cancel
Showing results for 
Search instead for 
Did you mean: 
David_Holmes_12
Historic F5 Account

Apple is dropping new versions of its popular iOS and OS X operating systems. iOS Version 9 for iPhones, iPod Touches, and iPads arrives Wednesday, September 16, 2015.  Version 10.11 of OS X will land about a week later.

Both versions will be promoting a more strict set of cryptographic requirements within their application libraries.

According to this iOS 9.0 technote, by default, applications (“apps”) that use Apple’s underlying communication libraries will now require the following cryptographic characteristics for all new network connections:

  • The server must support at least TLS version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy.
  • Certificates with weak signatures will result in a hard failure and no connection. Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic Curve Cryptography (ECC) key.

Because the new requirements are on by default in the App Transport Security (ATS) library, they will improve the security of network communication for the vast library of applications in the Apple ecosystem. 

Application developers can override these defaults (if they wish) and weaken their application's security posture by pushing out a single XML file to their mobile clients. But hopefully that won’t be necessary.

It is not clear yet whether some of the popular Apple apps such as the Mail client or Safari will have these requirements. It is assumed not since they weren’t mentioned, but the world won’t know for sure until Wednesday.

How does this affect F5 customers?

F5 customers who publish an application in the Apple App Store will need to pay heed. Those who don’t have apps in the Apple store also need to pay heed. Some apps will connect to third party servers (for example, ad server networks) to retrieve content. Any site that might have Apple application traffic is advised to watch for traffic reduction starting on Wednesday.

In order to meet the new Apple ATS requirements, an F5 customer should be running BIG-IP versions 11.5.0+ or 11.6.0+. According to DC user and article ghost writer David Remington, the minimum required version is 11.4.0+, which will suffice but has only the single ATS-compatible cipher.

Supported ATS Cipher

BIG-IP 11.4+

BIG-IP 11.5+

BIG-IP 11.6+

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

X

X

X

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

 

X

X

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 

X

X

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

X

X

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

 

X

X

*ECDSA ciphers are supported by BIG-IP but are not on by default

Regarding Performance

Some ciphers will present measurable CPU spikes during bursts of TLS handshakes. Short TLS sessions coupled with high rate of TLS sessions may commandeer general CPU cycles that were otherwise dedicated to application delivery tasks like layer 7 policy or Bitcoin mining (jk). Some customers who have made similar switches have reported slight increases in CPU load but within their tolerance. Other customers have reported significantly higher CPU loads when preferring forward secrecy ciphers.

0151T000003d6beQAA.jpg

As iOS 9 spreads around the globe, administrators should watch their F5 dashboards for significant increases in CPU usage. They can then check here for more information—F5 might be able to provide guidance on crafting more efficient, yet still ATS-compliant cipher strings.

What about BIG-IP version 10.x?

Customers who are still running the trusty old versions 10.2.x of BIG-IP are advised to upgrade! Jumping from version 10.2.3 to version 11.6.0 is a non-trivial upgrade path so the more preparation, the better. Customers running version 10.x are advised to contact their F5 partner and refer them to this blog entry. 

A Safer Internet

One reason people hate change is because sometimes change hurts. Hopefully this week won't be one of those times. If Apple's new server requirements do not cause too much disruption then ultimately, this change will benefit the Internet community as a whole. 

Useful Links:

Comments
David_Holmes_12
Historic F5 Account
If you need to search your network for servers that might still be running SSLv3, check out this nMap script. https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Mohamed_Lrhazi
Altocumulus
Altocumulus
F5 mining bitcoin on my boxes?
tabernarious_11
Nimbostratus
Nimbostratus
Based on significant experience with a wide array of customers I would highly recommend 11.5.3 over 11.6.0. Version 11.5.3 has long term support, a lot of product development attention (lots of issues being addressed) and is very stable for core functionality. 11.6.0 does have some new features, which may appeal to you, but I would only recommend 11.6.0 if the new features are requirements.
Version history
Last update:
‎15-Sep-2015 10:27
Updated by:
Contributors