Apple are getting ready to ship both iOS9 (sometime next week is rumoured) and the latest version of OSX called El Capitan. Already people have downloaded and are using beta versions of the software and finding things don’t work – small things like Notes won’t install or run and iOS devices won’t connect to Traveler! So here’s what you need to do (and with thanks to the king of all things Apple OS Rene Winkelmeyer)
Your Traveler server must be upgraded to the latest version which was released last week – 220.127.116.11. That version adds support for iOS9 and without it your devices won’t be able to connect. All those BYOD users with iPhones are sure to be updating the second the OS is released so you really need to stay ahead of the game and get your server upgraded. And whilst you’re at it , make sure you get your SSL certificates updated to SHA2 if you haven’t already.
Amendment: Rene would like me to make it clearer that not having a SHA2 certificate from a public CA will absolutely positively stop Traveler from working as of iOS9 right now. He’s right – I wasn’t clear enough on that. Your Traveler server must have a SHA2 SSL certificate and really must be Domino 9.0.1 FP4
IBM have announced there will be a new 64bit (yay!) version of Notes 9.0.1 for the Mac to be released prior to the shipping of El Capitan. There are no declared dates but I’m hoping that means “September”. More details of that here but basically until the new 64bit client is available, don’t upgrade to OSX 10.11
So. Traveler first. In fact Traveler NOW and then wait… 🙂
that’s not correct: “Your Traveler server must be upgraded to the latest version which was released last week – 18.104.22.168. That version adds support for iOS9 and without it your devices won’t be able to connect. ”
The current iOS 9 Beta is working great with older Traveler releases. IBM will only official support 22.214.171.124 together with iOS 9. You should update to Traveler 126.96.36.199, but it is not a must.
The problem is the Domino HTTP stack. If you are using the Domino HTTP task as endpoint of your SSL connection, customers MUST update Domino to => 9.0.1 FP3, because of needed TLS 1.2 and SHA-2 support for iOS 9.
I’m standing by the 188.8.131.52 statement because that’s what IBM officially supports iOS9 for and that’s the one that has the fixes caused by issues in iOS9. I do also have several customers with beta iOS9 unable to connect and those that can having problems with data.
I did say you needed SHA2 which also requires you to update Domino but Rene pointed out that wasn’t clear enough so I already updated this post explaining SHA2 and Domino 9.0.1 FP4 were required. To make things worse the ciphers on Domino right now even at the latest version may not work with iOS9 well and IBM may still be releasing a further IF to support them. Yes you can use FP3 with SHA2 but at this point I wouldn’t
So are you saying a self signed SHA2 SSL won’t work? That seems to what that above indicates.
That’s what I understand yes – I haven’t tested as they haven’t shipped yet but yes.
Gabriella, thank you for the updates. As far as having another SSL/TLS terminator with SHA-2 communicating with via HTTP to the Traveler server, is that an issue?
It actually shouldn’t be no because the front end SSL will handle the communications. I’d have to know more but in principle no not a problem
I’ve just gotten off the phone with IBM Traveler Support related to a PMR inquiry on this. They stated that Traveler 184.108.40.206 will be required for iOS9, and that in addition Domino 9.0.1 FP5 will also be released as a requirement just prior to the iOS9 release. They (of course) can not comment on software (iOS9) that is not officially released. The SSL SHA2 requirement is apparently strictly related (someone please recheck my understanding) to the use of the IBM iOS Verse client along with the Traveler server. A self-signed cert will not work for that combo of Verse Client/Traveler, which seems to be true now as well. The standard ‘Generate an Apple Profile’ setup will still apparently operate without concern regardless.
That’s useful information. thank you
I’ve heard from IBM the an IF for Domino to support ECDHE ciphers is coming shortly (it’s in internal testing now) and a technote is imminent. Hold on to yer hats!
Technote today .. 🙂