|
This article describes how to configure SSL/TLS cipher specifications in IBM Domino 9.0.1 FP5
|
ShowTable of Contents Introduction
Delivering TLS 1.2 functionality as an Interim Fix (IF) once the functionality was ready instead of waiting for the next feature release of IBM Domino prevented us from changing any strings or editing any templates. In particular, the existing SSL configuration settings in Server documents and in Internet site documents were not altered and therefore they can no longer be used to specify what protocol versions and ciphers can be used for SSL/TLS. The protocol version configuration settings have not been used since the Interim Fixes that introduced TLS 1.0 removed SSLv2 support entirely from the product. The cipher configuration settings are no longer being used starting with the Interim Fix that introduces TLS 1.2 support because they offer up a host of weak ciphers but none of the stronger algorithms that use AES-GCM, SHA256, and/or PFS.
Default settings have been chosen such that all that an administrator needs to do to have a server configured to use TLS 1.2 and strong, modern ciphers is to install the most recent version of Domino. Explicit configuration is necessary only for those with requirements to disable SSLv3 or TLS 1.0, disable stronger but slower ciphers, or re-enable weak ciphers.
This article describes how administrators can configure SSL/TLS cipher specifications in Domino 9.0.1 FP5 and FP4 IF2 without using the no-longer-functional settings in the public directory.
Default Cipher ListWhen using TLS 1.2
- ECDHE_RSA_WITH_AES_256_GCM_SHA384 (C030)
- DHE_RSA_WITH_AES_256_GCM_SHA384 (009F)
- ECDHE_RSA_WITH_AES_128_GCM_SHA256 (C02F)
- DHE_RSA_WITH_AES_128_GCM_SHA256 (009E)
- ECDHE_RSA_WITH_AES_256_CBC_SHA384 (C028)
- DHE_RSA_WITH_AES_256_CBC_SHA256 (006B)
- ECDHE_RSA_WITH_AES_256_CBC_SHA (C014)
- DHE_RSA_WITH_AES_256_CBC_SHA (0039)
- ECDHE_RSA_WITH_AES_128_CBC_SHA256 (C027)
- DHE_RSA_WITH_AES_128_CBC_SHA256 (0067)
- ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
- RSA_WITH_AES_256_GCM_SHA384 (009D)
- RSA_WITH_AES_128_GCM_SHA256 (009C)
- RSA_WITH_AES_256_CBC_SHA256 (003D)
- RSA_WITH_AES_256_CBC_SHA (0035)
- RSA_WITH_AES_128_CBC_SHA256 (003C)
- RSA_WITH_AES_128_CBC_SHA (002F)
- RSA_WITH_3DES_EDE_CBC_SHA (000A)
When using TLS 1.0 or SSLv3
- ECDHE_RSA_WITH_AES_256_CBC_SHA (C014)
- DHE_RSA_WITH_AES_256_CBC_SHA (0039)
- ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
- RSA_WITH_AES_256_CBC_SHA (0035)
- RSA_WITH_AES_128_CBC_SHA (002F)
- RSA_WITH_3DES_EDE_CBC_SHA (000A)
Notes
- Starting with 9.0.1 FP3 IF2, Domino will select the mutually supported cipher that it prefers most instead of the cipher preferred by the client. Administrators can revert to the old behavior by setting SSL_USE_CLIENT_CIPHER_ORDER=1 in the server's notes.ini file.
- Starting in 9.0.1 FP4, RC4-SHA is only enabled by default if TLS 1.2 support has been disabled by the administrator, and since this is the last cipher on the ordered list, it will be used only if the alternative is sending the data in the clear.
