~George Chuluplopjip
Apr 22, 2014, 8:15 PM
4 Posts
No security issue

PPOR92UMM6 is not completely fixed in 9.01 FP1. The release notes will be corrected. The complete fix for PPOR92UMM6 will be addressed in a future fix pack.

To address your question about whether there is a security issue - There is no security vulnerability. This SPR deals with an issue where the Domino server is acting as the SSL client. After the SSL server has sent the server certificate and server key exchange messages, the SSL server can optionally request a certificate from the SSL client, specifying a list of distinguished names of acceptable certificate authorities. In some instances, no DN list of acceptable certificate authorities is specified by the SSL server.

Currently, in this case (where the SSL server is requesting a client certificate from Domino but does not specify the acceptable certificate authorities), the Domino server will respond with a fatal alert and end the SSL handshake. In a future fix, the Domino server will send a non-fatal SSL alert or the cert that it has, depending on the customer's preference.

There is no security vulnerability. The SSL server has already proven its identity to the SSL client (the Domino server). The SSL server did not specify the acceptable certificate authorities when requesting the certificate from the SSL client, and it is up to the SSL server whether to continue with the handshake after Domino's response.
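
Added example, not part of the original post and not Domino's code: a parser for the CertificateRequest handshake body that shows what an empty list of acceptable CA distinguished names looks like on the wire, with the client behaviours described above modelled as a configurable choice. It assumes the SSL 3.0/TLS 1.0/1.1 message layout by default (`tls12=True` skips the extra TLS 1.2 field); the response labels and sample bytes are constructed for illustration.

```python
import struct

# Labels for the behaviours described in the post (names are hypothetical).
FATAL_ALERT, WARNING_ALERT, SEND_CERT = "fatal_alert", "warning_alert", "send_certificate"

def _take(buf, pos, n):
    """Return (n bytes at pos, new pos); reject reads past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated CertificateRequest")
    return buf[pos:pos + n], pos + n

def parse_certificate_request(body, tls12=False):
    """Return (certificate_types, [DER DistinguishedName, ...]) from a handshake body."""
    raw, pos = _take(body, 0, 1)
    types, pos = _take(body, pos, raw[0])
    if tls12:  # TLS 1.2 adds supported_signature_algorithms before the CA list
        raw, pos = _take(body, pos, 2)
        _, pos = _take(body, pos, struct.unpack("!H", raw)[0])
    raw, pos = _take(body, pos, 2)
    ca_block, pos = _take(body, pos, struct.unpack("!H", raw)[0])
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    dns, p = [], 0
    while p < len(ca_block):  # each entry is a 2-byte length plus a DER-encoded DN
        raw, p = _take(ca_block, p, 2)
        dn, p = _take(ca_block, p, struct.unpack("!H", raw)[0])
        dns.append(dn)
    return list(types), dns

def client_response(ca_dns, on_empty_list=FATAL_ALERT):
    """Model the client's choice; a non-empty list goes to normal issuer matching."""
    if ca_dns:
        return "match_issuer_against_list"
    return on_empty_list

# Constructed sample bodies (not captured traffic): one certificate type, rsa_sign (1).
SAMPLE_DN = bytes.fromhex("300d310b300906035504030c024341")  # DER for CN=CA
REQ_EMPTY_LIST = b"\x01\x01" + b"\x00\x00"
REQ_ONE_CA = b"\x01\x01" + struct.pack("!HH", len(SAMPLE_DN) + 2, len(SAMPLE_DN)) + SAMPLE_DN

if __name__ == "__main__":
    for name, body in (("empty list", REQ_EMPTY_LIST), ("one CA", REQ_ONE_CA)):
        _, dns = parse_certificate_request(body)
        print(name, "->", client_response(dns), "| with future option:",
              client_response(dns, on_empty_list=SEND_CERT))
```
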

~Carol Asafreekonyli
May 1, 2014, 6:35 PM
3 Posts
Re: No security issue

Thank you for spending the time to correct my misunderstanding.

~Ned Umlutherettu
Jun 11, 2014, 11:28 PM
113 Posts
this code change impacts more than smtp tls

I've seen success with this new fix with other conditions outside of SMTP. It is relevant essentially anytime Domino is the SSL client:

webservice consumers
Directory Assistance to secure LDAP (636)
etc.