein Unkostenbeitrag von € 90,- netto erhoben.
Daniel Nashed 7 October 2015 23:36:54 A new Traveler Version has been released to day. There are a couple of important fixes and you should consider updating soon. Below you find a fix list. There is also a new Traveler command mainly for enterprise database management called DBMaint. Here is a link to the updated documentation section --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/IBMTravelerDatabaseMaintenance.html Because it is brand new I have to check how it works in detail and there is a planned Open Mic Session that will deal with this new functionality as well. Topic: What's New in IBM Traveler? Date: Wednesday, October 14, 2015 Time: 11:00 AM EDT (15:00 UTC/GMT, UTC-4 hours) for 60 minutes See details here --> http://www.ibm.com/support/docview.wss?uid=swg27046466 This update is important for stand-alone and HA configurations. My Traveler server is already updated... Usage: tell traveler DBMaint Where includes: Run - Immediately performs online maintenance. If the server is standalone, then it will configure maintenance to run on restart. Show - Displays various database maintenance scheduling information. Fragmentation - Recommends database maintenance based on fragmentation levels. Set Interval - Sets the interval of days in which automatic database maintenance will perform. Set Time - Sets the time in 24-hour format in which automatic database will perform. Set Day - Sets the day of the week for the first scheduled automatic maintenance to start from. Set to off if you want the first scheduled maintenance to be based off of the last maintenance time. Set Threshold - Configures automatic database maintenance to check fragmentation levels before it will execute. Set Auto - Enablement for automatic database maintenance. Re-enablement will reschedule maintenance if either the time or interval have changed. Set Indexes - Configures the number of fragmented indexes for the fragmentation threshold. Set Ownership - Configures ownership of database maintenance to this server. This server will be the only server that can perform automatic database maintenance. Set Percent <0-100> - (ONLY FOR SQL SERVER) Configures the fragmentation percentage of indexes for the fragmentation threshold. Set Functions <1-4> - (ONLY FOR DB2) Configures the number of functions that are used to determine if an index is fragmented for the fragmentation threshold.
|APAR # ||Abstract |
|LO85584 ||Explicit commit is not needed for database select statements. |
|LO86339 ||Warning may be displayed for redirect to SSL setting that is not in effect. |
|LO86341 ||Add covering index to improve performance of update queries. |
|LO86366 ||User may stop syncing after migration to HA environment AND change mail template. |
|LO86445 ||Traveler syncs attachments in very small chunks causing mail delays and possible server crash. |
|LO86448 ||Enable Calendar ghosting for ActiveSync devices when running on Domino 8.5.3 server. |
|LO86466 ||Get Error 400 trying to read encrypted e-mail on Companion app for Apple devices. |
|LO86496 ||Server crash on buffer over run error if log message is too long. |
|LO86500 ||Shake to undo folder move in native Apple mail client may not be reflected on server. |
|LO86516 ||PDF attachment not viewable if missing pdf extension. |
|LO86521 ||Principal field is blank on draft e-mail created by IBM Verse mobile client. |
|LO86530 ||Unnecessary error logging e-mails with attachments with no file name. |
|LO86562 ||Individually delete all instances of repeating meeting in IBM Verse mobile client will not delete all entries from server copy. |
|LO86610 ||Threaded e-mail move to folder not shown in new folder in IBM Verse client.|
Daniel Nashed 2 October 2015 20:46:52There is a brand new new TN describing how to enable higher security for the updated JVM 1.6 in Notes/Domino. -->http://www.ibm.com/support/docview.wss?uid=swg21967996 The IBM 1.6 JVM does support TLS 1.2 and also some modern ciphers. Sadly by default they cannot be used because they use higher encryption levels (AES 256) which are disabled by default in the IBM and even in the current Oracle JVM 1.8.
