RSA announces an update to the qualification of the RSA SecurID Software Token 2.2.2 and SDK 2.2 for iOS on Apple iOS 10. This may affect customers who are provisioning software tokens using dynamic seed provisioning (CT-KIP).
Starting with iOS 10, Apple has made security changes to SSL communication between devices that run iOS 10 and end-point services. Apple has stated the following:
"The RC4 symmetric cipher suite is now disabled by default for all SSL/TLS connections, and SSLv3 is no longer supported in the Secure Transports API. It’s recommended that you stop using the SHA-1 and 3DES cryptographic algorithms as soon as possible."
This change may affect customers who are using CT-KIP to provision software tokens with the RSA SecurID Software Token for iOS.
Note the following:
- RSA Authentication Manager 7.1 does not support this change from Apple and you must upgrade to the latest version of Authentication Manager.
- For RSA Authentication Manager 8.1, please ensure you are on Service Pack 1 Patch 3 or later.
- For RSA Authentication Manager 8.2, no changes are required.
- Your entire Authentication Manager CT-KIP provisioning infrastructure must meet this requirement as well. Non-compliant network appliances, such as firewalls and load balancers, might prevent CT-KIP provisioning requests from reaching the RSA Authentication Manager CT-KIP server. Please contact your appliance vendor for further assistance in ensuring that your appliances meet the Apple requirement.
For more information on the Apple iOS 10 security change, go to https://developer.apple.com/library/content/releasenotes/General/WhatsNewIniOS/Articles/iOS10.html and see the "Security and Privacy Enhancements" section. You may also use free online SSL server tests such as https://www.ssllabs.com/ssltest/index.html to test your end-point server and see where it stands as compared to the requirements set by Apple.
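For a local version of the end-point test suggested above, the following is an added example, not RSA or Apple code. It handshakes with a client that does not offer SSLv3 and grades the negotiated suite against Apple's statement. The host, port and optional CA file are supplied by you, and the check looks only at the protocol and suite name (OpenSSL naming assumed), not at certificate signatures.

```python
import socket
import ssl
import sys


def assess(protocol, cipher):
    """Compare a negotiated protocol and cipher suite name with Apple's statement."""
    findings = []
    name = cipher.upper()
    if protocol in ("SSLv2", "SSLv3"):
        findings.append("FAIL: " + protocol + " is no longer supported")
    if "RC4" in name:
        findings.append("FAIL: RC4 is disabled by default")
    if "3DES" in name or "DES-CBC3" in name:
        findings.append("WARN: 3DES should be retired")
    if name.endswith(("SHA", "SHA1")):  # SHA-1 MAC; SHA256/SHA384 do not match
        findings.append("WARN: SHA-1 should be retired")
    return findings


def probe(host, port, cafile=None, timeout=10):
    """Handshake as a client that, like iOS 10, does not offer SSLv3."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample results (OpenSSL suite names), not captured from a real server.
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1", "DES-CBC3-SHA"),
    ("SSLv3", "AES128-SHA"),
]

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py HOST PORT [CAFILE]
        try:
            results = [probe(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4])]
        except (ssl.SSLError, OSError) as exc:
            sys.exit("handshake failed; check the server and each appliance in the path: %s" % exc)
    else:
        results = SAMPLES
    for protocol, cipher in results:
        print(protocol, cipher, assess(protocol, cipher) or ["OK"])
```

Run it against the address that devices actually use, so that any firewall or load balancer in front of the CT-KIP server is included in the handshake.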