IBM has traditionally portrayed itself as a key vendor of secure and reliable software. 

And after all, there must be shown a save way to prevent the fallback to ssl 3! I am missing this for the TLS- solution with the ihs on Domino9.

Here is the very first sign from IBM:

https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerability_in_sslv3_affects_ibm_http_server_cve_2014_3566?lang=en_us

This could be one of the hardest challenges - not only for IBM.

https://www-304.ibm.com/connections/blogs/PSIRT/entry/sslv3_vulnerable_to_cve_2014_3566_poodle_attack?lang=en_us

Marcin - Do you work for IBM?

If I advise all my customers to disable SSLv3 in Domino they will no longer be able to establish a secure HTTP/SMTP/LDAP/IMAP etc session with the server!!!!

They will very soon decide that moving to another product is the right way for them! Please speak to your managers and address this issue directly... They are waiting for an official IBM response that directly answers their concerns regarding Domino, not a woolly general statement that would end with them not able to connect to their servers.

Thanks for the messages, Mr. Kern and Mr. Miszkiel !

We eagerly await more information.

THIS IS NOT AN OFFICIAL IBM STATEMENT

For those who are unwilling / unable to wait for IBM's official statement on this, Domino can be configured with an IBM IHS server to support TLS connections from end users. NOTE: This IHS server module is supported only on Windows.

This  document outlines the methodology: http://www-01.ibm.com/support/docview.wss?uid=swg27039743&aid=1.

This technote outlines setting it up on the same machine:  http://www-01.ibm.com/support/docview.wss?uid=swg21612316.

Remember you will also need to use the "SSLProtocolDisable SSLv3" configuration parameter in the IHS server config to disable SSLv3 or use other parameters to disable affected modes (if that's even possible - POODLE affects padding on  CBC encryption modes, although I cannot state if modes like ECB are immune , and they may also suffer from other catastrphic secruity flaws. Still,  this is potentially an option if your  clients cannot support TLS). I would also recommend taking out SSLv2 - given attacks like BEAST etc.

If setting up this approach you should also cosider making sure your Domino servers are only accessible by the IHS server (i.e. firewall off other connections, if using the same machine, bind domino only to localhost).

Once again - THIS IS NOT AN OFFICIAL IBM STATEMENT AND THIS APPROACH MAY NOT BE SUPPORTED.

Our ISP shut down all our Outbound mail due to lack of support for TLS over SMTP. This is unacceptable for us and I would assume for just about any company. Thus we had to route all our mail directly to the Internet which by-passed all the security features we were paying for from our ISP. They have since patched to let us back in but we were down for about 2 hours yesterday, UNACCEPTABLE!

IBM please pay attention to those of use using Domino for our SMTP gateway. IHS is for HTTP only. A support rep from IBM sent us an email telling us to configure IHS for TLS for our SMTP server. I was shocked at the lack of knowledge about this.

Please do NOT forget many of us need a fix for TLS for SMTP SMTP SMTP SMTP SMTP SMTP SMTP!!!!

I have been working with IBM Support for the past two weeks to enable the IHS server on the Domino server for HTTP. So far, we have success at getting port 80 traffic through IHS to the Domino server, and are still trying to get port 443 traffic from IHS through to the Domino server - we get an error message - The Connection was Interrupted in FireFox

We used the IKeyMan utility to get the SSL certificates into the IHS system - the Domino keyring files are not used in this configuration.

Here are links to some of this, and I will post more as this evolves.

Google will start flagging this in browsers Nov1, and the the others will follow suit shortly

Here are some links for troubleshooting tips.

Open Mic Webcast: Implementing TLS support with IBM Domino 9.x and IBM HTTP Server (IHS) - 19 November 2013 (Q&A, presentation, audio recording)
http://www-01.ibm.com/support/docview.wss?uid=swg27039743

IBM HTTP SSL Server Questions and Answers
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html

Is it possible to run IBM HTTP Server (IHS) on the same computer as a Domino server?
http://www-01.ibm.com/support/docview.wss?uid=swg21612316

Installing the IBM HTTP server module to support TLS
http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/caa25dc9fd95076b85257b19005b3894?OpenDocument&Highlight=0,Installing,the,IBM,HTTP,server,module,to,support,TLS
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

IKeyMan SSL Setup

http://www-01.ibm.com/support/docview.wss?uid=swg21006430
 

Let's hope IBM is using the Traveler team's development mindset when coming up with the fixes, "it just works.... you don't have to screw with it endlessly"

This thread is the #1 hit when you Google "Poodle Domino IBM" so it would be a good place to update some status. Dave K., as always your input is appreciated but do we have an official word from IBM yet (maybe I missed it)? Right or wrong, I have customers that are freaking out.

Thanks!

We require TLS and SHA-2 asap, even on Domino8.5.x !!