The TN describes a download for something that is called "Java Cryptography Extension" which is nothing new and is around with descriptions for other products and JVM versions. But now that Notes/Domino has updated crypto standards in the JVM in some of the last updates and also Domino supports (EC)DHE with higher encryption levels looking into those higher encryption levels in the JVM makes sense. When you download the install files you basically get two jars that replace your JVM security files (in notes\jvm\lib\security). The two jar files local_policy.jar and US_export_policy.jar contain two files
I have done some testing with the feed reader which started to use DHE_RSA_WITH_AES_256_CBC_SHA with 2048 bit key and TLS 1.2 which is already great. That provides PFS via DHE cipher and also AES 256 with a CBC cipher. Sadly it still uses SHA and no GCM cipher. With the new Mac 64bit client using the Oracle 8 JVM you still need the same type of patches. My tests using the feed-reader and embedded browser on the new Mac Notes 9.0.1 64bit resulted in a ECDHE_RSA_WITH_AES_128_GCM_SHA256 connection!
So now the Mac is using higher encryption levels for Java then the current Notes/Domino 9.0.1 release with current JVM patches (1.6.0 SR16 FP7).
I would wish that IBM would update the JVM in Windows and Linux as well in the 9.0.1 code stream!! To give you some additional background about the changed settings. You can see that the old files contained restrictions (probably because some countries still don't allow higher crypto). The replaced files remove all the restrictions. Have a great weekend!!! -- Daniel
-- Old Content --
// Some countries have import limits on crypto strength. This policy file is worldwide importable.
permission javax.crypto.CryptoPermission "DES", 64;
permission javax.crypto.CryptoPermission "DESede", *;
permission javax.crypto.CryptoPermission "RC2", 128,
permission javax.crypto.CryptoPermission "RC4", 128;
permission javax.crypto.CryptoPermission "RC5", 128,
"javax.crypto.spec.RC5ParameterSpec", *, 12, *;
permission javax.crypto.CryptoPermission "RSA", 2048;
permission javax.crypto.CryptoPermission *, 128;
-- New Content --
// Manufacturing policy file.
// There is no restriction to any algorithms.
Daniel Nashed 1 October 2015 10:21:45 After updating to OSX 10.11 I did a quick test. It wasn't sure if Apple will only support ECDHE and implementing their new standard ATS. The first tests shows that the current ciphers are there but Apple does even support quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fall back. But you never know if this is going away in one of the next updates. Here is a trace from against a Domino 9.0.1 FP4 IF2 server. You can see all supported common ciphers and I highlighted the most important parts of the handshake. Happy updating! -- Daniel SSLProcessProtocolMessage> Record Content: Handshake (22) SSLProcessHandshakeMessage Enter> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 0 Cipher: Unknown Cipher (0x0000) SSLProcessHandshakeMessage client_hello> SGC FLAG: 0 CTX state = 3 SGCCount = 0 SSLProcessClientHello> clientVersion: 0303 SSLProcessClientHello> SSL/TLS protocol clientVersion 0x0303, serverVersion 0x0303 SSLProcessClientHello> 26 ciphers requested by client SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF) SSLProcessClientHello> TLS_EMPTY_RENEGOTIATION_INFO_SCSV found SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSLProcessClientHello> Best common cipherspec 0xC030 (so far) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012) SSLProcessClientHello> Client requested RSA_WITH_AES_256_GCM_SHA384 (0x009D) SSLProcessClientHello> Best common non-EC cipherspec 0x009D (so far) SSLProcessClientHello> Client requested RSA_WITH_AES_128_GCM_SHA256 (0x009C) SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA256 (0x003D) SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA256 (0x003C) SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA (0x0035) SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA (0x002F) SSLProcessClientHello> Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A) SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007) SSLProcessClientHello> Client requested ECDHE_RSA_WITH_RC4_128_SHA (0xC011) SSLProcessClientHello> Client requested RSA_WITH_RC4_128_SHA (0x0005) SSLProcessClientHello> Client requested RSA_WITH_RC4_128_MD5 (0x0004) SSLProcessClientHello> Extensions found in this message SSLProcessClientHello> Received TLS Server Name Indication (SNI) extension SSLProcessClientHello> SNI - client requested server name 'domino.nashcom.de' SSLProcessClientHello> Received Elliptic Curves extension SSLProcessClientHello> Client supports NamedCurve secp256r1 (23) SSLProcessClientHello> Client supports NamedCurve secp384r1 (24) SSLProcessClientHello> Client supports NamedCurve secp521r1 (25) SSLProcessClientHello> Received EC Point Formats extension SSLProcessClientHello> Client supports uncompressed (0) points SSLProcessClientHello> Processing TLS signature algorithms extension SSLProcessClientHello> Client supports hash mask 0x0034; server cert chain has mask 0x0014 SSLProcessClientHello> Extension type 0x3374, extension length 0x0000 SSLProcessClientHello> Extension type 0x0010, extension length 0x0030 SSLProcessClientHello> Processing TLS Status Request extension (OCSP) SSLProcessClientHello> Extension type 0x0012, extension length 0x0000 SSLProcessClientHello> hash/alg in certchain fSupHasAlg:0000 SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSLProcessHandshakeMessage Exit> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSLAdvanceHandshake Enter> Processed: ClientHello (1) State: HandshakeServerIdle (3) SSLAdvanceHandshake client_hello> SGC FLAG: 0 Count = 2 SSLAdvanceHandshake client_hello> Using resumed SSL/TLS Session SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHello SSLEncodeServerHello> Sending empty renegotiation_info (0xff01) extension SSLEncodeServerHello> Sending empty status_request (0x0005) extension SSLEncodeServerHello> Sending supported point formats (0x000b) extension SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeChangeCipherSpec SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeFinishedMessage SSLCalculateTLS12FinishedMessage Enter> senderID: server finished, PRF using SHA384 SSLAdvanceHandshake Exit> State HandshakeChangeCipherSpec (13) SSL_Handshake> After handshake state = HandshakeChangeCipherSpec (13); Status = -5000 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone] SSLProcessProtocolMessage> Record Content: Change cipher spec (20) SSL_Handshake> After handshake2 state HandshakeFinished (14) int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone] SSLProcessProtocolMessage> Record Content: Handshake (22) SSLProcessHandshakeMessage Enter> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSLCalculateTLS12FinishedMessage Enter> senderID: client finished, PRF using SHA384 SSLProcessHandshakeMessage Exit> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSLAdvanceHandshake Enter> Processed: Finished (20) State: HandshakeFinished (14) SSLAdvanceHandshake Exit> State HandshakeServerIdle (3) SSL_Handshake> After handshake2 state HandshakeServerIdle (3) SSL_Handshake> Using resumed SSL/TLS session SSL_Handshake> Protocol Version TLS1.2 (0x303) SSL_Handshake> Cipher = ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) SSL_Handshake> KeySize = 256 bits SSL_Handshake> Original Elliptic Curve = NIST P-256 (23) SSL_Handshake> Server RSA key size = 2048 bits SSL_Handshake> SSLErr = 0 SSL_Handshake> TLS/SSL Handshake completed successfully int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
Daniel Nashed 29 September 2015 14:03:34Wow the Mac 64bit Client has been released today! If you are looking for it, the description and the part number might help.
Already downloaded from Partnerworld. I hope you also find it in Passport Downloads already.
IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN ). And here is the technote -> http://www.ibm.com/support/docview.wss?uid=swg21962311 Have fun! Daniel
Daniel Nashed 26 September 2015 10:38:11
After updating to the new IF which introduces ECDHE with some additional settings you can get to a "A+" SSL Labs rating.
When you install IF2 by default you get a good set of ciphers. In the previous sets oif fixes DHE was disabled by defaiult. Now you have DHE and also ECDHE enabled by default. There is not much in addition to that you have to do. Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
The SSL Labs rating says that PFS is supported with current browsers: "Forward Secrecy - With modern browsers"
-- Disable SSL V3 -- First of all you have to disable SSL V3. By default it is still enabled.
And I think it is time to completely disable it. DISABLE_SSLV3=1
The current fixes also support HSTS but by default the max age is a bit too low.
So I set the following notes.ini settings:
Which resulted in the following rating:
"Strict Transport Security (HSTS) Yes max-age=17280000; includeSubDomains"
-- OCSP -- Also OCSP is supported in the current version.
I have set the following notes.ini settings to enable it and to specify the responder URL for my certificate provider.
And I also enabled debugging for testing and ensured that time differences of different clocks do not cause any issues.
SSL_ENABLE_OCSP_STAPLING=1 OCSP_RESPONDER=http://evssl-ocsp.globalsign.com/responder OCSP_CLOCKSKEW=10 OCSP_LOGLEVEL=31 The result is:
OCSP stapling -> Yes
-- Cipher Configation -- The cipher configuration has changed a bit. For the new ciphers you need four digits.
