IBM Notes and Domino Interim Fixes to support TLS 1.2
Added by ~Keiko Kinibergoden | Edited by ~Keiko Kinibergoden on April 9, 2015 | Version 10
IBM Notes 9.0.1 FP3 IF3 and IBM Domino 9.0.1 FP3 IF2 provide support for Transport Layer Security version 1.2
Tags: SHA-2, SSL, TLS


As a follow-up to the delivery of Transport Layer Security (TLS) 1.0 support in 4Q2014, this page introduces TLS 1.2 support in Notes 9.0.1 FP3 IF3 and Domino 9.0.1 FP3 IF2. See the Interim Fix section below for links to the Interim Fixes. Installing this fix on your 9.0.1 FP3 Domino server and/or Notes client enables TLS 1.2 across all of the following protocols: HTTP, SMTP, LDAP, POP3 and IMAP (inbound and outbound). As with the previous TLS 1.0 interim fix, no additional configuration is required to set up TLS 1.2. With this interim fix, clients and servers previously configured for SSL or for TLS 1.0 will connect with browsers (and other SSL/TLS clients and servers) that request a connection using the newer TLS 1.2 protocol, negotiating the highest version mutually supported. Likewise, for backwards compatibility, this Interim Fix continues to accept SSL V3 connections by default.

To install and configure Notes or Domino 9.0.1 FP3 to use TLS 1.2:
1) Bring down your Notes client or Domino server
2) Apply the appropriate interim fix for your platform
3) Bring up your client or server

To test it, hit the server with a browser running TLS 1.2
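A browser only shows you the version it happened to negotiate. The script below is an added example (not IBM's tool and not part of the original article): it pins a client to one protocol version at a time and reports, per service, whether TLS 1.2 is accepted and whether SSLv3 and TLS 1.0 are still accepted, which is the state you want to confirm after setting DISABLE_SSLV3=1 and SSL_DISABLE_TLS_10. The service-to-port map, the host name argument and the sample results are assumptions; nothing here is captured from a real server.

```python
"""Probe which SSL/TLS versions a Notes/Domino server accepts on each
protocol port. Example code added to this article, not IBM's tool.

The service->port map (Domino's implicit-TLS defaults) and the host name
are assumptions; pass your own host on the command line.
"""
import socket
import ssl
import sys

# Assumed default ports for the five protocols the interim fix covers.
DEFAULT_PORTS = {"HTTPS": 443, "SMTPS": 465, "LDAPS": 636, "POP3S": 995, "IMAPS": 993}

# Versions pinned one at a time. TLS 1.1 is omitted: the fix does not implement it.
PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly `version`.

    True  -> server accepted that version
    False -> server refused it (what you want for SSLv3 / TLS 1.0)
    None  -> could not be tested (port unreachable, or the local OpenSSL
             will not offer that version at all)
    Certificate verification is off on purpose: only the protocol version
    is under test, so this must never be reused as a production client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 refuses pre-1.2 versions at its default security
            # level; relax it for this audit probe only.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # this OpenSSL build cannot even be configured for it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        if "NO_PROTOCOLS_AVAILABLE" in str(exc):
            return None      # local library cannot speak this version
        return False         # handshake rejected by the server
    except OSError:
        return None          # closed port, timeout, name resolution failure


def summarize(results):
    """Turn {(service, version_name): probe result} into a per-service verdict.

    'tls12_only' is the target state after SSL_DISABLE_TLS_10 and
    DISABLE_SSLV3=1; an untestable legacy version is reported as such
    rather than silently counted as refused.
    """
    verdicts = {}
    for svc in sorted({svc for svc, _ in results}):
        modern = results.get((svc, "TLS1.2"))
        legacy = [results.get((svc, v)) for v in PROBE_VERSIONS if v != "TLS1.2"]
        if modern is None:
            verdicts[svc] = "unreachable"
        elif modern is False:
            verdicts[svc] = "tls12_not_negotiated"
        elif any(r is True for r in legacy):
            verdicts[svc] = "legacy_still_accepted"
        elif any(r is None for r in legacy):
            verdicts[svc] = "tls12_ok_legacy_untestable"
        else:
            verdicts[svc] = "tls12_only"
    return verdicts


def probe_host(host, ports=DEFAULT_PORTS):
    """Run every (service, version) probe against one host."""
    return {(svc, name): probe(host, port, ver)
            for svc, port in ports.items()
            for name, ver in PROBE_VERSIONS.items()}


# Constructed sample standing in for a real probe run (not captured data).
SAMPLE_RESULTS = {
    ("HTTPS", "SSLv3"): False, ("HTTPS", "TLS1.0"): False, ("HTTPS", "TLS1.2"): True,
    ("SMTPS", "SSLv3"): False, ("SMTPS", "TLS1.0"): True,  ("SMTPS", "TLS1.2"): True,
    ("LDAPS", "SSLv3"): None,  ("LDAPS", "TLS1.0"): None,  ("LDAPS", "TLS1.2"): True,
    ("POP3S", "SSLv3"): False, ("POP3S", "TLS1.0"): True,  ("POP3S", "TLS1.2"): False,
    ("IMAPS", "SSLv3"): None,  ("IMAPS", "TLS1.0"): None,  ("IMAPS", "TLS1.2"): None,
}

if __name__ == "__main__":
    # python probe_tls.py domino.example.test   (no argument: show the sample)
    results = probe_host(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    for svc, verdict in summarize(results).items():
        print(f"{svc:6} {verdict}")
```

Run it once before and once after applying the interim fix and the two notes.ini settings: every service should move to tls12_only. A verdict of tls12_ok_legacy_untestable means your workstation's OpenSSL would not offer the old version, so it says nothing about the server; repeat that probe from a host with an older library.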

In addition to the features provided in the Notes and Domino TLS 1.0 Interim Fix, this Interim Fix adds support for:
  • Notes / Domino support for TLS 1.2 with the protocols HTTP, SMTP, LDAP, POP3 & IMAP.
  • Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS.
  • Authenticated Encryption with Associated Data (AEAD), including Advanced Encryption Standard (AES) Galois/Counter Mode and SHA-256 cipher specs, for increased security with TLS 1.2.
  • A new notes.ini setting, SSL_DISABLE_TLS_10, to support disabling TLS 1.0 for compliance reasons. Used in conjunction with the existing DISABLE_SSLV3=1, it lets you limit communication to TLS 1.2 only for the protocols HTTP, SMTP, LDAP, POP3 & IMAP.
  • More detailed logging for SSL/TLS connections to help diagnose failed connections, including events such as:
      ◦ TLS 1.2 client handshake request rejected by the server if the server certificate chain signature type is not supported by the client
      ◦ TLS 1.2 Notes / Domino as a TLS client rejects the handshake with a server if no common signature algorithm is available
      ◦ IP information added to HTTP thread logs for TLS handshake connections
  • Implementation of HTTP Strict Transport Security (HSTS). This header informs supported browsers that the site should only be accessed over an SSL-protected connection (HTTPS) and helps to prevent downgrade attacks.
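HSTS only protects users if the header the server sends is one a browser will actually honour. The following is an added example, not code from IBM or from this article: it parses a Strict-Transport-Security header the way RFC 6797 tells browsers to (case-insensitive directives, mandatory numeric max-age, duplicated directives make the header invalid) and grades a response. The minimum max-age and the sample responses are assumptions constructed for the example.

```python
"""Audit a Domino HTTPS response for a usable HTTP Strict Transport
Security header. Example code added to this article (not from IBM); the
directive syntax follows RFC 6797 and the sample responses are constructed.
"""
import re

HSTS_HEADER = "strict-transport-security"
MIN_MAX_AGE = 180 * 24 * 3600  # assumed local policy floor: about six months


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains' into a dict.

    Returns None when a browser would discard the header: missing or
    non-numeric max-age, or a directive that appears twice (RFC 6797
    section 6.1). Directive names are case-insensitive.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
    }


def check_hsts(headers, over_https=True):
    """Classify one response.

    `headers` is a name->value dict as an HTTP client library returns it.
    Returns (status, explanation); 'ok' is the only passing status.
    """
    if not over_https:
        # Browsers ignore HSTS on plain HTTP, so a header there proves nothing.
        return ("ignored", "HSTS is only honoured on an HTTPS response")
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
    if value is None:
        return ("missing", "no Strict-Transport-Security header; downgrade to HTTP still possible")
    parsed = parse_hsts(value)
    if parsed is None:
        return ("invalid", f"browser will discard malformed header: {value!r}")
    if parsed["max_age"] == 0:
        return ("disabled", "max-age=0 tells browsers to forget the policy")
    if parsed["max_age"] < MIN_MAX_AGE:
        return ("weak", f"max-age {parsed['max_age']}s is below the {MIN_MAX_AGE}s floor")
    scope = "host and subdomains" if parsed["include_subdomains"] else "this host only"
    return ("ok", f"HTTPS enforced for {parsed['max_age']}s ({scope})")


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "short":    {"Strict-Transport-Security": "max-age=300"},
    "dup":      {"strict-transport-security": "max-age=300; max-age=600"},
    "none":     {"Server": "Lotus-Domino"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, *check_hsts(hdrs))
```

Feed it the headers from a real HTTPS request to your Domino server (for example the dict returned by your HTTP client after the fix is installed) and treat anything other than ok as a finding; the HTTP-only case is included because a header seen on a plain-HTTP response is silently ignored by browsers and is easy to mistake for coverage.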
The following SPR fixes are also included:
DKEN9RVQGD - kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part
MKIN9QHT5W - Passing a directory to kyrtool will crash the tool
KLYH9UQJQN - Remove RC4-SHA from the default cipher list for TLS 1.2

Please note that:
  1. Java support for TLS 1.2 (including the JVM bundled with Notes and Domino) is available in a separate fix. Please see this Security Bulletin for more information.
  2. TLS support for DIIOP is not available at this time and is tracked as SPR ITDL9U329W.
  3. These Interim Fixes do not implement TLS 1.1 and IBM has no plans to implement this at this time.
  4. Since Interim Fixes do not permit changes to the user interface or to the templates used for configuration (e.g. the Domino server document or the Internet site document where SSL is configured), all SSL configuration options remain in the UI. However, as mentioned above, installing this Interim Fix overrides your existing configuration with support for TLS 1.2.


Interim Fix for TLS 1.2

Domino 9.0.1 FP3 IF2
Platform               Fix Central ID (link)
W32                    DominoServer_901FP3IF2_W32
W64                    DominoServer_901FP3IF2_W64
Linux                  DominoServer_901FP3IF2_Linux
Linux64                DominoServer_901FP3IF2_Linux64
AIX32                  DominoServer_901FP3IF2_AIX32
AIX64                  DominoServer_901FP3IF2_AIX64
IBM i 6.1, 7.1 & 7.2   DominoServer_901FP3IF2_IBMi_6.1_7.1
System z               DominoServer_901FP3IF2_zSeries

Notes 9.0.1 FP3 IF3
Platform               Fix Central ID (link)
W32 - Basic            Notes_901FP3IF3_W32_Basic
W32 - Standard         Notes_901FP3IF3_W32_Standard
MAC - Standard         Notes_901FP3IF3_MAC_Standard
Linux                  Notes_901FP3IF3_Linux_BinaryFiles


Related Links
TLS Cipher Configuration http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
Domino Web Server keyring still using MD5 may cause TLS 1.2 handshake failure http://www.ibm.com/support/docview.wss?uid=swg21701159
IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
How is IBM Domino impacted by the POODLE attack? http://www.ibm.com/support/docview.wss?uid=swg21687167
What are IBM's plans for IBM Domino 9.x support of SHA2? http://www.ibm.com/support/docview.wss?uid=swg21418982
Quick guide to securing a Domino server with SSL using the CA process http://www.ibm.com/support/docview.wss?uid=swg21193730
Domino server-based certification authority http://www.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_dominoserverbasedcertificationauthority_c.dita
How to renew an SSL certificate stamped by a third-party Certification Authority http://www.ibm.com/support/docview.wss?uid=swg21210804
Domino Certification Authority Tutorial http://www.ibm.com/support/docview.wss?rs=463&uid=swg27006424
Generating a SHA-2 Keyring file http://www.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring?open
Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool http://www.lotus.com/ldd/dominowiki.nsf/dx/Self-signed_SHA-2_with_OpenSSL_and_kyrtool?open
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool http://www.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
Installing and Running the Domino keyring tool http://www.lotus.com/ldd/dominowiki.nsf/dx/kyrtool?open
Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730) http://www.ibm.com/support/docview.wss?uid=swg21693142
