Apple is dropping new versions of its popular iOS and OS X operating systems. iOS Version 9 for iPhones, iPod Touches, and iPads arrives Wednesday, September 16, 2015.  Version 10.11 of OS X will land about a week later.

Both versions will be promoting a more strict set of cryptographic requirements within their application libraries.

According to this iOS 9.0 technote, by default, applications (“apps”) that use Apple’s underlying communication libraries will now require the following cryptographic characteristics for all new network connections:

  • The server must support at least TLS version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy.
  • Certificates with weak signatures will result in a hard failure and no connection. Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic Curve Cryptography (ECC) key.

Because the new requirements are on by default in the App Transport Security (ATS) library, they will improve the security of network communication for the vast library of applications in the Apple ecosystem. 

Application developers can override these defaults (if they wish) and weaken their application's security posture by pushing out a single XML file to their mobile clients. But hopefully that won’t be necessary.

It is not clear yet whether some of the popular Apple apps such as the Mail client or Safari will have these requirements. It is assumed not since they weren’t mentioned, but the world won’t know for sure until Wednesday.

How does this affect F5 customers?

F5 customers who publish an application in the Apple App Store will need to pay heed. Those who don’t have apps in the Apple store also need to pay heed. Some apps will connect to third party servers (for example, ad server networks) to retrieve content. Any site that might have Apple application traffic is advised to watch for traffic reduction starting on Wednesday.

In order to meet the new Apple ATS requirements, an F5 customer should be running BIG-IP versions 11.5.0+ or 11.6.0+. According to DC user and article ghost writer David Remington, the minimum required version is 11.4.0+, which will suffice but has only the single ATS-compatible cipher.

Supported ATS Cipher

BIG-IP 11.4+

BIG-IP 11.5+

BIG-IP 11.6+

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

X

X

X

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

 

X

X

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

 

X

X

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 

X

X

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

 

X

X

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

 

X

X

*ECDSA ciphers are supported by BIG-IP but are not on by default

Regarding Performance

Some ciphers will present measurable CPU spikes during bursts of TLS handshakes. Short TLS sessions coupled with high rate of TLS sessions may commandeer general CPU cycles that were otherwise dedicated to application delivery tasks like layer 7 policy or Bitcoin mining (jk). Some customers who have made similar switches have reported slight increases in CPU load but within their tolerance. Other customers have reported significantly higher CPU loads when preferring forward secrecy ciphers.

As iOS 9 spreads around the globe, administrators should watch their F5 dashboards for significant increases in CPU usage. They can then check here for more information—F5 might be able to provide guidance on crafting more efficient, yet still ATS-compliant cipher strings.

What about BIG-IP version 10.x?

Customers who are still running the trusty old versions 10.2.x of BIG-IP are advised to upgrade! Jumping from version 10.2.3 to version 11.6.0 is a non-trivial upgrade path so the more preparation, the better. Customers running version 10.x are advised to contact their F5 partner and refer them to this blog entry. 

A Safer Internet

One reason people hate change is because sometimes change hurts. Hopefully this week won't be one of those times. If Apple's new server requirements do not cause too much disruption then ultimately, this change will benefit the Internet community as a whole. 

Useful Links: