Apple iOS 9.0 devices reject any connection to NAM servers; the browser warns that the NAM devices use obsolete cipher suites.

  • 7017486
  • 11-Apr-2016
  • 13-Apr-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

With the default NAM setup, user agents typically negotiate a TLS/SSL connection to the MAG (Access Gateway) or IDP (Identity Server) with TLS_RSA_WITH_AES_128_CBC_SHA: AES-128 in CBC mode with HMAC-SHA1 for the record layer and plain RSA for the key exchange. With this default in place, Chrome on Apple iOS 9.0 devices rejects any connection to our servers and warns that we are using obsolete cipher suites. Chrome flags a connection as obsolete when the key exchange is not ECDHE (RSA key exchange offers no forward secrecy) or the bulk cipher is not an AEAD mode such as AES-GCM; the default suite fails on both counts.

Resolution

The following changes must be made on the Identity Server and on the Access Gateway:

1) Identity Server
Change the ciphers attribute of the HTTPS connector in the IDP server.xml file (/opt/novell/nam/idp/conf/server.xml) to:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256"

and change the protocol attributes of the same connector to:

sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

sslEnabledProtocols is the attribute that limits what the connector will actually negotiate, so this also switches SSLv3 off. Back up server.xml before editing it and restart the Identity Server afterwards for the change to take effect.

Some points to be aware of with this list. The ECDHE AES-GCM suites come first and there are no TLS_RSA_* entries at all, so every offered suite uses an ephemeral (forward-secret) key exchange; clients that can only do plain RSA key exchange will no longer connect. The ECDSA and DSS entries are only usable if the IDP certificate has an ECDSA or DSA key and are otherwise harmless. Entries must be cipher suite names the Java provider recognises (the standard JSSE names for the CBC suites contain _CBC_, for example TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); entries the provider does not recognise are not used. A client that prefers the CBC suites can still end up with one unless the connector enforces the server's order (Tomcat's useServerCipherSuitesOrder="true", a JSSE feature that needs Java 8), although Chrome itself prefers the GCM suites.

With these changes, iOS works and Chrome no longer warns of an obsolete cipher.

2) Access Gateway
Add the following Advanced Options (mod_ssl directives, applied to the gateway's Apache httpd configuration):

# disable weak ciphers
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH:

# Only allow TLS protocol versions 1.0, 1.1 and 1.2 (SSLv2 and SSLv3 off)
SSLProtocol -SSLV3 -SSLV2 +TLSv1.2 +TLSv1.1 +TLSv1

# make the server's cipher preference win over the client's, so that the
# ECDHE (PFS) suites at the head of the list above are chosen whenever
# the client supports them
SSLHonorCipherOrder on

Two caveats on the cipher string. In OpenSSL's cipher-string syntax, !DES removes only single DES; triple DES (DES-CBC3-SHA) is matched by the separate 3DES alias and survives this string, so add !3DES if it should go as well. ALL also keeps the plain RSA key exchange suites, which give no forward secrecy; they stay in as a fallback for old clients, and forward secrecy with modern clients relies on OpenSSL ordering the ECDHE suites ahead of them within ALL, combined with SSLHonorCipherOrder on. Verify the resulting list and its order on the gateway itself with openssl ciphers -v '!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH' before relying on it.
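The following Python is an added example and is not part of this TID or of NetIQ's code. It does three things that follow from the Resolution above: it applies Chrome's obsolete-cryptography rules (TLS 1.2 or later, ECDHE key exchange, AEAD cipher) to the default NAM suite and to each entry of the Identity Server list; it replays a cipher-suite negotiation with and without the server enforcing its own order, which is what SSLHonorCipherOrder / useServerCipherSuitesOrder control; and it expands the Access Gateway SSLCipherSuite string offline against the OpenSSL linked into the local Python, which shows what ALL and !DES really leave in. The client preference lists are constructed for the demo, not captured from real browsers; the Tomcat spelling without _CBC_ is treated as the CBC suite of the same name; and the expansion result depends on the local OpenSSL build, just as it does on the gateway.

```python
"""Added example (not NetIQ's code, not from this TID): Chrome-style
obsolete-cipher classification, a replay of cipher-suite negotiation, and
an offline expansion of the Access Gateway SSLCipherSuite string."""
import re
import ssl

# Identity Server list from the Resolution, in the order given there (Tomcat
# spelling: the CBC suites are written without _CBC_).
IDP_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_SHA256", "TLS_DHE_RSA_WITH_AES_128_SHA",
    "TLS_DHE_DSS_WITH_AES_128_SHA256",
]
NAM_DEFAULT = ["TLS_RSA_WITH_AES_128_CBC_SHA"]  # what a default install negotiates
MAG_CIPHER_STRING = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH:"  # Access Gateway

# Constructed client preference lists for the demo (not captured from browsers).
CHROME_LIKE = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_WITH_AES_128_CBC_SHA"]
CBC_FIRST_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_RSA_WITH_AES_128_CBC_SHA"]

_SUITE = re.compile(r"^TLS_(ECDHE|ECDH|DHE|DH|RSA)_[A-Z0-9_]*?WITH_(.+)$")


def classify(version, suite):
    """Reasons Chrome's security panel would call the connection 'obsolete':
    protocol below TLS 1.2, key exchange other than ECDHE, or a non-AEAD
    cipher. An empty list means modern. Accepts IANA names and the Tomcat
    spelling that omits _CBC_."""
    reasons = []
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", version)
    if not m:
        raise ValueError("unrecognised protocol: " + version)
    if (int(m.group(1)), int(m.group(2) or 0)) < (1, 2):
        reasons.append("protocol " + version)
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return reasons                      # TLS 1.3 suites: ECDHE and AEAD are implicit
    s = _SUITE.match(suite)
    if not s:
        raise ValueError("unrecognised suite: " + suite)
    kex, bulk = s.groups()
    if kex != "ECDHE":
        reasons.append("key exchange " + kex)   # RSA and DHE both count as obsolete
    if "GCM" not in bulk and "CHACHA20_POLY1305" not in bulk:
        reasons.append("cipher " + bulk)        # CBC + HMAC is not AEAD
    return reasons


def negotiate(server_suites, client_suites, honor_server_order=True):
    """First mutually supported suite, taken in the server's order when it
    enforces its preference (SSLHonorCipherOrder on / useServerCipherSuitesOrder),
    otherwise in the client's. Returns the server's spelling, or None."""
    norm = lambda s: s.replace("_CBC_", "_")
    server = {norm(s): s for s in server_suites}
    client = {norm(s) for s in client_suites}
    order = server_suites if honor_server_order else client_suites
    for s in order:
        if norm(s) in server and norm(s) in client:
            return server[norm(s)]
    return None


def expand_openssl_cipher_string(spec):
    """Offline equivalent of `openssl ciphers -v '<spec>'`: expand the string
    with the OpenSSL linked into this Python and return (name, key exchange)
    pairs in OpenSSL's resulting preference order. The output depends on the
    local OpenSSL build, exactly as it does on the gateway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec.rstrip(":"))       # drop the trailing ':' the TID's string carries
    return [(c["name"], c["kea"]) for c in ctx.get_ciphers()]


def non_forward_secret(expanded):
    """Suites left in by ALL that use static RSA key exchange (no PFS)."""
    return [name for name, kea in expanded if kea == "kx-rsa"]


def triple_des(expanded):
    """3DES suites, which !DES does not remove (OpenSSL's alias for them is 3DES)."""
    return [name for name, _ in expanded if "DES-CBC3" in name]


if __name__ == "__main__":
    print("default NAM suite:", NAM_DEFAULT[0], "->", classify("TLSv1.2", NAM_DEFAULT[0]))
    for s in IDP_CIPHERS:
        print("IDP list:", s, "->", classify("TLSv1.2", s) or "modern")
    print("Chrome-like vs default IDP :", negotiate(NAM_DEFAULT, CHROME_LIKE))
    print("Chrome-like vs new IDP list:", negotiate(IDP_CIPHERS, CHROME_LIKE))
    print("CBC-first client, server order:", negotiate(IDP_CIPHERS, CBC_FIRST_CLIENT, True))
    print("CBC-first client, client order:", negotiate(IDP_CIPHERS, CBC_FIRST_CLIENT, False))
    exp = expand_openssl_cipher_string(MAG_CIPHER_STRING)
    print("MAG string -> %d suites; no PFS: %s; 3DES: %s"
          % (len(exp), non_forward_secret(exp), triple_des(exp)))
```

Run it as a script and compare the last line with openssl ciphers -v on the gateway: on any OpenSSL the RC4, NULL, export, DSS and DHE-RSA/DHE-DSS suites are gone, the ECDHE suites lead, and the plain-RSA suites are still present; whether DES-CBC3-SHA appears depends on how that OpenSSL was built. The negotiation replay shows why SSLHonorCipherOrder matters: against the CBC-first client the server's order yields the GCM suite, the client's order yields the CBC suite, and only the former passes classify() without a reason.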