IBM Traveler – Action Required by January 1, 2017

 

It is important to note that failure to meet all of the requirements listed below may result in your Verse for iOS, Verse for Android, IBM Notes Traveler Companion and IBM Notes Traveler To Do apps being unable to connect to your Traveler servers.

  • Mobile apps must connect only using HTTPS and not the unsecured HTTP protocol.
  • The server certificate must not be expired or invalid.
  • The server certificate common name (CN) or a name from the server certificate’s Subject Alternative Name (SAN) list must match the host name of the server to which the client is connecting. For example, if the mobile app is connecting to traveler.example.com, then the certificate must list traveler.example.com in the CN or SAN fields. A wildcard certificate is allowed, but the domain from the wildcard must match the server’s domain.
  • The negotiated Transport Layer Security version must be TLS 1.2. Since devices running Android prior to version 4.1 do not support TLS 1.2, they can no longer be supported.
  • The server certificate must be trusted: it must be issued either by a certificate authority (CA) whose root certificate is incorporated into the device operating system or by a trusted root CA that has been installed by the user or a system administrator on the device.
  • The negotiated TLS connection’s cipher suite must support forward secrecy and be one of the following:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • The leaf server certificate must be signed with one of the following types of keys:
    Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
    Elliptic-Curve Cryptography (ECC/ECDSA) key with a size of at least 256 bits
  • The leaf certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 bits (SHA-256 or greater).
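
The checklist above written as a checker over one observed session, as an added example that is not IBM's code or part of the original notice. The session field names, the sample values and the `check_session` and `name_matches` helpers are assumptions made for illustration; timestamps are treated as UTC.

```python
# Added example: field names and sample values are constructed for illustration.
from datetime import datetime

# The 11 suites listed above: every ECDHE combination except RSA + AES_256_CBC_SHA.
ALLOWED_SUITES = {
    f"TLS_ECDHE_{auth}_WITH_{enc}" for auth in ("ECDSA", "RSA")
    for enc in ("AES_256_GCM_SHA384", "AES_128_GCM_SHA256", "AES_256_CBC_SHA384",
                "AES_256_CBC_SHA", "AES_128_CBC_SHA256", "AES_128_CBC_SHA")
} - {"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}

def name_matches(host, cert_name):
    """Exact match, or a wildcard covering one left-most label of the same domain."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def check_session(s, now):
    """Return the list of requirements that the observed session `s` fails."""
    failures = []
    if s["scheme"] != "https":
        failures.append("not HTTPS")
    if s["tls_version"] != "TLSv1.2":
        failures.append("TLS version is not 1.2")
    if s["cipher_suite"] not in ALLOWED_SUITES:
        failures.append("cipher suite not allowed")
    if not s["not_before"] <= now <= s["not_after"]:
        failures.append("certificate expired or not yet valid")
    if not any(name_matches(s["host"], n) for n in [s["cn"], *s["san"]]):
        failures.append("host name not in CN or SAN")
    if s["key_bits"] < {"RSA": 2048, "EC": 256}.get(s["key_type"], float("inf")):
        failures.append("leaf key too weak")
    if s["sig_hash"] not in {"sha256", "sha384", "sha512"}:
        failures.append("signature hash is not SHA-2")
    if not s["chain_trusted"]:
        failures.append("untrusted root")
    return failures

NOW = datetime(2017, 1, 1)  # constructed evaluation time
GOOD = {  # constructed sample session that meets every requirement
    "scheme": "https", "host": "traveler.example.com", "tls_version": "TLSv1.2",
    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "cn": "*.example.com", "san": ["*.example.com"], "key_type": "RSA",
    "key_bits": 2048, "sig_hash": "sha256", "chain_trusted": True,
    "not_before": datetime(2016, 6, 1), "not_after": datetime(2018, 6, 1),
}
# Constructed failing session: other domain, TLS 1.0, non-ECDHE suite, 1024-bit key, SHA-1.
BAD = {**GOOD, "host": "traveler.example.org", "tls_version": "TLSv1",
       "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "key_bits": 1024, "sig_hash": "sha1"}
```

`check_session(GOOD, NOW)` returns an empty list, while `check_session(BAD, NOW)` names each requirement the session misses.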

Source: IBM Support