This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


~Carol Asafreekonyli
Dec 9, 2014, 4:34 AM
3 Posts

POODLE vulnerability in some TLS stacks

  • Category: Security
  • Platform: All Platforms
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 9

Apparently the POODLE vulnerability can be adapted to attack some TLS stacks, up to TLS 1.2 [1].  My servers are running behind a reverse proxy, and are NOT vulnerable, but I was hoping someone who wasn't running a reverse procy could test their Domino with the SSL Labs tester [2].

 

[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

[2] https://www.ssllabs.com/ssltest/index.html

 

~Anita Minasterings
Dec 9, 2014, 1:32 PM
90 Posts
Mine seems fine
I get dinged for SSL 3 and RC4 ciphers but otherwise SSLLabs gives me a B.

This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO =BB
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO =BB
There is no support for secure renegotiation.  MORE INFO =BB
The server does not support Forward Secrecy with the ref= erence browsers.  MORE INFO =BB
This server supports TLS=5FFALLBACK=5FSCSV to prevent pr= otocol downgrade attacks.

Howard
~Fred Asatumiburynds
Dec 10, 2014, 11:00 AM
107 Posts
Re. RC4 ciphers
We chose to leave RC4 ciphers enabled, since otherwise we'd risk locking out too many wanted visitors. Anyway, even with RC4 enabled we are getting B -- with Domino hidden behind nginx as reverse proxy.
~Yentl Zekresachek
Dec 10, 2014, 12:17 AM
32 Posts
IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack
~Evelyn Asageroterader
Dec 10, 2014, 12:25 AM
4 Posts
IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack

Having moved to using IHS with our v9.0.1 FP2 IF1 server that runs Traveler I now find that IHS is vulnerable to the new POODLE / TLS attack - SSL labs gives it a Big FAIL. "This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. MORE INFO »

We needed to disable SSL3 completely to be compliant with our organisations security policy and now I find IHS is vulnerable. Hopefully IBM will release an IHS fix ASAP. 

 

~Justin Deshipipulynds
Dec 10, 2014, 12:32 AM
43 Posts
We are investigating. Should have more to report tomorrow <>
~Sven Brekrotherlen
Dec 11, 2014, 12:26 PM
5 Posts
Look here

in another thread this was reported to work:

 

http://www-01.ibm.com/support/docview.wss?uid=swg21692502

Workarounds and Mitigations

For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable": 

# Enable strict CBC padding 
SSLAttributeSet 471 1

~Yentl Zekresachek
Dec 11, 2014, 10:06 PM
32 Posts
It's a TLS issue not SSL

@Jeff - POODLE II is a TLS vulnerability. In my case have already disabled SSL2 and SSL3 via IHS DOMINO.CONF and SSL Labs reports us as a Fail due to the new TLS vulnerability. 

What we need is a patch for Domino IHS from IBM. 

~Ned Umlutherettu
Dec 12, 2014, 9:55 PM
113 Posts
can you disable tls1.0 and 1.1 at IHS
Can you force TLS1.2 at the IHS proxy?

similar as how you disabled sslv2 and v3 in the .conf file
and also disable tls1.0 and tls1.1

SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv11

This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal