SHA-2 should have been already implemented!

Adding my company to the enhancement request is done.

Hopefully SHA-2 and modern cipher-suites will now be implemented quickly.

Amy, for anyone who believes that using the IBM HTTP server is a viable solution (it's not), please read the article I wrote on the issue. Most importantly, the solution is Windows-only. IBM has many, many customers running Domino on other operating systems.

http://www.mcpressonline.com/commentary/in-the-wheelhouse-ibm-we-have-an-ssl-problem.html

Amy

SHA-2 should have already been implemented a long time ago. IBM is behind and gives competitor ammunition

We need this implemented for Linux and other platform now.  We do not use Windows nor our customers.  The process should be simple and easy for customers and partners to implement.  If Domino is going to be a viable solution for our customers, this clearly needs  to be fixed soon and make sure that the XWork version has this implemented at the same time.  Windows is not a viable options for ISVs like myself.

I tried opening a PMR but the process was too laborious.  

Unfortunately, I am unable to open a PMR.

Please add this feature as an high-priority item on behalf of my company and all my Domino customers.

Thank you.

ABdata, Andy Brunner

The support for SHA-2 in the Domino security core is the most important security feature request.  However, we need a refresh of the security core. There are some more missing security algorithm and features:

Support for TLS 1.2, (Perfect) Forwarded Security and SHA-3?

As you mentioned we do not need a proxy solution (like IHS) or a single solution for one feature (like SHA-2 for S/MIME), we need those features in the native Domino security core for  LDAPS, SMTPS, HTTPS, DIIOPS, POP3S, IMAPS, S/MIME…

btw: Google has anounced to phase out SHA-1 in Chrome

IHS is not an option that many of my customers will accept.

Long overdue - needs to be baked into the product. Many customers asking for it.

I definitely agree that this is fairly crucial if Domino is intended to be a modern product. The HTTP part isn't so important, since reverse proxies are a better setup anyway, but it's vital for those other protocols. Using anything less than the maximum available security options is necessarily insecure, so it makes Domino a poor choice for IMAP/SMTP/LDAP+SSL, protocols where proxying is usually a larger hassle and less advantageous.

I'm a customer but I've no idea how to open a PMR.  We need this feature added please.  One of the whole reasons to use Domino is for SECURITY.

David Leedy

IBM customer. 

Domino needs proper, modern TLS support across all protocols, including SMTP, LDAP, HTTP, POP, IMAP, etc.

What kind of shocks me is that there's any discussion about making this happen. If I had a product in this situition, the only meetings I'd be having is about WHEN the enhancements will be finished. IBM is all about security, except... when it isn't?

and, please... let's not hear anyone at IBM say, 'We've not head that our customers want this."

http://ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument

We will be opening a PMR soon on this issue for our group.  The latest SSL support is a requirement.   I worry there is a problem with Domino because this requirement should not need customers begging for a solution.   

The 2010 R7 APAR summary is "The problem will be fixed in the next release of the product."  Setting up another HTTP server is not a real solution to this problem.  Everytime I see this issue I get spun up again, having dealt with the nonsennse of ikeyman and XP earlier this year.  This is all the proof someone needs that Domino is a dead end at IBM.

Amy, what is the number of customers tied to this enhancement request, and what is the average number of customers tied to a Domino enhancement request?  I'm curious where this particular PMR ranks in the list of recent Domino requests (let's say last 3 years) from customers.

An IBMer posted this in a LinkedIn group.

"The 2009 created SPR has already a weight of 3000+ (never seen such value in 15 years), usually above 200 a SPR gets attention."

I'm wondering how much more feedback is required to get this fix implemented?

It's a shame that IBM hasn't addressed this issue sooner.

It gives the competition some very "cheap" arguments for getting rid of Domino and Domino based solutions due to less secure (incompatible) TLS/HTTPS. Something that could have easily been prevented a long time ago.

So, please add full native SHA-2 support in Domino. Without having to "mess" with a proxy server!

I can't open a PMR on this, so please add me to the list.

Thanks in advance.

/Steve: Thanks.  That's exactly what I was looking for.  I just wanted a barometer for where this fell on the change request list.

I really don't see any valid arguments against this, other than IBM has internally stopped active development on Domino's core functionality.  When customers and partners ask for a security feature for years, it needs addressed.  Even if IBM feels strongly that it isn't needed (which Amy doesn't indicate), you basically say "this is what the people who fund my company want, this is what they will get".  Instead, we got Quickr, Symphony, DB2 for Domino, etc:(

Hi

We need this functionality too. A few month ago we implemented SHA-2 certificates in kyr files in the same way as described by Steve Pitcher, but with a little bad feeling in the stomach knowing that is not officially supported by IBM.

The "new IHS solution" is not an option (as already mentioned above), we need a native implementation. Considering that we are already using SHA-2 certificates in kyr files without any problem and the only real problem seems to be that the "Server Certifcate Admin" (certsrv.nsf) does not support its implementation in a kyr file, I honestly think it should not be a big deal to implement this native SHA-2 enhancement in domino. And please consider also SHA-3!

PMR already opened ;-)

Thanks

Cristian Abate

Should be no discussion :(

SHA-2 is IMPORTANT TO ALL OF US!!!

According to GoDaddy.com, new certificates with expiration dates after January 1, 2017, can only use SHA-2. Code-signing certificates with expiration dates after December 31, 2015, must also use SHA-2. Microsoft is driving all public Certificate Authorities toward adoption of SHA-2 as their default hash function, so whoever you use for SSL certificates will be affected.

I've started looking at this again because Chrome is now going to be dropping support for SHA-1 certificates (see here)

This is going to start throwing up warnings and errors for existing Domino SSL sites starting in a few weeks (Chrome 39), with stronger warnings for later Chrome versions and as people start renewing their certificates.

For those of us running Domino on Linux it looks like we're going to be left behind. There will soon be no supported method for running SSL sites that will work with all browsers.

As above, it's hard to understand why this hasn't been implemented yet. It does look like Domino is effectively being abandoned by IBM, with just basic sticking plaster workarounds for big problems like this.

More and More companies are dropping out support for SHA-1...

Microsoft, Firefox (Link to Bugzilla), Symantic, Digicert....

NIST Special Publication 800-131A (p. 13 for the use of SHA-1)

But no updates from IBM or any other information :-(

Definitely a must for our environment going forward.  We use https with keys from Global SIgn.

Amy please add us to the PMR request.

Murray Croft

Oakmont Limited

IBM, please do take this into account... . Thanks.

I work with multiple customers.  I can't open PMRs for all of them, but will for the ones I can (I love jumping through hoops for something like this that IBM obviously needs to do).  I started submitting this issue at the Connect 2014 conference to the developers.

It is not practical to implement the IBM HTTP server because the Domino Server Certification application can't handle SHA2 certs.

Don't make your customers jump through all these hoops if you can update the Cert Server app and/or add the enhancement to the Domino HTTP server.

It has been quite fast and easy to configure SSL for HTTP on Domino until recently when the major provider of certificates have forces us to the SHA-2 certs.  GoDaddy stopped issuing them over a year ago.  I had to beg them to temporarily issue me an SHA1 cert.  Now that will expire.

The majority of my customers run Domino on the superior OS: Linux

Do it now please and release it in an Interim Fix asap.

I will log another PMR. It's what I'm good at.

The supported cipher suites and key lenghts (and the user interfaces, too ...) of server key rings are behind the competition already for many years.

For the record: on last Lotusphere (Connect 2014) I asked in the "Ask the Developers" session if the key lengths and supported cipher suites (not only of the Domino server as a "client" of a CA but also in the CA included with Domino) could be updated to match current industry standards ... my impression of the reaction of the developers present on stage was that nobody of them had thought about this for years ...

Please give the developers responsible for that product area ENOUGH time to update these parts of the Domino product both correctly and completely!

This is a must have feature and long overdue. Please implement it ASAP.

It's one thing to have an issue, it's another to utterly fail on communicating the status of the issue.

It's nice that we were asked our thoughts on this point, but it would be appropriate to have a response, update, or some such from IBM here.

Thanks!

cpw...

Just to add yet another one to the list I have customers asking why they can't import their renewed certificates as they are being issued only in SHA-2 format unless specifically requested and then only short expiring SHA-1 certificates are being issued.

So before we have to go around an implement unwanted reverse proxy or IHS servers in front of all customer Domino systems so that they continue to use SSL please just support current SSL certificates like has been promised since "fixed in next release" for 7.0.1.  The thing is here we have customers using Domino from 2 users like ourselves, through small businesses with 10-100 users with Domino http stack with SSL in use and then large customers and parts of global corporations with 1000's of users.

Have logged a service request for all the good that will do...

Steve

I just received a reply from my PMR re: current certificates expiring soon, and need support for our iSeries web server.

The reply I received was: 

<quote>

Related to this issue we have an answer from our colleagues from Level 2 that even the future version 10 does not have the support for it yet - and there is an enhancement request even for that version. The enhancement request for SHA-2 is the most needed one in Domino history. The more customers are requesting it, the more chance there is that IBM will put time and money into fixing it. We added your PMR to this very long list. The software problem report number is SPR # ABAI7SASE6 and APAR #LO46492.

</quote>

It sounds like they haven't even committed to supporting SHA-2, let alone putting anyone to work writing any code.

Could you please put me as one of many ones need this function?

I just simply cannot believe it is not supported natively by IBM.

Very disappointed.

Jochen, Nginx sounds like a great HTTP solution but it does not address any of the other Domino services that rely on SSL.

Steve you can use nginx as a smtp and imap/pop3 proxy too. http://wiki.nginx.org/Modules#Mail_modules

Well - now its time fo get this SSL/TLS/SHA-1/SHA-2 web security thing in Domino addressed by IBM with high priority!