As IBM haven't responded yet... Here are the latest updates that I have found:

http://www-01.ibm.com/support/docview.wss?uid=swg21418982

http://www-01.ibm.com/support/docview.wss?uid=swg21687167

FWIW, we installed the reverse proxy IBM HTTP server on our test machine (win 2008 R2) without any problems so far, and removed SSLv3 without issues.  I just thought I'd mention, since others had reported difficulties.

We'd been warned there was a bug where IHS would quit if an admin logged into the server and then logged out, but we have not seen this problem.  The proxy server is 32-bit, but works fine with our 64-bit 9.01FP1 domino server (so far).

We have not done any heavy-duty testing, just "does it work" testing.

Regarding this post made above by Shaun Gibbs (21 Oct 2014 11:25)

As IBM haven't responded yet... Here are the latest updates that I have found:

http://www-01.ibm.com/support/docview.wss?uid=swg21418982

http://www-01.ibm.com/support/docview.wss?uid=swg21687167

I'd like to point out that both links above (i.e. Technotes 1687167 and 1418982) are official IBM statements, please note the following exerpt from Technote 1687167 - How is IBM Domino impacted by the POODLE attack?:

IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack. Implementing TLS 1.0 for Domino will protect against the POODLE attack and will allow browsers to still connect to Domino after they have been changed to address the POODLE attack.

On a related note, and I stress this is NOT a commitment from IBM, but we are being told internally ..."We do not have the specific date when these fixes will be available, however the plan is to have them available for your customers well in advance of 25 Nov 2014." (emphasis provided in original internal blogpost - not my own).

Official tweets on the matter have been made by @IBM_ICSSupport - see https://twitter.com/IBM_ICSsupport/status/524571319803731968 and https://twitter.com/IBM_ICSsupport/status/524571629628575745 which refer to the above links.

Finally, and I'm sorry I have to do this, but...  IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Can we expect additional statements about TLS support for other functions like SMTP and LDAP or is IBM only planning TLS support for HTTP?

"With this Interim Fix, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP."

Thank you for this Information! :-) But what is the SSL-security level if i call an URL with the Microsoft ServerXMLHTTP-Object via LotusScript? As far as i know, the encryption comes from the application which calls this dll. It would be nice if there was a statement from IBM.

Thanks!

Bernd

Here is a workaround for email rejections that worked for one of my clients:

Add to the sending Domino server's notes.ini:

RouterFallbackNonTLS=1

This might not be acceptable long-term, but at least it got the receiving server to quit rejecting messages.

Any updates on when IBM will release this interim fix?

Just discovered this vulnerability on our PCI network scan

"SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)"

:o

Any updates on when IBM will release this interim fix?

Just discovered this vulnerability on our PCI network scan

"SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)"

:o

Hi all,

Like Jeff and Simon, I am waiting for Domino to release TLS 1.0 for SMTP.

We recently stopped receiving emails from a certain company. It was hard to troubleshoot as the company that was unable to send us emails was the local branch of an international company and their email was hosted on a foreign provider. And they did not have local IT staff. After a lot of asking around we managed to get a server log extract with the technical reason for the failure: "TLS handshake failed."

And that is what brought me here...

Now if only IBM had sent us a communiqué to inform us about this vulnerability, maybe we would not have wasted days trying to figure out the problem...and lost important emails in the process...

And that would also have prevented a lot of user frustration.

I get lots of emails from IBM (e.g. Open Mic Webcast, Ask the Experts session). The last one I received was "IBM explores the next wave of technology." on the 27/10/14. I find it disturbing that when there is an issue that might affect mail delivery (which is critical), IBM did not notify us of this.

Also, is Traveler affected?

I found this: http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=8906EA6748C9CFFC85257D7B0032AD66

But what about Android, BlackBerry 10 and Windows phone devices?

Kind regards.

TLS 1.0 is standard since 1999 (RFC 2246).

IBM, you have slept through the last 15 years. It is YOUR FAULT that you didn't implement it earlier. Shame on you!

SSL 3.0 is dead.

Announcing a fix for the "next several weeks" (this can also be half a year) is NOT ENOUGH!

Finally get your ass up! And fix this. IMMEDIATELY!!!!!!!!

Does this 8.5.3 FP6 fix this POODLE vulnerability?!

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

Does this 8.5.3 FP6 fix this POODLE vulnerability?!

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

Hi Kelvin,

I get an Error 500 when I try to open the links you have posted.

I think you should check this out:

http://www-01.ibm.com/support/docview.wss?uid=swg21663874 (Interim Fixes for 8.5.3 Fix Pack 6 IBM Notes, IBM Domino & IBM iNotes)

Kind regards.

Hello,

PayPal has announced, that they will terminate the SSL3.0 at 3.12.2014. So i will repeat my question about the Microsoft ServerXMLHTTP-Object via LotusScript. The direction from PayPal to the Domino system will work with the apache based http-server. But the request from domino to PayPal? Thanks for any information!

Bernd

ServerXMLhttp does not use the domino http stack.  It uses winhttp, which appears to support tls v1.2.  

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384266(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384066(v=vs.85).aspx

see option

WINHTTP_OPTION_SECURE_PROTOCOLS