SSLCipherSpec
Administrators can use the SSLCipherSpec notes.ini variable to configure the ciphers that they desire instead of using the default ciphers. This notes.ini variable will completely override the default cipher list, so to remove one of the default ciphers, add an SSLCipherSpec that includes all of the default ciphers except the one to be removed. The order of cipher values in that notes.ini parameter does not matter. To enter multiple ciphers, enter each four hex digit cipher specification value, including leading zeros. Do not include spaces between values or parentheses. Existing SSLCipherSpec's that only use the two hex digit format will continue to work. For example, to only enable the 256 bit AES-GCM ciphers (not a recommended configuration), use:
SSLCipherSpec=C030009F009D
Complete Ordered Cipher ListTLS 1.2:
- ECDHE_RSA_WITH_AES_256_GCM_SHA384 (C030)
- DHE_RSA_WITH_AES_256_GCM_SHA384 (009F)
- ECDHE_RSA_WITH_AES_128_GCM_SHA256 (C02F)
- DHE_RSA_WITH_AES_128_GCM_SHA256 (009E)
- ECDHE_RSA_WITH_AES_256_CBC_SHA384 (C028)
- DHE_RSA_WITH_AES_256_CBC_SHA256 (006B)
- ECDHE_RSA_WITH_AES_256_CBC_SHA (C014)
- DHE_RSA_WITH_AES_256_CBC_SHA (0039)
- ECDHE_RSA_WITH_AES_128_CBC_SHA256 (C027)
- DHE_RSA_WITH_AES_128_CBC_SHA256 (0067)
- ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
- RSA_WITH_AES_256_GCM_SHA384 (009D)
- RSA_WITH_AES_128_GCM_SHA256 (009C)
- RSA_WITH_AES_256_CBC_SHA256 (003D)
- RSA_WITH_AES_256_CBC_SHA (0035)
- RSA_WITH_AES_128_CBC_SHA256 (003C)
- RSA_WITH_AES_128_CBC_SHA (002F)
- RSA_WITH_3DES_EDE_CBC_SHA (000A)
- RSA_WITH_RC4_128_SHA (0005)
TLS 1.0 / SSLv3
- ECDHE_RSA_WITH_AES_256_CBC_SHA (C014)
- DHE_RSA_WITH_AES_256_CBC_SHA (0039)
- ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
- RSA_WITH_AES_256_CBC_SHA (0035)
- RSA_WITH_AES_128_CBC_SHA (002F)
- RSA_WITH_3DES_EDE_CBC_SHA (000A)
- RSA_WITH_RC4_128_SHA (0005)
Notes:===
- Ciphers that provide Forward Secrecy are prioritized over ciphers that do not per current OWASP recommendations.
- ECDHE ciphers are prioritized over the equivalent DHE ciphers to improve performance
- AES128-GCM ciphers are preferred over the equivalent AES256-CBC ciphers per current OWASP recommendations.
- Weak ciphers are deliberately not shown on the lists above. The USE_WEAK_SSL_CIPHERS=1 notes.ini parameter must be used before any weak ciphers can be configured. We recommend against enabling any weak ciphers.
- We strongly recommend against using RC4 ciphers in order to protect against the "RC4 Bar Mitzvah" attack. Even if RC4-SHA (0005) is enabled, Domino will only negotiate that cipher if all of the higher-priority ciphers are not supported by the connecting client.
- RC4-SHA will be added to the list of weak ciphers in a future release.
Forward Secrecy
The DHE and ECDHE ciphers use Finite Field and Elliptic Curve Ephemeral Diffie-Hellman to provide Perfect Forward Secrecy (PFS), which protect against an attacker capable of passively recording all of the network traffic flowing into a server from later acquiring the server's private key and decrypting all of that recorded traffic. These ciphers significantly increase the security of your SSL/TLS traffic, at the cost of a potentially significant performance impact.
ECDHE Curves
NIST P-256, NIST P-384, and NIST P-521 are supported. The fastest (smallest) mutually supported curve will be chosen by the Domino server as per standard practice. Individual curves can be disabled via SSL_DISABLE_CURVE_P256=1, SSL_DISABLE_CURVE_P384=1, and SSL_DISABLE_CURVE_P521=1. We recommend disabling all ECDHE ciphers if all curves are disabled to improve performance.
DHE Groups
The minimum size for well-known DH groups has been increased to 2048 bits in Domino 9.0.1 FP4 IF2 to better protect against the Logjam attack, except for DHE_RSA_WITH_AES_128_CBC_SHA which will always use a 1024 bit group for compatibility with Java 6. That cipher has been added to the list of weak ciphers.