New SSL3 Exploit: The POODLE Is Here and Lifting Its Leg

http://www.billmal.com/billmal/billmal.nsf/dx/ssl3.poodle.intro.htm?opendocument

Christoph, thanks for the additional info but it doesn't solve all. I'd appreciate it if we had a supported solution from IBM rather than rolling our own proxy solutions.

Going to nginx reinforces the lack of attention, unacceptable situation and overally sorry state of where Domino HTTPS is right now.

Hi Steve,

you're right and i'm with you. We need a solution from IBM. Not a IHS plugin which only works on Windows, we need security on all protocols and all OS.

Information was only a tipp or workaround and to clarify the complete functionality of nginx.

Regards

Christoph

"At this time, the request to provide full native support for SHA-2 is currently under investigation by the Domino Development team"

Sorry, but this is a joke. SHA-1 is ~20 Years old, SHA-2 already over 10 Years... TLS is also ~15 Years old.

This really is a joke. A bad joke.

I guess in the context of Poodle TLS not SHA-2 is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.
http://www.infoware.com/?p=1592
TLS is NOT SOLVED by this only SHA-2.
Regards
Mats

I guess in the context of Poodle TLS not SHA-2 is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.
http://www.infoware.com/?p=1592
TLS is NOT SOLVED by this only SHA-2.
Regards
Mats

Hi,

Yesterday, we lost one customer as their IT department restricted the use of SSLv3 connections on their network and within a few weeks we will probably loose 60% of our users as FireFox and Chrome plan to withdraw SSLv3 support as well.   IBM, we need TLS 1.x really fast!.  We have several Quickr solutions on Domino 8.1 and Domino 8.5.3.  Installing a front-end web server is not feasable for us!

Thanks

Anton

As if the Domino platform doesn't have enough perception problems, the one thing that people always considered it to be good at was security. It was the first widely deployed product to implement public/private key encryption. The fact that we are now in a situation with the POODLE exploit not to mention the horror of getting SHA1 certificates for our servers is disgraceful. I am embarrassed every time I have to tell a company's security team this. Please get a fix out ASAP and make sure it is back ported to at least 8.5.x

The Aug post above gave links to the SPR on SHA-2. However, it's now more critical as Chrome is planning to make our SSL v3 sites w/SHA-1 display with a security warning. This basically makes it like we run self-certs.

There has been a SPR on SHA-1 needing upgrade to SHA-2 for quite some time:

SPR # ABAI7SASE6 (APAR LO48388) 

Now, Red Hat and the other vendors are advising to dump SSL v3 completely and run TLS 1.2 latest on their httpd service. With IHS being only Windows only, no good option for Linux Domino admins, especially if they run multiple domains w/ multiple SSL certs (IPs), the reverse proxy gets really complicated.

I followed the instructions for making the SHA-2 request using OpenSSL and then converting the keys via new GSKit (ikayman) and then using old ikeyman to convert to kyr (keyring files). It worked to give Domino SHA-2 support, but it still failed SHA-1 test at QualSys because evidently, the Domino server still can talk SHA-1 with a SHA-2 set of keys. If I look at the cert in Firefox the SHA-2 key does still have a SHA-1 hash it presents for both an Apache Server and a Domino server, except the Apache server forces only TSL via Apache certificate limitations, and Domino is still vulnerable because it still accepts the SHA-1. So for me the work-around didn't block SHA-1 which is my regulatory requirement. Only a proxy works, and that is complicated in 2 of my set-ups with multiple domains and multiple SSL IPs on the Domino servers.

Bypassing Domino keyring Cert database link of steps we used: http://mindwatering.com/SupportRef.nsf/webpg/310E670B524BEF3985257D7800824F84

Adapt these instructions using the Apache part, but using the certificate / keyring creation of the link above: http://mindwatering.com/SupportRef.nsf/webpg/A9B5147B1A1B7F2D85257D78006709C1

I guess in the context of Poodle TLS not SHA-2 is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.

http://www.infoware.com/?p=1592
TLS is NOT SOLVED by this only SHA-2.

NO, this does NOT help.

Releasing this fixes will help, but not the announcement.

And "next several weeks" is a very elastic term...

Interim Fixes for TLS 1.0 and SHA-2 seem to have been released today.

Unfortunately, only some are already really downloadable.

The IF for Domino Win32, Win64, AIX and AIX64 are downloadable.

The IF for Domino xLinux, xLinux64, Notes (Client) and the KYRTool cannot be downloaded yet (attempting to do so leads to an error message).

I have not tested anything yet.

TLS seems to work, but STARTTLS in the SMTP server seems to be broken. At least, our Symantec Messaging Gateway can no longer connect to our Domino Servers and use STARTTLS - Dominos SMTP server seems to simply close the connection. I have opened a PMR.