- Server must be configured for HTTPS
- The server certificate must not be expired or invalid
- The server certificate CN or SAN must contain the hostname used by mobile apps, or must be a wildcard for the same domain
- Connections must be negotiated in TLS 1.2
- The server certificate must be trusted by mobile apps, and its CA must either be trusted by the device or installed on it
- The negotiated TLS connection's cipher suite must support forward secrecy and must be one of the following: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- The leaf server certificate must be signed with one of the following types of keys: RSA 2048 bits or ECC/ECDSA 256 bits
- The leaf certificate hashing algorithm must be SHA-256 or greater
I think all of these requirements are absolutely reasonable for 2016/2017, but if you haven't paid attention to your IBM Traveler or SSL certificate during the last year, you have to check the situation to be sure you are up and running after 1 Jan 2017.
These requirements mean, for example, that if you have Domino directly exposed to the internet it must be at least 9.01 FP5, and Android devices older than 4.1 will be unsupported because of TLS 1.2.
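
The checklist above can be applied to what a TLS scan of the server reports. The following is an added example, not code from the original post or from IBM: the `obs` dictionary layout, the function names and the `example.com` hosts are assumptions, and the key sizes are treated as minimums.

```python
from datetime import datetime, timezone

# Limits from the requirement list above (IANA cipher suite names).
# Assumption: the stated key sizes are treated as minimums.
ALLOWED_SUITES = {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}
STRONG_HASHES = {"sha256", "sha384", "sha512"}

def name_matches(pattern, hostname):
    """Exact match, or a wildcard standing in for the left-most label only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(obs, hostname, now):
    """Return the requirements that the observed endpoint fails."""
    cert, failed = obs["cert"], []
    if not cert["not_before"] <= now <= cert["not_after"]:
        failed.append("certificate expired or not yet valid")
    if not any(name_matches(n, hostname) for n in cert["names"]):
        failed.append("CN/SAN does not cover the hostname")
    if not obs["chain_trusted"]:
        failed.append("issuing CA not trusted by the device")
    if obs["protocol"] != "TLSv1.2":
        failed.append("not negotiated in TLS 1.2")
    if obs["cipher_suite"] not in ALLOWED_SUITES:
        failed.append("cipher suite not in the allowed list")
    if cert["key_bits"] < MIN_KEY_BITS.get(cert["key_type"], float("inf")):
        failed.append("leaf key weaker than RSA 2048 / ECDSA 256")
    if cert["sig_hash"].lower() not in STRONG_HASHES:
        failed.append("leaf certificate hash weaker than SHA-256")
    return failed

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed observations (hypothetical host and values, not real scan output).
GOOD = {"protocol": "TLSv1.2", "chain_trusted": True,
        "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "cert": {"names": ["*.example.com"], "key_type": "ECDSA", "key_bits": 256,
                 "sig_hash": "sha256", "not_before": utc(2016, 6, 1),
                 "not_after": utc(2018, 6, 1)}}
LEGACY = {"protocol": "TLSv1", "chain_trusted": True,
          "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
          "cert": {"names": ["mail.example.com"], "key_type": "RSA", "key_bits": 1024,
                   "sig_hash": "sha1", "not_before": utc(2014, 1, 1),
                   "not_after": utc(2016, 12, 1)}}

if __name__ == "__main__":
    for label, obs in (("GOOD", GOOD), ("LEGACY", LEGACY)):
        print(label, audit(obs, "traveler.example.com", utc(2017, 1, 1)))
```

The observation must use IANA suite names; tools that report OpenSSL-style names (for example `ECDHE-ECDSA-AES256-GCM-SHA384`) need to be mapped first.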