Custom DH groups are supported starting in 9.0.1 FP4 IF2 via the SSL_DH_PARAMS notes.ini. Setting that ini to a PEM-encoded DH Parameters file will cause Domino to use that custom group instead of a standard group. 1024 bit custom groups are allowed, but we recommend regenerating 1024 bit custom groups on a regular basis.
SSL_DH_PARAMS=c:\dhparams1024.pem
Sample 1024 bit DH params:
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN3Cks7CkjenR9zeF+pPSGgWZfI7hoOD5wDNi+CNttIxcU1nruMFXxD7
zsMHoRpwbohcVsrIz1kk1Avn4v7b7/UMXFq3TD2XYeHkj0I5DPEWal5kR0LH+HrC
fbsGob/ttDcmKlWYcMDMW4Y+a5cQYEN7BWE2fsJBlITgehmh32XzAgEC
-----END DH PARAMETERS-----
You can generate a DHParams file with a simple OpenSSL command, such as "openssl dhparam 1024". Be sure to use openssl dhparam instead of openssl dsaparam; the latter does not perform certain checks needed for DH so could generate a weak group.
Domino 9.0.1 FP4 and earlier
This section describes how administrators can configure SSL/TLS cipher specifications in Domino 9.0.1 FP4 without using the no-longer-functional settings in the public directory.
Default Cipher List for Domino 9.0.1 FP4
When using TLS 1.2:
- RSA_WITH_AES_256_GCM_SHA384
- RSA_WITH_AES_128_GCM_SHA256
- RSA_WITH_AES_256_CBC_SHA256
- RSA_WITH_AES_256_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA256
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_3DES_EDE_CBC_SHA
When using TLS 1.0 or SSLv3:
- RSA_WITH_AES_256_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_3DES_EDE_CBC_SHA
Notes:
- Starting with 9.0.1 FP3 IF2, Domino will select the mutually supported cipher that it prefers most instead of the cipher preferred by the client. Administrators can revert to the old behavior by setting SSL_USE_CLIENT_CIPHER_ORDER=1 in the server's notes.ini file.
- Starting in 9.0.1 FP4, RC4-SHA is only enabled by default if TLS 1.2 support has been disabled by the administrator, and since this is the last cipher on the ordered list, it will be used only if the alternative is sending the data in the clear.
SSLCipherSpec
Administrators can use the SSLCipherSpec notes.ini variable to configure the ciphers that they desire instead of using the default ciphers. This notes.ini variable will completely override the default cipher list, so to remove one of the default ciphers, add an SSLCipherSpec that includes all of the default ciphers except the one to be removed. The order of cipher values in that notes.ini parameter does not matter. To enter multiple ciphers, enter each two hex digit cipher specification value, including leading zeros. Do not include spaces between values or parentheses. For example, to enable the default ciphers for TLS 1.2 plus the PFS ciphers (except for DHE_RSA_WITH_AES_128_CBC_SHA, see below for rationale) use:
SSLCipherSpec=9F9E6B39679D9C3D353C2F0A
Complete Ordered Cipher List for Domino 9.0.1 FP4
TLS 1.2:
- DHE_RSA_WITH_AES_256_GCM_SHA384 (9F)
- DHE_RSA_WITH_AES_128_GCM_SHA256 (9E)
- DHE_RSA_WITH_AES_256_CBC_SHA256 (6B)
- DHE_RSA_WITH_AES_256_CBC_SHA (39)
- DHE_RSA_WITH_AES_128_CBC_SHA256 (67)
- RSA_WITH_AES_256_GCM_SHA384 (9D)
- RSA_WITH_AES_128_GCM_SHA256 (9C)
- RSA_WITH_AES_256_CBC_SHA256 (3D)
- RSA_WITH_AES_256_CBC_SHA (35)
- RSA_WITH_AES_128_CBC_SHA256 (3C)
- RSA_WITH_AES_128_CBC_SHA (2F)
- DHE_RSA_WITH_AES_128_CBC_SHA (33)
- RSA_WITH_3DES_EDE_CBC_SHA (0A)
- RSA_WITH_RC4_128_SHA (05)
TLS 1.0 / SSLv3
- DHE_RSA_WITH_AES_256_CBC_SHA (39)
- RSA_WITH_AES_256_CBC_SHA (35)
- RSA_WITH_AES_128_CBC_SHA (2F)
- DHE_RSA_WITH_AES_128_CBC_SHA (33)
- RSA_WITH_3DES_EDE_CBC_SHA (0A)
- RSA_WITH_RC4_128_SHA (05)
Notes:
- All(*) of the ciphers that provide Forward Secrecy (DHE_...) are prioritized over ciphers that do not per current OWASP recommendations.
