Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    iOS 9 Released and Traveler continues to work without ECDHE

    Daniel Nashed  16 September 2015 21:00:34
    Yesterday Apple released the final version of iOS 9.
    As posted before, it wasn't clear which parts of the ATS specification they would enforce for ActiveSync connections and other internal applications like the Safari web browser.


    My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet.

    I was still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not test all types of Apple applications, but at least Safari also continues to work).


    In my tests I have disabled TLS 1.2 and I have also disabled the DHE ciphers and iOS 9 was still able to connect over ActiveSync to my Traveler server.


    So it is still important that we get an update for Domino 9.0.1 FP4 that introduces ECDHE (which is expected by the end of September), but we have been lucky that Apple is not enforcing the full ATS standard for Safari and ActiveSync yet.


    Below you see the list of ciphers my iOS 9 device requested. This looks like a pretty wide range of ciphers with a lot of non-ECDHE ciphers.


    Here is again a link to the IBM technote -->
    http://www.ibm.com/support/docview.wss?uid=swg21966059

    You should update all your iOS apps to the latest version. There have been fixes for the companion and the todo app for iOS 9 support.

    As of now the TN has not been updated to reflect my findings for the internal applications. And I would be interested to hear about your tests and results with iOS 9.

    I have not tested with RSA keys < 2048 or a non-SHA-256 cert. Can anyone share their findings?
    You can either reply here or drop me an e-mail.


    -- Daniel



    ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

    ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

    ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)

    ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)

    ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)

    ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)

    ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)

    ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

    ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)

    ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)

    ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)

    ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)

    ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)

    ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)

    RSA_WITH_AES_256_GCM_SHA384 (0x009D)

    RSA_WITH_AES_128_GCM_SHA256 (0x009C)

    RSA_WITH_AES_256_CBC_SHA256 (0x003D)

    RSA_WITH_AES_128_CBC_SHA256 (0x003C)

    RSA_WITH_AES_256_CBC_SHA (0x0035)

    RSA_WITH_AES_128_CBC_SHA (0x002F)

    RSA_WITH_3DES_EDE_CBC_SHA (0x000A)

    ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)

    ECDHE_RSA_WITH_RC4_128_SHA (0xC011)

    RSA_WITH_RC4_128_SHA (0x0005)

    RSA_WITH_RC4_128_MD5 (0x0004)
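The following is an added example, not code from the post or from IBM: it parses the cipher list above and models which suite a server would settle on, showing why a server without ECDHE and TLS 1.2 still connects, and why it would not if the client offered only TLS 1.2 ECDHE suites. Assumptions: the server has an RSA certificate, it picks the first client-offered suite it supports, and ATS is reduced to the two points named in the post (ECDHE and TLS 1.2).

```python
import re

# Cipher list copied from this page (iOS 9 offer, in the order listed).
IOS9_OFFER_TEXT = """
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A) ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008) ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
RSA_WITH_AES_256_GCM_SHA384 (0x009D) RSA_WITH_AES_128_GCM_SHA256 (0x009C)
RSA_WITH_AES_256_CBC_SHA256 (0x003D) RSA_WITH_AES_128_CBC_SHA256 (0x003C)
RSA_WITH_AES_256_CBC_SHA (0x0035) RSA_WITH_AES_128_CBC_SHA (0x002F)
RSA_WITH_3DES_EDE_CBC_SHA (0x000A) ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
ECDHE_RSA_WITH_RC4_128_SHA (0xC011) RSA_WITH_RC4_128_SHA (0x0005)
RSA_WITH_RC4_128_MD5 (0x0004)
"""

def parse_offer(text):
    """Return [(name, id), ...] from 'NAME (0xHHHH)' entries, order preserved."""
    return [(n, int(h, 16)) for n, h in re.findall(r"(\w+) \((0x[0-9A-Fa-f]{4})\)", text)]

def needs_tls12(name):
    # GCM suites and SHA-256/SHA-384 MAC suites are defined for TLS 1.2 only.
    return name.endswith(("SHA256", "SHA384"))

def server_can_use(name, tls12, ecdhe, cert="RSA"):
    # ECDHE_ECDSA suites need an ECDSA certificate; all others here need RSA.
    auth = "ECDSA" if "_ECDSA_" in name else "RSA"
    return (auth == cert and (ecdhe or not name.startswith("ECDHE_"))
            and (tls12 or not needs_tls12(name)))

def negotiate(offer, tls12, ecdhe, cert="RSA"):
    """First offered suite the server supports, or None (handshake failure)."""
    return next((n for n, _ in offer if server_can_use(n, tls12, ecdhe, cert)), None)

def ats_offer(offer):
    """Hypothetical offer if the client kept only TLS 1.2 ECDHE suites."""
    return [(n, i) for n, i in offer if n.startswith("ECDHE_") and needs_tls12(n)]

if __name__ == "__main__":
    offer = parse_offer(IOS9_OFFER_TEXT)
    print(negotiate(offer, tls12=False, ecdhe=False))             # server as tested in the post
    print(negotiate(ats_offer(offer), tls12=False, ecdhe=False))  # same server, strict client
    print(negotiate(offer, tls12=True, ecdhe=True))               # server after an ECDHE update
```

The offer contains no plain DHE suites, so disabling DHE on the server does not change the outcome for this client.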


    Comments

    1Sascha  17.09.2015 14:33:04  iOS 9 Released and Traveler continues to work without ECDHE

    Hi Daniel,

    I have tested with a customer Traveler server still running with a SHA-1 cert / 2048 and the final iOS 9 device is also still able to connect.

    Sascha

    2UK  18.09.2015 5:38:24  iOS 9 Released and Traveler continues to work without ECDHE

    Hi,

    Will IBM Traveler ver 9.0.1.3 & Domino ver 9.0.1 FP3 work with iOS 9?

    Regards,

    UK

    3Daniel Nashed  18.09.2015 8:31:30  iOS 9 Released and Traveler continues to work without ECDHE

    The first Traveler version supported for iOS 9 is 9.0.1.7. There are known issues with iOS 9 in the calendar area and there are other specific fixes for iOS 9 - see the fixlist for details.

    I would recommend updating to 9.0.1.7. We only have positive feedback to this release after issues we had with previous versions after the MIME handling has been introduced.

    It makes a lot of sense to update to 9.0.1.7 and you should upgrade to 9.0.1 FP4 to be prepared for the new IF that is coming soon to introduce ECDHE.

    -- Daniel

    4Stefano Benassi  19.09.2015 12:36:16  iOS 9 Released and Traveler continues to work without ECDHE

    Everything is OK (now) with iOS 9 and a Traveler 8.5.3 UP2 with a SHA-1 certificate.

    Stefano

