IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack
Community article
Added by ~Keiko Kinibergoden | Edited by ~Keiko Kinibergoden on February 7, 2015 | Version 12
Tags: SSL, TLS

This page introduces IBM Domino support for Transport Layer Security (TLS) 1.0. See the Interim Fix section below for links to the Interim Fixes, available on the latest fix pack of maintenance releases back to 8.5.1. Installing this Interim Fix on your Domino server enables TLS 1.0 across the following protocols: HTTP, SMTP, LDAP, POP3 & IMAP. No additional configuration is required to set up TLS. With this Interim Fix, Domino servers previously configured for SSL will connect with browsers (and other SSL/TLS clients) that request a TLS 1.0 connection. This Interim Fix supports TLS_FALLBACK_SCSV to prevent the POODLE downgrade attack: Domino will not permit web browsers that also support TLS_FALLBACK_SCSV to fall back to SSL V3. However, for interoperability with earlier releases of browsers and other web server clients that do not support TLS, this Interim Fix continues to support SSL V3 connections. As of 19-Dec-14, this fix addresses not only the October POODLE attack (CVE-2014-3566) but also the subsequent December POODLE attack (CVE-2014-8730). A complete list of features supported by this Interim Fix includes:

Added support for TLS 1.0:
  • Inbound and outbound connections
  • Over all protocols (HTTP, SMTP, LDAP, POP3 & IMAP)
  • All platforms, including IBM iSeries running System_SSL
  • SSL/TLS session resumption
  • Client certificate authentication
  • TLS protocol support for the TLS_FALLBACK_SCSV Signaling Cipher Suite Value, to protect browser clients that also support TLS_FALLBACK_SCSV against downgrade attacks
  • Will negotiate down from TLS 1.0 to SSLv3 if the other party does not support TLS 1.0. Note that protocol version *negotiation* is a different thing entirely from protocol *fallback*, as described in POODLE.
  • The cipher suite list offered by Domino when making outbound connections has been re-ordered to place the AES ciphers first
  • Serviceability enhancements to make logging more thorough and easier to read and understand
  • Prevents both POODLE attacks: CVE-2014-3566 and CVE-2014-8730

Removed support:
  • SSLv2
  • SSL renegotiation has been disabled
  • All weak (<128 bit) cipher suites have been disabled

Please note that, since Interim Fixes do not permit changes to the user interface or to the templates used for configuration (e.g. the Domino server document or the Internet Site document where SSL is configured), all SSL configuration options remain in the UI. However, as mentioned above, installing this Interim Fix overrides your existing configuration with support for TLS 1.0.
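The negotiation-versus-fallback distinction above is what TLS_FALLBACK_SCSV (RFC 7507) turns into a server-side rule. The following is an added example, not code from the article or from Domino, that models that rule for a server whose highest version is TLS 1.0 but which still serves SSLv3 to clients that cannot do better; the version codes and the 0x5600 suite value are the standard ones, the client scenarios are constructed.

```python
# Added example (not from the IBM article): models the RFC 7507 TLS_FALLBACK_SCSV
# decision a server makes when, like Domino with this Interim Fix, its highest
# version is TLS 1.0 but it still accepts SSLv3 from clients that cannot do better.
SSLV3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303   # TLS record-layer version codes
TLS_FALLBACK_SCSV = 0x5600                    # signaling cipher suite value (RFC 7507)
VERSION_NAMES = {SSLV3: "SSLv3", TLS10: "TLS1.0", TLS12: "TLS1.2"}
SERVER_MAX_VERSION = TLS10                    # what the Interim Fix enables

def handle_client_hello(client_version, cipher_suites, server_max=SERVER_MAX_VERSION):
    """Return ("ok", negotiated_version) or ("alert", "inappropriate_fallback").

    A client that implements TLS_FALLBACK_SCSV includes it only when it is *retrying*
    with a lower version after an earlier handshake failed. If the server could have
    accepted a higher version than the one now offered, the retry is a fallback the
    server did not cause (POODLE relies on forcing exactly this), so it is refused.
    A client that genuinely tops out at SSLv3 never sends the SCSV and still connects.
    """
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    return ("ok", min(client_version, server_max))

def describe(result):
    status, value = result
    return f"alert: {value}" if status == "alert" else f"ok: {VERSION_NAMES[value]}"

# Constructed client behaviours; 0x002F (TLS_RSA_WITH_AES_128_CBC_SHA) is just a filler suite.
SCENARIOS = {
    # First attempt from a TLS 1.2 browser: plain version *negotiation* down to TLS 1.0.
    "tls12_browser_first_try": (TLS12, [0x002F]),
    # Same browser retrying at SSLv3 with the SCSV after its TLS attempt was blocked:
    # the *fallback* POODLE needs, refused because the server could have done TLS 1.0.
    "forced_fallback_to_sslv3": (SSLV3, [0x002F, TLS_FALLBACK_SCSV]),
    # Legacy client that only knows SSLv3 and does not implement the SCSV: still served.
    "legacy_sslv3_only_client": (SSLV3, [0x002F]),
    # Retry at TLS 1.0 with the SCSV (e.g. after a TLS 1.2 attempt failed): allowed,
    # because TLS 1.0 is the best this server supports anyway.
    "retry_at_server_max": (TLS10, [0x002F, TLS_FALLBACK_SCSV]),
}

def run_scenarios():
    return {name: describe(handle_client_hello(v, suites)) for name, (v, suites) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```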


Interim Fix for TLS 1.0

Fixes for this issue are currently available via the technotes linked below for all platforms except System z. This technote will be updated again once the System z fixes are available.

Domino Release | Interim Fix | Download Link
9.0.1 | Fix Pack 2 Interim Fix 3 | http://www.ibm.com/support/docview.wss?uid=swg21657963
9.0 | Interim Fix 7 | http://www.ibm.com/support/docview.wss?uid=swg21653364
8.5.3 | Fix Pack 6 Interim Fix 6 | http://www.ibm.com/support/docview.wss?uid=swg21663874
8.5.2 | Fix Pack 4 Interim Fix 3 | http://www.ibm.com/support/docview.wss?uid=swg21589583
8.5.1 | Fix Pack 5 Interim Fix 3 | http://www.ibm.com/support/docview.wss?uid=swg21595265


To configure TLS 1.0:
1) Bring down your server
2) Install the appropriate Interim Fix
3) Bring up your Domino server

To check that your Domino web server is using TLS, use one of the following techniques:
  • Access the server with a browser running TLS 1.0. Check the browser connection properties to verify that TLS is used.
  • Set DEBUG_SSL_HANDSHAKE=2 in the server's notes.ini. After accessing the Domino web server with a browser using TLS 1.0, search the server console.log for the string 'Protocol Version', which will indicate TLS1.0:

    IBM Domino (r) Server (64 Bit), Release 9.0.1, October 14, 2013
    [14155850:00002-00001] 10/31/2014 17:23:41.07 SSL_Handshake> Protocol Version = TLS1.0 (0x301)
    [14155850:00002-00001] 10/31/2014 17:23:41.07 SSL_Handshake> TLS/SSL Handshake completed successfully
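Because the Interim Fix keeps SSLv3 enabled for legacy clients, the same console.log search is also the way to find out which clients are still not using TLS. The script below is an added example, not part of the article or of Domino: it parses 'Protocol Version' lines in the format shown above, counts negotiated versions and lists the handshakes that stayed on SSLv3. The SSLv3 log line in the sample is constructed on the assumption that Domino reports it as "SSLv3 (0x300)", matching the TLS1.0 line shape.

```python
import re
from collections import Counter

# Line shape taken from the console.log excerpt in the article:
#   [pid:thread] date time SSL_Handshake> Protocol Version = TLS1.0 (0x301)
HANDSHAKE_RE = re.compile(
    r"^\[(?P<pid>[0-9A-Fa-f]+):(?P<thread>[0-9A-Fa-f-]+)\]\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SSL_Handshake> Protocol Version = (?P<name>\S+) \((?P<code>0x[0-9A-Fa-f]+)\)"
)

# Constructed sample: the first two handshake lines are the article's own; the SSLv3
# lines are an assumed rendering of a legacy client's handshake (same layout, 0x300).
SAMPLE_LOG = """\
IBM Domino (r) Server (64 Bit), Release 9.0.1, October 14, 2013
[14155850:00002-00001] 10/31/2014 17:23:41.07 SSL_Handshake> Protocol Version = TLS1.0 (0x301)
[14155850:00002-00001] 10/31/2014 17:23:41.07 SSL_Handshake> TLS/SSL Handshake completed successfully
[14155850:00002-00003] 10/31/2014 17:24:02.55 SSL_Handshake> Protocol Version = SSLv3 (0x300)
[14155850:00002-00003] 10/31/2014 17:24:02.55 SSL_Handshake> TLS/SSL Handshake completed successfully
[14155850:00002-00004] 10/31/2014 17:25:19.12 SSL_Handshake> Protocol Version = TLS1.0 (0x301)
"""

def parse_handshakes(log_text):
    """Yield one dict per 'Protocol Version' line; all other console lines are ignored."""
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"], 16)
            yield rec

def summarize_handshakes(log_text):
    """Count negotiated versions and list handshakes that stayed on SSLv3 (0x300).

    After the Interim Fix, TLS1.0 is the expected value; SSLv3 entries identify
    clients that still cannot speak TLS and would break if SSLv3 were switched off.
    """
    counts = Counter()
    legacy = []
    for rec in parse_handshakes(log_text):
        counts[rec["name"]] += 1
        if rec["code"] == 0x300:
            legacy.append(f'{rec["date"]} {rec["time"]} thread {rec["thread"]}')
    return {"counts": dict(counts), "legacy": legacy}

if __name__ == "__main__":
    print(summarize_handshakes(SAMPLE_LOG))
```

Run it against a real console.log by reading the file's contents into `summarize_handshakes` instead of `SAMPLE_LOG`.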
Related Links
  • How is IBM Domino impacted by the POODLE attack? http://www.ibm.com/support/docview.wss?uid=swg21687167
  • What are IBM's plans for IBM Domino 9.x support of SHA2? http://www.ibm.com/support/docview.wss?uid=swg21418982
  • Quick guide to securing a Domino server with SSL using the CA process http://www.ibm.com/support/docview.wss?uid=swg21193730
  • Domino server-based certification authority http://www.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_dominoserverbasedcertificationauthority_c.dita
  • How to renew an SSL certificate stamped by a third-party Certification Authority http://www.ibm.com/support/docview.wss?uid=swg21210804
  • Domino Certification Authority Tutorial http://www.ibm.com/support/docview.wss?rs=463&uid=swg27006424
  • Generating a SHA-2 Keyring file http://www.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring?open
  • Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool http://www.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool?open
  • Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool http://www.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
  • Installing and Running the Domino keyring tool http://www.lotus.com/ldd/dominowiki.nsf/dx/kyrtool?open
  • Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730) http://www.ibm.com/support/docview.wss?uid=swg21693142
