I believe this is is saying that  TLS support will be in native Domino shortly - after a fix pack or 2. Can somebody please confirm my understanding.

For those of us mandated to get away from SSL 3.0 ASAP we can get new TLS certifcates and they will work with Domino with no need for proxy (IHS etc..)

This is great news if I am understanding correctly. Timeframe is still very important which is unclear.

TBear

Thank you Scott. Perhaps to clarify my certificate question I will just give the concrete example - as I am sure it will help others understand also.

Current status. Domino 9.01 server with SHA-1 certificate using SSL 3.0

Goal: Domino 9.x server with SHA-2 certificate using TLS

My guess at what to do:

1 - wait for announcemnt form IBM that fx pack is ready

2 - upgrade Domino

3 - TLS 1.0 is now supported

4 - Generate a new CSR for an SHA-2 certificate (using Dominio Server Certificate Admin?)

5 - Use CSR to request new certificate (SHA-2) from certificate authority and implement  

6 - SHA-2 now supported

How close am I?

TBear

Goal: Domino 9.x server with SHA-2 certificate using TLS

My guess at what to do:

1 - wait for announcemnt form IBM that fx pack is ready

2 - upgrade Domino

3 - TLS 1.0 is now supported

Correct. No configuration changes will be necessary to enable TLS 1.0 beyond upgrading Domino.

4 - Generate a new CSR for an SHA-2 certificate (using Dominio Server Certificate Admin?)

We will provide directions on how to use OpenSSL to generate a new keypair and a new CSR.  Other techniques to generate a CSR may work, but will not be explicitly supported with SHA-2.  

You will also be able to use certreq.nsf and the Domino CA process to generate a keyring file with SHA-2 using your own Internet CA.

5 - Use CSR to request new certificate (SHA-2) from certificate authority and implement  

... and then use a new tool to create a new keyring file, import the keypair generated in #4, and import the certificate chain received from your CA.

6 - SHA-2 now supported

Correct.

The only problem is item 1: How long will it take till the fix pack is ready?

IBM says "in the next several weeks". Several weeks can also be half a year.

TLS 1.0 is standard since 1999. IBM, did you sleep the last 15 years? Why wasn't it implemented much earlier?

We need a solution NOW, as SSL 3.0 will be shut down in webbrowsers soon.

And NO, IHS is NOT a solution. It has too many limitations that are unacceptable.

WAKE UP IBM AND FIX THIS!!!!! NOW!!!!!!