HCL Notes and Domino 9.0 Social Edition Forum - Connectivity Issues with Traveler after updating to iOS9

This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal

Share ▼
Subscribe ▼

~Phil Churesatherakol

Sep 17, 2015, 8:10 PM

8 Posts

Connectivity Issues with Traveler after updating to iOS9

Category: Notes Traveler
Platform: All Platforms
Release: 9.0.1
Role: Administrator
Tags: Traveler,iOS9,Domino
Replies: 4

If you just updated your device OS to iOS9 and are experiencing connectivity issues with the Traveler server, kindly check if you are meeting the following items:

1. Make sure that your IBM Traveler version supports iOS 9.

Upgrade to IBM Traveler 9.0.1.7 to officially support iOS9 devices.

2. IF you are using HTTPS (SSL) on your Domino/Traveler Server

You must upgrade your Domino server to the latest release that supports TLS 1.2 connections(TLS 1.2 support introduced in Domino 9.0.1 Fix Pack 3 Interim Fix 2).

Basically, when using HTTPS, iOS9 devices would connect to the server via TLS 1.2, and if the Domino HTTP Server does not support it, the connection will fail.

OPTIONAL: Add the following notes.ini parameters AFTER upgrading the server to disable weaker ciphers (SSLv3) and to specify the TLS 1.2 ciphers to use.

Disable_SSLv3=1
SSLCipherSpec=9F9E6B39679D9C3D353C2F330A

After setting these in place, please restart the server for it to take effect.

3. IF you have a reverse proxy/load balancer in front of Traveler (for High Availability Setup)

Ensure that it has support for TLS 1.2.

If you are still experiencing connectivity issues after checking the above items and making the necessary changes, please open a PMR with IBM Technical Support.

For related information see the following links:

iOS 9 support statement: http://www.ibm.com/support/docview.wss?uid=swg21962180
Apple iOS9 App Transport Security - https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security
Detailed System Requirements (On Prem): http://www.ibm.com/support/docview.wss?uid=swg27045363
IBM Traveler 9.0.1.7 Release Documentation - http://www-01.ibm.com/support/docview.wss?uid=swg21965124
IBM Notes and Domino Interim Fixes to support TLS 1.2 - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
TLS Cipher Configuration - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
TLS 1.2 deliveries for IBM Notes & Domino 9.x - http://www.ibm.com/support/docview.wss?uid=swg21697925
iOS 9.x native Calendar app may remove some repeating Domino calendar entries from device - http://www.ibm.com/support/docview.wss?uid=swg21966731

~Phil Churesatherakol

Sep 23, 2015, 7:39 PM

8 Posts

Update on SSLCipherSpec parameter

Please note the update on the SSLCipherSpec parameter.

SSLCipherSpec=9F9E6B39679D9C3D353C2F330A053305

Basically, the SSLCipherSpec parameter overrides the default cipher list to be used by the Domino server. If you wish to specify the ciphers to be used by Domino, then you can add the SSLCipherSpec parameter. The example above is the complete cipher list for TLS 1.0 and TLS 1.2.

~Tanita Desweverobu

Sep 25, 2015, 2:13 PM

94 Posts

33 and 05 are listed in that SSLCipherSpec twice <>

~Olga Brekrochekobu

Sep 23, 2015, 9:42 PM

4 Posts

SSL Certificates after 901 FP4 Upgrade on Domino

Most customers have Domino CA Self-Sign SSL certificates created from this technote (http://www-01.ibm.com/support/docview.wss?uid=swg21114148)

After upgrading to 901 FP4, you will be having these errors if you still use these kind of certificates:
TLS/SSL connection x.x.x.x - x.x.x.x failed with server certificate chain signature algorithms NOT supported by client
TLS/SSL connection x.x.x.x - x.x.x.x failed with server certificate chain requiring support for MD5

To check if your certificates are MD5:
1. Using a web browser, open your web server URl (https://hostname)
2. Open the certificate from the padlock from the URL and go to details tab
3. If you see MD5 as the Signature algorithm then you need recreate the SSL certificates

To resolve this errors, Please refer to the following technote:

Title: Domino Web Server keyring still using MD5 may cause TLS 1.2 handshake failure
Doc #: 1701159
URL: https://www-304.ibm.com/support/docview.wss?uid=swg21701159

We recommend to update your keyfiles and use SHA-2 certificates so that you could also use the highest protocol available in Domino. As a workaround, disable TLS 1.2: SSL_DISABLE_TLS_12=1.

Please be aware that SHA-2 certificates are not supported on Domino version 8.5.x. SHA-2 certificates are supported on Domino version 9 and up only. If you are already on version 9.x, we have new tools to process SHA-2 certificates. We can no longer use the old certsrv.nsf with SHA-2 certificates. You would need to apply the latest fixes to support and use these tools. Here are the requirements and steps for the new SHA-2 process:

Title: SHA-2 support available for IBM Domino 9.x
Doc #: 1418982
URL: http://www.ibm.com/support/docview.wss?uid=swg21418982

You have two options, Using Self-Sign and an SSL from a Third Party CA vendor.
Self-Sign Domino SHA-2 SSL
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool

Third Party Domino SHA-2 SSL
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

~Phil Churesatherakol

Sep 28, 2015, 7:36 PM

8 Posts

Technote available

Hi All,

We have released a Technote about this, that is easily accessible.

See link for technote - http://www-01.ibm.com/support/docview.wss?uid=swg21967350

Share ▼
Subscribe ▼