iOS 9 Released and Traveler continues to work without ECDHE
Daniel Nashed – 16 September 2015 19:00:34
Yesterday Apple released the final version of iOS 9. As posted before, it wasn't clear which parts of the ATS specification they would enforce for ActiveSync connections and other internal applications like the Safari web browser.
My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet.
I was still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not test all types of Apple applications, but at least Safari also continues to work).
In my tests I have disabled TLS 1.2 and I have also disabled the DHE ciphers and iOS 9 was still able to connect over ActiveSync to my Traveler server.
So it is still important that we are getting an update for Domino 9.0.1 FP4 that introduces ECDHE (which is expected by the end of September), but we have been lucky that Apple is not enforcing the full ATS standard for Safari and ActiveSync yet.
Below you see the list of ciphers my iOS 9 device requested. This looks like a pretty wide range of ciphers with a lot of non-ECDHE ciphers.
Here is again a link to the IBM technote --> http://www.ibm.com/support/docview.wss?uid=swg21966059
You should update all your iOS apps to the latest version. There have been fixes for the companion and the todo app for iOS 9 support.
As of now the TN is not updated to reflect my findings for the internal applications. And I would be interested to hear from your tests and results with iOS 9.
I have not tested with RSA keys < 2048 or a non-SHA-256 cert. Can anyone share their findings?
You can either reply here or drop me an e-mail.
-- Daniel
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)
ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)
ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)
ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
RSA_WITH_AES_256_GCM_SHA384 (0x009D)
RSA_WITH_AES_128_GCM_SHA256 (0x009C)
RSA_WITH_AES_256_CBC_SHA256 (0x003D)
RSA_WITH_AES_128_CBC_SHA256 (0x003C)
RSA_WITH_AES_256_CBC_SHA (0x0035)
RSA_WITH_AES_128_CBC_SHA (0x002F)
RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
ECDHE_RSA_WITH_RC4_128_SHA (0xC011)
RSA_WITH_RC4_128_SHA (0x0005)
RSA_WITH_RC4_128_MD5 (0x0004)
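Why the connection still succeeds with TLS 1.2 and the DHE ciphers disabled, as an added example that is not code from the original post or from IBM or Apple: it parses the offered list above and picks the first suite a server could accept. The `negotiate` helper and its flags are hypothetical; an RSA server certificate and selection in client preference order are assumptions of this example.

```python
import re

# Cipher suites offered by the iOS 9 device, copied from the list in the post.
OFFER_TEXT = """
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C) ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024) ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A) ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008) ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
RSA_WITH_AES_256_GCM_SHA384 (0x009D) RSA_WITH_AES_128_GCM_SHA256 (0x009C)
RSA_WITH_AES_256_CBC_SHA256 (0x003D) RSA_WITH_AES_128_CBC_SHA256 (0x003C)
RSA_WITH_AES_256_CBC_SHA (0x0035) RSA_WITH_AES_128_CBC_SHA (0x002F)
RSA_WITH_3DES_EDE_CBC_SHA (0x000A) ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
ECDHE_RSA_WITH_RC4_128_SHA (0xC011) RSA_WITH_RC4_128_SHA (0x0005) RSA_WITH_RC4_128_MD5 (0x0004)
"""

def parse_offer(text=OFFER_TEXT):
    """Return [(name, code)] in the client's preference order."""
    return [(n, int(c, 16)) for n, c in re.findall(r"(\w+) \((0x[0-9A-Fa-f]{4})\)", text)]

def describe(name):
    """Security-relevant properties derived from the suite name."""
    return {"forward_secrecy": name.startswith(("ECDHE_", "DHE_")),
            "tls12_only": name.endswith(("SHA256", "SHA384")),  # GCM and SHA-2 MAC suites
            "legacy": any(t in name for t in ("RC4", "3DES", "MD5"))}

def negotiate(offer, ecdhe=False, tls12=False):
    """First offered suite a server could accept. Assumptions of this example:
    RSA server certificate, DHE disabled, client preference order honoured."""
    for name, code in offer:
        p = describe(name)
        if "ECDSA" in name or (p["forward_secrecy"] and not ecdhe):
            continue
        if p["tls12_only"] and not tls12:
            continue
        return name, code
    return None

if __name__ == "__main__":
    offer = parse_offer()
    fs = sum(describe(n)["forward_secrecy"] for n, _ in offer)
    print(f"{len(offer)} suites offered, {fs} with ECDHE, {len(offer) - fs} without")
    for ecdhe, tls12 in [(False, False), (False, True), (True, True)]:
        name, code = negotiate(offer, ecdhe, tls12)
        print(f"ecdhe={ecdhe} tls12={tls12} -> {name} (0x{code:04X}) fs={describe(name)['forward_secrecy']}")
```

The first case models the server in the test above (no ECDHE, no TLS 1.2): a plain RSA key-exchange suite is selected, so the handshake completes without forward secrecy.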
- Comments [4]
1Sascha 17.09.2015 12:33:04 iOS 9 Released and Traveler continues to work without ECDHE
Hi Daniel,
I have tested with a customer Traveler server still running with a SHA-1 cert / 2048 and the final iOS 9 device is also still able to connect.
Sascha
2UK 18.09.2015 3:38:24 iOS 9 Released and Traveler continues to work without ECDHE
Hi,
Will IBM Traveler ver 9.0.1.3 & Domino ver 9.0.1 FP3 work with iOS 9?
Regards,
UK
3Daniel Nashed 18.09.2015 6:31:30 iOS 9 Released and Traveler continues to work without ECDHE
The first Traveler version supported for iOS 9 is 9.0.1.7. There are known issues with iOS 9 in the calendar area and there are other specific fixes for iOS 9 - see the fixlist for details.
I would recommend updating to 9.0.1.7. We only have positive feedback to this release after issues we had with previous versions after the MIME handling has been introduced.
It makes a lot of sense to update to 9.0.1.7 and you should upgrade to 9.0.1 FP4 to be prepared for the new IF that is coming soon to introduce ECDHE.
-- Daniel
4Stefano Benassi 19.09.2015 10:36:16 iOS 9 Released and Traveler continues to work without ECDHE
Everything is OK (now) with iOS 9 and a Traveler 8.5.3 UP2 with a SHA-1 certificate.
Stefano