- The AES128-GCM ciphers are preferred over the equivalent AES256-CBC ciphers per current OWASP recommendations.
- Weak ciphers are deliberately not shown on the lists above. The USE_WEAK_SSL_CIPHERS=1 notes.ini parameter must be used before any weak ciphers can be configured. We recommend against enabling any weak ciphers.
- RC4-MD5 and DES-CBC-SHA have been added to the list of weak ciphers.
- We strongly recommend against using the RC4 ciphers in order to protect against the "RC4 Bar Mitzvah" attack. Even if RC4-SHA (05) is enabled, Domino will only negotiate that cipher if all of the higher-priority ciphers are not supported by the connecting client.
- RC4-SHA will be added to the list of weak ciphers in a future release.
- (*) Domino 9.0.1 FP4 lowered the priority of DHE_RSA_WITH_AES_128_CBC_SHA (33) to beneath RSA_WITH_AES_128_CBC_SHA (2F) to improve compatibility with Java 6/7 and provide additional protection against the Logjam attack.
Forward Secrecy in Domino 9.0.1 FP4
The DHE ciphers use Ephemeral Diffie-Hellman to provide Perfect Forward Secrecy (PFS), which protect against an attacker capable of passively recording all of the network traffic flowing into a server from later acquiring the server's private key and decrypting all of that recorded traffic. These ciphers significantly increase the security of your SSL/TLS traffic, at the cost of a potentially significant performance impact. We recommend load testing in your environment before configuring those ciphers on production systems.
- By default, these ciphers will use a DH key with a size equivalent to the RSA keysize, so a server running with a 2048 bit SSL certificate would use a 2048 bit DH group.
- We strongly agree with NIST SP 800-131a that asymmetric (RSA and DH) keys below 2048 bits should no longer be used.
- The SSL_DH_KEYSIZE notes.ini can be used to select a different size DH group; valid values for Domino 9.0.1 FP4 are 1024, 2048, 3072, and 4096.
- Running with a high DH key size can break compatibility with some old clients such as Java 6 and Java 7 that only support 1024 bit DH.
- Since the only DHE cipher supported by Java 6 and Java 7 is DHE_RSA_WITH_AES_128_CBC_SHA (33), Domino 9.0.1 FP4 will always use a 1024 bit DH group with that cipher in order to avoid interoperability issues with Java 6 and Java 7.
- Domino 9.0.1 FP4 also lowered the priority of DHE_RSA_WITH_AES_128_CBC_SHA (33) to beneath RSA_WITH_AES_128_CBC_SHA (2F) to provide additional protection against the Logjam attack by avoiding use of weak DH groups where feasible.
- When using Domino 9.0.1 FP3 IF2 one can and should disable DHE_RSA_WITH_AES_128_CBC_SHA (33) which should make those old clients fall back to using RSA_WITH_AES_128_CBC_SHA (2F) instead.
- The DEBUG_SSL_DHE notes.ini parameter can be used to print more detail to the server console to help track down incompatibilities, and many SSL/TLS errors are now being recorded in log.nsf.
- The 2048, 3072, and 4096 bit DH groups in 9.0.1 FP4 are taken from draft-ietf-tls-negotiated-ff-dhe-10. The 1024 bit DH group is taken from RFC 2412, "The OAKLEY Key Determination Protocol" section E.2.
|