Using the SSLCipherSpec you can continue to configure the existing ciphers using the two digit code.
But I would recommend that you start using 4 digits for all cipher types to keep the settings more consistent.
Also there is a way to disable certain ECDHE Curves via notes.ini settings.
And you can also gnerate your own DHE Groups.
I don't want to repeat all the settings from the current documentation.
The wiki entry has been updated. You find all the details here:
http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration Most of the settings are not really required. But those options can help when you have special requirements.
Daniel Nashed 25 September 2015 16:35:19 Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped. It contains some important fixes in the security area. First of all it corrects some bugs in the DHE and AES-GCM area. And also fixes in MIME conversion specially important for Traveler servers. But it also introduces ECDHE ciphers! Again the Domino security team did a great job implementing important new functionality in an Interims Fix. As posted before Apple iOS 9 which shipped last week requires ECDHE at least for custom applications. But we expect that in one of the next version Apple might require ECDHE also for Safari and ActiveSync applications as posted before. When updating to IF2 you should remove the SSLCIPHERSPEC notes.ini setting from your server. This will enable a good set of ciphers including DHE and ECDHE ciphers. I am working on a more detailed blog post once I have fully tested the fix over the weekend. My test server was rated "A+" by SSL Labs with some additional settings and with a proper certificate. Again thanks to the Domino security team for their great work!!! -- Daniel -- List of the server side fixes in 9.0.1 FP4 IF2 -- ACHG9XJB6Y Fixed a potential Domino Server crash in JVM When Converting CD To Mime. ECYS9XXDMF Memory leaks in two MIME routines that caused Traveler 901FP7 crash/hang when fetching MIME body parts that are attachments. PLYSA2EQ5T Defensive code to prevent Traveler crash/hang when fetching MIME body parts that are attachments. KLYHA2DKT7 Fixes an AES-GCM memory leak. KLYH9YNR8F Introduce support for Elliptic Curve TLS_ECDHE for compatibility with Apps compiled for Apple iOS 9.0 / OS X 10.11. This adds Elliptic Curve support for HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3. (technote 1966059) RPINA2FNSM Fixed intermittent DHE failures in TLS1.2 connections. TDOOA2GP8G_DEBUG Added a debug notes.ini DEBUG_IMAP_DEADLOCK_TRACE to troubleshoot long held lock leading to insufficient memory in IMAP. This ini is off by default.
Daniel Nashed 17 September 2015 12:41:48
The IBM Champion program is a great way to thank active members of the community.
"The IBM Champion program recognizes innovative thought leaders in the technical community — and rewards these contributors by amplifying their voice and increasing their sphere of influence.
An IBM Champion is an IT professional, business leader, developer, or educator who influences and mentors others to help them make best use of IBM software, solutions, and services."
So if there is someone you think how deserves it, here is the nomination form --> https://ibm.biz/NominateChamps
For more details see --> https://www.ibm.com/developerworks/champion/learn.html
Daniel Nashed 16 September 2015 21:00:34Yesterday Apple released the final version of iOS 9.
As posted before it wasn't sure which part of the ATS specification they will enforce for ActiveSync connections and other internal applications like the Safari web browser.
My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet.
I have been still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not test all type of Apple applications but at least Safari also continues to work).
In my tests I have disabled TLS 1.2 and I have also disabled the DHE ciphers and iOS 9 was still able to connect over ActiveSync to my Traveler server.
So it is still important that we are getting an update for Domino 9.0.1 FP4 that introduces ECDHE (which is expected until end of September) but we have been lucky that Apple is not enforcing the full ATS standard for Safari and ActiveSync yet.
Below you see the list of ciphers my iOS 9 device requested. This looks like a pretty wide range of ciphers with a lot none ECDHE ciphers.
Here is again a link to the IBM technote --> http://www.ibm.com/support/docview.wss?uid=swg21966059
You should update all your iOS apps to the latest version. There have been fixes for the companion and the todo app for iOS 9 support.
As of now the TN is not update to reflect my findings for the internal applications. And I would be interested to hear from your tests and results with iOS 9.
I have not tested with RSA keys < 2048 or a none SHA-256 cert. Can anyone share their findings?
You can either reply here or drop me an e-mail.