Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

iOS 9 Released and Traveler continues to work without ECDHE

Daniel Nashed – 16 September 2015 19:00:34
Yesterday Apple released the final version of iOS 9.
As posted before, it wasn't clear which parts of the ATS specification they would enforce for ActiveSync connections and other internal applications like the Safari web browser.


My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet.

I was still able to connect with the final iOS 9 release. So the ATS standard is only enforced for custom applications (I did not test all types of Apple applications, but at least Safari also continues to work).


In my tests I disabled TLS 1.2 and also disabled the DHE ciphers, and iOS 9 was still able to connect over ActiveSync to my Traveler server.


So it is still important that we get an update for Domino 9.0.1 FP4 that introduces ECDHE (which is expected by the end of September), but we have been lucky that Apple is not enforcing the full ATS standard for Safari and ActiveSync yet.


Below you see the list of ciphers my iOS 9 device requested. This looks like a pretty wide range of ciphers with a lot of non-ECDHE ciphers.


Here again is a link to the IBM technote:
http://www.ibm.com/support/docview.wss?uid=swg21966059

You should update all your iOS apps to the latest version. There have been fixes for the companion and the todo app for iOS 9 support.

As of now the TN has not been updated to reflect my findings for the internal applications. And I would be interested to hear about your tests and results with iOS 9.

I have not tested with RSA keys < 2048 or a non-SHA-256 cert. Can anyone share their findings?
You can either reply here or drop me an e-mail.


-- Daniel



ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)

ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)

ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)

ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)

ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)

ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)

ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)

ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)

ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)

ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)

ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)

RSA_WITH_AES_256_GCM_SHA384 (0x009D)

RSA_WITH_AES_128_GCM_SHA256 (0x009C)

RSA_WITH_AES_256_CBC_SHA256 (0x003D)

RSA_WITH_AES_128_CBC_SHA256 (0x003C)

RSA_WITH_AES_256_CBC_SHA (0x0035)

RSA_WITH_AES_128_CBC_SHA (0x002F)

RSA_WITH_3DES_EDE_CBC_SHA (0x000A)

ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)

ECDHE_RSA_WITH_RC4_128_SHA (0xC011)

RSA_WITH_RC4_128_SHA (0x0005)

RSA_WITH_RC4_128_MD5 (0x0004)
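The following Python sketch is an added example, not part of the original post: it parses the list above and shows which offered suites remain selectable by a server without ECDHE and with TLS 1.2 disabled. The server profile is an assumption modelled on the test setup described in the post, and the helper names are hypothetical.

```python
import re

# Suites offered by the iOS 9 client, copied from the list in the post (client order).
OFFERED = """
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A) ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008) ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
RSA_WITH_AES_256_GCM_SHA384 (0x009D) RSA_WITH_AES_128_GCM_SHA256 (0x009C)
RSA_WITH_AES_256_CBC_SHA256 (0x003D) RSA_WITH_AES_128_CBC_SHA256 (0x003C)
RSA_WITH_AES_256_CBC_SHA (0x0035) RSA_WITH_AES_128_CBC_SHA (0x002F)
RSA_WITH_3DES_EDE_CBC_SHA (0x000A) ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
ECDHE_RSA_WITH_RC4_128_SHA (0xC011) RSA_WITH_RC4_128_SHA (0x0005)
RSA_WITH_RC4_128_MD5 (0x0004)
"""

def parse(text):
    """Return [(name, code)] in the client's order of preference."""
    return [(n, int(c, 16)) for n, c in re.findall(r"(\w+) \((0x[0-9A-Fa-f]{4})\)", text)]

def key_exchange(name):
    return name.split("_WITH_")[0]  # ECDHE_ECDSA, ECDHE_RSA or RSA (static RSA)

def tls12_only(name):
    # GCM suites and suites with a SHA-256/384 MAC require TLS 1.2.
    return name.endswith(("_SHA256", "_SHA384"))

def usable(offered, server_kx, tls12_enabled):
    """Suites the client offers that the server could still select."""
    return [n for n, _ in offered
            if key_exchange(n) in server_kx and (tls12_enabled or not tls12_only(n))]

def first_without_legacy(names):
    """First suite in client order that avoids RC4 and 3DES, or None."""
    return next((n for n in names if "RC4" not in n and "3DES" not in n), None)

if __name__ == "__main__":
    offered = parse(OFFERED)
    # Assumed server: RSA certificate, no ECDHE, TLS 1.2 disabled (the post's test setup).
    names = usable(offered, server_kx={"RSA"}, tls12_enabled=False)
    print(len(offered), "offered;", len(names), "usable:", names)
    print("first non-legacy candidate:", first_without_legacy(names))
```

The list contains no DHE suites at all, so disabling DHE on the server does not change what this client can negotiate; the connection falls back to static RSA key exchange, which provides no forward secrecy.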

