Connectivity Issues with Traveler after updating to iOS9

If you just updated your device OS to iOS9 and are experiencing connectivity issues with the Traveler server, check the following items:

  1. Make sure that your IBM Traveler version supports iOS 9.

Upgrade to IBM Traveler 9.0.1.7 http://www-01.ibm.com/support/docview.wss?uid=swg21965124 to officially support iOS9 devices.

  2. If you are using HTTPS (SSL) on your Domino/Traveler server

You must upgrade your Domino server to the latest release http://www-01.ibm.com/support/docview.wss?uid=swg24037141 that supports TLS 1.2 connections (TLS 1.2 support was introduced in Domino 9.0.1 Fix Pack 3 Interim Fix 2 http://www.ibm.com/support/docview.wss?uid=swg21697925).

When using HTTPS, iOS9 devices connect to the server via TLS 1.2. If the Domino HTTP server does not support it, the connection fails.

OPTIONAL: Add the following notes.ini parameters AFTER upgrading the server to disable the weaker SSLv3 protocol and to specify the TLS 1.2 ciphers to use.

Disable_SSLv3=1
SSLCipherSpec=9F9E6B39679D9C3D353C2F330A

After setting these parameters, restart the server for them to take effect.

  3. If you have a reverse proxy/load balancer in front of Traveler (for a High Availability setup)

Ensure that it has support for TLS 1.2.

If you are still experiencing connectivity issues after checking the above items and making the necessary changes, please open a PMR with IBM Technical Support.

For related information see the following links:

Subject: Technote available

Hi All,

We have released a Technote about this that is easily accessible.

See link for technote - http://www-01.ibm.com/support/docview.wss?uid=swg21967350

Subject: Update on SSLCipherSpec parameter

Please note the update on the SSLCipherSpec parameter.

SSLCipherSpec=9F9E6B39679D9C3D353C2F330A053305

Basically, the SSLCipherSpec parameter overrides the default cipher list to be used by the Domino server. If you wish to specify the ciphers to be used by Domino, then you can add the SSLCipherSpec parameter. The example above is the complete cipher list for TLS 1.0 and TLS 1.2.

Subject: 33 and 05 are listed in that SSLCipherSpec twice
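
The duplicate check raised in the reply above, applied to both SSLCipherSpec values posted in this thread, as an added example (not IBM's code and not part of the original posts). It assumes each two-hex-digit code is the low byte of the IANA TLS cipher suite ID 0x00NN; the function name `audit_cipher_spec` and the lookup table are illustrative.

```python
# Added example: audit a Domino SSLCipherSpec value from notes.ini.
# Assumption: each two-hex-digit code is the low byte of the IANA TLS
# cipher suite ID 0x00NN; names below are IANA names without "TLS_".
IANA_00XX = {
    "9F": "DHE_RSA_WITH_AES_256_GCM_SHA384",
    "9E": "DHE_RSA_WITH_AES_128_GCM_SHA256",
    "6B": "DHE_RSA_WITH_AES_256_CBC_SHA256",
    "39": "DHE_RSA_WITH_AES_256_CBC_SHA",
    "67": "DHE_RSA_WITH_AES_128_CBC_SHA256",
    "9D": "RSA_WITH_AES_256_GCM_SHA384",
    "9C": "RSA_WITH_AES_128_GCM_SHA256",
    "3D": "RSA_WITH_AES_256_CBC_SHA256",
    "35": "RSA_WITH_AES_256_CBC_SHA",
    "3C": "RSA_WITH_AES_128_CBC_SHA256",
    "2F": "RSA_WITH_AES_128_CBC_SHA",
    "33": "DHE_RSA_WITH_AES_128_CBC_SHA",
    "0A": "RSA_WITH_3DES_EDE_CBC_SHA",
    "05": "RSA_WITH_RC4_128_SHA",
}
LEGACY = ("RC4", "3DES")  # algorithms worth flagging for review


def audit_cipher_spec(line):
    """Parse 'SSLCipherSpec=<hex>'; return (codes, duplicates, unknown, legacy)."""
    key, _, value = line.strip().partition("=")
    if key.strip().lower() != "sslcipherspec":
        raise ValueError("not an SSLCipherSpec line")
    value = value.strip().upper()
    if not value or len(value) % 2 or any(c not in "0123456789ABCDEF" for c in value):
        raise ValueError("value must be a non-empty, even number of hex digits")
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    seen, duplicates = set(), []
    for code in codes:  # keep duplicates in the order they are first repeated
        if code in seen and code not in duplicates:
            duplicates.append(code)
        seen.add(code)
    unknown = sorted(c for c in seen if c not in IANA_00XX)
    legacy = sorted(c for c in seen if any(a in IANA_00XX.get(c, "") for a in LEGACY))
    return codes, duplicates, unknown, legacy


if __name__ == "__main__":
    for spec in ("SSLCipherSpec=9F9E6B39679D9C3D353C2F330A",          # original post
                 "SSLCipherSpec=9F9E6B39679D9C3D353C2F330A053305"):   # update post
        codes, dups, unknown, legacy = audit_cipher_spec(spec)
        print(spec)
        print("  ", ", ".join(f"{c}={IANA_00XX.get(c, '?')}" for c in codes))
        print("   duplicates:", dups, "unknown:", unknown, "legacy:", legacy)
```
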

Subject: SSL Certificates after 901 FP4 Upgrade on Domino

Most customers have Domino CA self-signed SSL certificates created from this technote (http://www-01.ibm.com/support/docview.wss?uid=swg21114148).

After upgrading to 901 FP4, you will see these errors if you still use these kinds of certificates:
TLS/SSL connection x.x.x.x - x.x.x.x failed with server certificate chain signature algorithms NOT supported by client
TLS/SSL connection x.x.x.x - x.x.x.x failed with server certificate chain requiring support for MD5

To check if your certificates are MD5:

  1. Using a web browser, open your web server URL (https://hostname/)
  2. Open the certificate from the padlock next to the URL and go to the Details tab
  3. If you see MD5 as the signature algorithm, then you need to recreate the SSL certificates

To resolve these errors, please refer to the following technote:

Title: Domino Web Server keyring still using MD5 may cause TLS 1.2 handshake failure
Doc #: 1701159
URL: https://www-304.ibm.com/support/docview.wss?uid=swg21701159

We recommend updating your keyfiles and using SHA-2 certificates so that you can also use the highest protocol available in Domino. As a workaround, disable TLS 1.2: SSL_DISABLE_TLS_12=1.

Please be aware that SHA-2 certificates are not supported on Domino version 8.5.x. SHA-2 certificates are supported on Domino version 9 and up only. If you are already on version 9.x, we have new tools to process SHA-2 certificates. We can no longer use the old certsrv.nsf with SHA-2 certificates. You would need to apply the latest fixes to support and use these tools. Here are the requirements and steps for the new SHA-2 process:

Title: SHA-2 support available for IBM Domino 9.x
Doc #: 1418982
URL: http://www.ibm.com/support/docview.wss?uid=swg21418982

You have two options: self-signed, or an SSL certificate from a third-party CA vendor.

Self-Sign Domino SHA-2 SSL
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool

Third Party Domino SHA-2 SSL
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool