Last warning (if you haven’t heard about it) – Apple will enforce ATS on iOS 9 compiled apps

A few weeks ago I wrote that it is important to support the specs for Apple’s new App Transport Security (ATS). Here is the proof of what will happen.

 

I compiled an app with the iOS 9 SDK and connected it to a current IBM Domino 9.0.1 FP4 server (with DEBUG_SSL_ALL=3 activated). As you can see in the output, the client requested ciphers that the server reports as unknown, and because of that the SSL connection was not set up.

27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02C)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02B)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC024)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC00A)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC023)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC009)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC030)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02F)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC028)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC027)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC013)

 

The ciphers listed above all belong to the ECDHE (ephemeral Elliptic Curve Diffie–Hellman) family, which this server does not currently support.
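The code points in the log can be decoded mechanically. The following is an added example (not part of the original post): it parses the Domino debug output and maps each code point to its name in the IANA TLS cipher suite registry. The regular expression is inferred from the lines shown here, and the 0xABCD line is constructed to show how an undecodable value is reported.

```python
import re
# IANA TLS cipher suite registry names for the code points in the log above.
IANA = {
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Line pattern inferred from the DEBUG_SSL_ALL=3 output shown in this post.
LINE_RE = re.compile(r"Client requested Unknown Cipher \(0x([0-9A-Fa-f]{4})\)")
# Three lines copied from the log above, plus one constructed line (0xABCD).
SAMPLE_LOG = """\
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC02C)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC00A)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xC013)
27.08.2015 17:52:11,89 SSLProcessClientHello> Client requested Unknown Cipher (0xABCD)
"""
def unknown_ciphers(log_text):
    """Return the code points the server logged as unknown, in order, without repeats."""
    codes = []
    for m in LINE_RE.finditer(log_text):
        code = int(m.group(1), 16)
        if code not in codes:
            codes.append(code)
    return codes

def summarize(log_text):
    """Decode each code point; split known names into key exchange and authentication."""
    rows = []
    for code in unknown_ciphers(log_text):
        name = IANA.get(code)
        row = {"code": f"0x{code:04X}", "name": name}
        if name:  # e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE, RSA
            kx, auth = name[4:].split("_WITH_")[0].split("_")
            row.update(kx=kx, auth=auth, aead="_GCM_" in name)
        rows.append(row)
    return rows

def all_require_ecdhe(log_text):
    """True only if every logged code point decodes to an ECDHE suite."""
    rows = summarize(log_text)
    return bool(rows) and all(r.get("kx") == "ECDHE" for r in rows)
```

Run against a full server log, a True result from all_require_ecdhe means the client offered nothing but ECDHE suites, so a server without ECDHE support has no cipher in common with it.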

 

You can read more about the new security specs in Apple’s technote.

 

If you’re running your app against specific servers you can lower your security, as described in the technote. But if the servers aren’t under your control you’ll be doomed if those don’t support the new Apple specs.

 

IBM is AFAIK working on an update for 9.0.1 FP4 to support the new ciphers. Hopefully before iOS 9. Stay tuned!