As a follow-up to the delivery of Transport Layer Security (TLS) 1.0 support in 4Q2014, this page introduces TLS 1.2 support in Notes 9.0.1 FP3 IF3 and Domino 9.0.1 FP3 IF2. See the Interim Fix section below for links to the Interim Fixes. Installing this fix on your 9.0.1 FP3 Domino server and/or Notes client enables TLS 1.2 across all of the following protocols: HTTP, SMTP, LDAP, POP3 and IMAP (inbound and outbound). As with the previous TLS 1.0 Interim Fix, no additional configuration is required to set up TLS 1.2. With this Interim Fix, clients and servers previously configured for SSL or for TLS 1.0 will connect with browsers (and other SSL/TLS clients and servers) that request a TLS 1.2 connection, negotiating the highest protocol version that both sides support. Likewise, for backwards compatibility, this Interim Fix continues to accept SSL V3 connections by default.
To install and configure Notes or Domino 9.0.1 FP3 to use TLS 1.2:
1) Bring down your Notes client or Domino server
2) Apply the appropriate Interim Fix for your platform
3) Bring up your client or server
To test it, connect to the server with a browser that supports TLS 1.2.
In addition to the features provided in the Notes and Domino TLS 1.0 Interim Fix, this Interim Fix adds support for:
- Notes / Domino Support for TLS 1.2 with protocols: HTTP, SMTP, LDAP, POP3 & IMAP.
- Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS
- Authenticated Encryption with Associated Data (AEAD) including Advanced Encryption Standard (AES) Galois/Counter Mode and SHA-256 cipher specs for increased security with TLS 1.2
- New notes.ini setting SSL_DISABLE_TLS_10 to support disabling TLS 1.0 for compliance reasons. Used in conjunction with the existing DISABLE_SSLV3=1, this allows you to limit communication to TLS 1.2 only for the protocols HTTP, SMTP, LDAP, POP3 & IMAP
- More detailed logging for SSL/TLS connections to help diagnose failed connections, including events such as:
  - TLS 1.2 client handshake request rejected by the server if the server certificate chain signature type is not supported by the client
  - TLS 1.2 Notes / Domino acting as a TLS client rejects the handshake with a server if no common signature algorithm is available
  - IP information added to HTTP thread logs for TLS handshake connections
- Implement HTTP Strict Transport Security (HSTS). This header informs supporting browsers that the site should only be accessed over an SSL-protected connection (HTTPS) and helps to prevent downgrade attacks
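The following script is an added example, not part of the Interim Fix or of IBM's tooling. It derives the protocol versions a Domino server should accept from the DISABLE_SSLV3 and SSL_DISABLE_TLS_10 settings described above, then checks them against handshake results observed when testing the server; the observed results are constructed sample data, and it assumes SSL_DISABLE_TLS_10 takes the value 1 in the same way as DISABLE_SSLV3, which the page does not state.

```python
# Versions the Interim Fix implements; TLS 1.1 is deliberately absent.
ALL_VERSIONS = ("SSLv3", "TLSv1.0", "TLSv1.2")

def enabled_versions(notes_ini: str) -> set:
    """Versions the server should accept under the given notes.ini text.
    Assumption: SSL_DISABLE_TLS_10 takes the same 0/1 form as DISABLE_SSLV3."""
    settings = {}
    for line in notes_ini.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    enabled = set(ALL_VERSIONS)  # default after the fix: all three accepted
    if settings.get("DISABLE_SSLV3") == "1":
        enabled.discard("SSLv3")
    if settings.get("SSL_DISABLE_TLS_10") == "1":
        enabled.discard("TLSv1.0")
    return enabled

def cipher_properties(cipher: str) -> dict:
    """Classify an OpenSSL-style cipher name: PFS if (EC)DHE, AEAD if GCM."""
    return {"pfs": cipher.startswith(("DHE-", "ECDHE-")),
            "aead": "-GCM-" in cipher}

def audit(notes_ini: str, observed: dict) -> list:
    """observed: version -> negotiated cipher name, or None if refused."""
    expected = enabled_versions(notes_ini)
    findings = []
    for version in ALL_VERSIONS:
        cipher = observed.get(version)
        if cipher is not None and version not in expected:
            findings.append(f"{version} accepted but disabled in notes.ini")
        elif cipher is None and version in expected:
            findings.append(f"{version} refused although enabled")
        elif cipher is not None and version == "TLSv1.2":
            props = cipher_properties(cipher)
            if not props["pfs"]:
                findings.append(f"TLSv1.2 cipher {cipher} lacks forward secrecy")
            if not props["aead"]:
                findings.append(f"TLSv1.2 cipher {cipher} is not AEAD")
    return findings

if __name__ == "__main__":
    # Constructed sample: TLS 1.2-only notes.ini, yet a TLS 1.0 probe still succeeded.
    sample_ini = "DISABLE_SSLV3=1\nSSL_DISABLE_TLS_10=1\n"
    sample_observed = {"SSLv3": None, "TLSv1.0": "AES128-SHA",
                       "TLSv1.2": "DHE-RSA-AES128-GCM-SHA256"}
    for finding in audit(sample_ini, sample_observed):
        print(finding)
```

The observed dictionary can be filled from whatever client you test with (for example, a browser or a TLS probing tool run once per protocol version); the script then reports any mismatch with the configured policy.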
The following SPR fixes are also included:
DKEN9RVQGD - kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part
MKIN9QHT5W - Passing a directory to kyrtool will crash the tool
KLYH9UQJQN - Remove RC4-SHA from the default cipher list for TLS 1.2
Please note that:
- Java support for TLS 1.2 (including the JVM bundled with Notes and Domino) is available in a separate fix. Please see this Security Bulletin for more information.
- TLS support for DIIOP is not available at this time and is tracked as SPR ITDL9U329W.
- These Interim Fixes do not implement TLS 1.1 and IBM has no plans to implement this at this time.
- Since Interim Fixes do not permit changes to the user interface or to the templates used for configuration (e.g. the Domino server document or the Internet Site document where SSL is configured), all SSL configuration options remain in the UI. However, as mentioned above, installing this Interim Fix adds TLS 1.2 support on top of your existing SSL configuration without any further changes.
Interim Fix for TLS 1.2
Domino 9.0.1 FP3 IF2
Platform | Fix Central ID (link) |
W32 | |
W64 | |
Linux | |
Linux64 | |
AIX32 | |
AIX64 | |
IBM i 6.1, 7.1 & 7.2 | |
System z | |
Notes 9.0.1 FP3 IF3
Platform | Fix Central ID (link) |
W32 - Basic | |
W32 - Standard | |
MAC - Standard | |
Linux | |
Related Links
TLS Cipher Configuration
http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
Domino Web Server keyring still using MD5 may cause TLS 1.2 handshake failure
http://www.ibm.com/support/docview.wss?uid=swg21701159
IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack
http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
How is IBM Domino impacted by the POODLE attack?
http://www.ibm.com/support/docview.wss?uid=swg21687167
What are IBM's plans for IBM Domino 9.x support of SHA2?
http://www.ibm.com/support/docview.wss?uid=swg21418982
Quick guide to securing a Domino server with SSL using the CA process
http://www.ibm.com/support/docview.wss?uid=swg21193730
Domino server-based certification authority
http://www.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_dominoserverbasedcertificationauthority_c.dita
How to renew an SSL certificate stamped by a third-party Certification Authority
http://www.ibm.com/support/docview.wss?uid=swg21210804
Domino Certification Authority Tutorial
http://www.ibm.com/support/docview.wss?rs=463&uid=swg27006424
Generating a SHA-2 Keyring file
http://www.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring?open
Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool
http://www.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool?open
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool
http://www.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
Installing and Running the Domino keyring tool
http://www.lotus.com/ldd/dominowiki.nsf/dx/kyrtool?open
Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)
http://www.ibm.com/support/docview.wss?uid=swg21693142