
Getting ready for iOS 9 and App Transport Security (ATS)

Much has already been written on the web about the upcoming iOS 9 release and how Apple is tightening security with App Transport Security (ATS), which essentially only allows HTTPS traffic using modern, secure ciphers. Other voices in the community are staying on top of this and blogging much more about it and how it pertains to IBM Traveler, particularly if you are terminating your IBM Traveler connections on Domino. As it stands now (IBM Domino 9.0.1 FP4), IBM Domino cannot deliver the ciphers required by ATS. While the latest beta of iOS 9 can still connect insecurely, I suggest you start looking for the right solution, which is terminating your IBM Traveler traffic using TLS v. 1.2 with Elliptic Curve cryptography and Diffie-Hellman key exchange.

For one of our OnTime Group Calendar demo servers we have IBM HTTP Server (IHS) in front, which made the process pretty easy as IHS already supports the required ciphers. As always, configuring security is a balance between securing your server and keeping compatibility with older operating systems and browsers. For me this meant allowing TLS v. 1.0, 1.1 and 1.2 and keeping some less secure ciphers for older operating systems and browsers, while also enabling strong crypto to support ATS.

Below is our configuration from domino.conf, which is used to configure IHS for IBM Domino. Note that two of the ciphers supported by ATS are not supported by IHS (the ones based on SHA-1).

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable

Making the above configuration change will give you an A- score on ssllabs.com, which is a pretty nice score while keeping backwards compatibility. If that kind of compatibility isn't needed, turn off TLS v. 1.0 and 1.1 and remove the "SSLCipherSpec ALL" lines for the individual ciphers (keep "SSLCipherSpec ALL NONE") - that will give you a score of A.

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable
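To check a domino.conf against the iOS 9 ATS requirements before restarting IHS, here is an added Python checker (not part of the original post, and not IHS tooling) that reads the SSLProtocolDisable and SSLCipherSpec lines the way the two configurations above use them. The ATS suite list is taken from Apple's published iOS 9 ATS requirements, and the embedded sample config is constructed from the post's own directives.

```python
# iOS 9 ATS forward-secrecy suites for RSA certs, per Apple's documentation
# (ECDHE_ECDSA equivalents omitted; the two SHA-1 suites are the ones IHS lacks).
ATS_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv10", "TLSv11", "TLSv12")

def parse_ihs_ssl(conf_text):
    """Interpret SSLProtocolDisable/SSLCipherSpec; 'ALL NONE' clears every list."""
    disabled, ciphers = set(), {p: [] for p in PROTOCOLS}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "SSLProtocolDisable":
            disabled.update(parts[1:])
        elif parts[0] == "SSLCipherSpec" and len(parts) == 3:
            scope, cipher = parts[1], parts[2]
            for p in (PROTOCOLS if scope == "ALL" else (scope,)):
                lst = ciphers.setdefault(p, [])
                if cipher == "NONE":
                    lst.clear()
                elif cipher not in lst:
                    lst.append(cipher)
    return disabled, ciphers

def check_ats(conf_text):
    """ATS needs TLS 1.2 and a forward-secrecy suite offered on it. Certificate
    rules (RSA >= 2048 bit, SHA-256 signature) are not visible here."""
    disabled, ciphers = parse_ihs_ssl(conf_text)
    tls12 = ciphers["TLSv12"]
    ats = [c for c in tls12 if c in ATS_SUITES]
    return {
        "tls12_enabled": "TLSv12" not in disabled,
        "legacy_protocols": [p for p in ("TLSv10", "TLSv11") if p not in disabled],
        "ats_suites": ats,
        "non_ats_suites": [c for c in tls12 if c not in ATS_SUITES],
        "ats_ready": "TLSv12" not in disabled and bool(ats),
    }

# Constructed sample: a cut-down version of the post's compatibility config.
SAMPLE_CONF = """\
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
```

Run `check_ats(open("domino.conf").read())` against your own file; a result with `ats_ready` True but a non-empty `legacy_protocols` list corresponds to the A- configuration, and an empty list to the A configuration.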
