IBM Support

Apple's App Transport Security prevents apps from connecting to a Domino server

Technote (troubleshooting)


Problem

Third-party apps built for iOS 9.0 (or later), or built for OS X 10.11 El Capitan (or later), will not be able to connect to a Domino server due to enforcement of Elliptic Curve ciphers.

Example Scenario: An application, built for iOS 8 or OS X 10.10, that makes HTTP/HTTPS connections to a Domino server works fine. Then the app is recompiled for iOS 9 or OS X 10.11. By default this enforces a new technology from Apple called App Transport Security (ATS), which enforces a number of security constructs for connectivity. Domino 9.0.1 Fix Pack 4 can handle all of the constructs except Elliptic Curve ciphers.

Note: For iOS 9, the Mail app and the browser do not enforce the elliptic curve component of App Transport Security, so there is no issue with Traveler or iNotes retrieving mail. However, iOS 9 does enforce TLS 1.2, which requires Domino 9.0.1 Fix Pack 4.


Symptom

Apps compiled for iOS 9 or OS X 10.11 cannot connect to a Domino server over HTTPS. The connection is denied and, if DEBUG_SSL_All=1 is set in the server's notes.ini, the following messages appear on the Domino console. (The HTTP task must be restarted for the notes.ini change to take effect.)

      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02C)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02B)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC024)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC00A)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC023)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC009)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC030)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02F)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC028)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC027)
      [0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC013)

Cause

This issue is caused by the lack of Elliptic Curve cipher support in Domino combined with the default enforcement of App Transport Security in apps built for iOS 9 or OS X 10.11.

Environment

The issue occurs on Apple devices running iOS 9 with apps built for iOS 9. This issue can also occur on Mac OS X 10.11 with apps built for OS X 10.11.

Diagnosing the problem

Client fails to connect to a Domino server and the server displays "Client requested Unknown Cipher".

Resolving the problem

Download and install Domino 9.0.1 Fix Pack 4 Interim Fix 2 (or higher), which implements Elliptic Curve cipher support for TLS 1.2 and TLS 1.0 and so remedies this issue. Elliptic Curve support is added for the following protocols: HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3.


Elliptic Curve support will not be available for Domino 8.5.x releases since the specification requires updated cryptographic libraries that are available only in Domino 9.0 and above.

As another option, developers can compile third-party apps with an Exceptions list that excludes the Domino server from App Transport Security enforcement. More specifically, an app compiled with App Transport Security but with the exception NSExceptionRequiresForwardSecrecy set to NO can communicate using the ciphers that Domino 9.0.1 Fix Pack 4 supports, including these:

      RSA_WITH_AES_256_GCM_SHA384 (0x009D)  
      RSA_WITH_AES_128_GCM_SHA256 (0x009C)  
      RSA_WITH_AES_128_CBC_SHA (0x002F)  
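The following script is an added example, not part of the technote, that ties the Symptom and Resolution sections together: it parses DEBUG_SSL_All=1 console lines like those above, names the cipher IDs the client offered (the 0xC0xx suites are all ECDHE, which is why an ATS-default client offers nothing Domino FP4 supports), reports any overlap with the three RSA suites listed above, and, for the app-side fix, emits the Info.plist ATS exception with NSExceptionRequiresForwardSecrecy set to NO. The host name domino.example.com and the sample log lines are constructed placeholders.

```python
import plistlib
import re

# IANA names for the cipher IDs in the console excerpt above (all ECDHE key exchange, i.e.
# forward-secret) plus the three RSA key-exchange suites the technote lists for Domino 9.0.1 FP4.
CIPHER_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
DOMINO_FP4_SUPPORTED = {0x009D, 0x009C, 0x002F}  # the three suites named in the Resolution section
LOG_RE = re.compile(r"SSLProcessClientHello> Client requested Unknown Cipher \(0x([0-9A-Fa-f]{4})\)")

def offered_ciphers(console_lines):
    """Cipher IDs the client offered, in ClientHello order, parsed from DEBUG_SSL_All=1 output."""
    return [int(m.group(1), 16) for m in map(LOG_RE.search, console_lines) if m]

def diagnose(offered):
    """Did the client offer only forward-secret (ECDHE/DHE) suites, as ATS does by default,
    and does it share any suite with what Domino FP4 without Interim Fix 2 can negotiate?"""
    names = [CIPHER_NAMES.get(c, "unknown 0x%04X" % c) for c in offered]
    fs_only = bool(names) and all(n.startswith(("TLS_ECDHE_", "TLS_DHE_")) for n in names)
    return {"ciphers": names, "forward_secrecy_only": fs_only,
            "fp4_overlap": sorted(set(offered) & DOMINO_FP4_SUPPORTED)}

def ats_exception_plist(domain):
    """Info.plist fragment that keeps ATS on but drops the forward-secrecy requirement for one
    Domino host, the app-side option the technote describes (host name is a placeholder)."""
    ats = {"NSAppTransportSecurity": {"NSExceptionDomains": {
        domain: {"NSExceptionRequiresForwardSecrecy": False, "NSIncludesSubdomains": True}}}}
    return plistlib.dumps(ats).decode()

# Constructed sample in the shape of the console excerpt above; the last line is unrelated noise.
SAMPLE = [
    "[0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02C)",
    "[0F7C:000A-0C58] 27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC013)",
    "[0F7C:000A-0C58] 27.08.2015 17:52:11,89 HTTP Server: Started",
]

if __name__ == "__main__":
    report = diagnose(offered_ciphers(SAMPLE))
    print(report)
    if report["forward_secrecy_only"] and not report["fp4_overlap"]:
        print(ats_exception_plist("domino.example.com"))
```

Applying the server-side fix (Fix Pack 4 Interim Fix 2 or higher) is the cleaner remedy; the plist exception keeps ATS enabled for every other host and only relaxes the forward-secrecy requirement for the named Domino server.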

IBM is committed to delivering a secure and reliable offering. It is our intention to continue to address general enhancements including security updates as is our general practice in our product development cycles or in our ongoing subscription updates.


Q&A


Q1: Is IBM the only vendor impacted by this change?
No. Other companies are giving guidance to app developers to exclude enforcement of App Transport Security so that apps can continue to function completely.

Q2: Does this change affect Apple native apps on iOS 9 and OSX 10.11, such as iOS mail configured for Traveler or the iOS browser used for iNotes and XPage applications?
  • For iOS 9: For the iOS native mail app, TLS 1.2 is needed which requires Domino 9.0.1 FP4 or above.
  • For OS X 10.11: No known issues.

Q3: Is the IBM Verse iOS mobile app impacted?
No. The IBM Verse iOS mobile app is compiled with appropriate exclusions to avoid connections being denied. This provides another solution if the Apple native iOS mail app starts enforcing App Transport Security with ciphers that Domino does not support.


IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.   Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Cross reference information
Segment: Messaging Applications
Product: IBM Traveler

Document information

More support for: IBM Domino (Security)

Software version: 9.0, 9.0.1, 9.0.1.1, 9.0.1.2, 9.0.1.3, 9.0.1.4

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 1966059

Modified date: 29 November 2016

