thanks,

That's great that NK can wait for 1 year.

There are a bunch of us who are expected to deliver solutions by November 2014  before the browsers out there stop supporting SHA-1 and SSL 3.0.  

The fix for Domino running on Windows server is to install the IBM HTTP Server (IHS), which is now included with the Domino 9+ install (but is not installed by default).  It is a special version of IHS intended to sit as a proxy in front of the Domino HTTP server and handle SSL/TLS.

I installed it over the weekend on a 9.0.1 IF1 server. It is a lengthy and tedious process, but it is working great now and my site tests secure using the neat Qualys SSL test: https://www.ssllabs.com/ssltest/index.html

I used these various resources:

Three step process from Darren Duke that uniquely shows a way to convert your existing Domino keyring (*.kyr) certificates to the format needed for IHS.  It requires the ability to run one of the key generation programs under Win XP or XP mode on Win 7.  This is what I used:

http://blog.darrenduke.net/darren/ddbz.nsf/dx/ibm-domino-now-includes-ibm-http-server-but-how-do-you-find-it.htm

http://blog.darrenduke.net/darren/ddbz.nsf/dx/exporting-domino-ssl-keyfiles-to-another-format-for-use-with-ihs-.htm

http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/setting-up-ibm-http-server-to-redirect-all-traffic-to-https-when-fronting-domino-i-guess-this-is-part-3.htm

Three step process from Russell Maher that shows the default IBM method of requesting and installing an SSL key in the correct format.  I referenced this a lot, but used the key generation process from Darren Duke above:

http://xpagetips.blogspot.com/2013/05/setting-up-ibm-http-server-with-domino-9.html

http://xpagetips.blogspot.com/2013/05/setting-up-tls-ssl-for-ibm-http-server.html

http://xpagetips.blogspot.com/2013/05/setting-up-tls-ssl-for-ibm-http-server_30.html

Various IBM instructions and sites about setting up IHS, from which the two gentlemen above used as a starting point to customize and give helpful screenshots.  I read all these and compared them to the procedures from the blogs.  More technical and and detailed, but less friendly for actually getting the job done (especially if you want to convert your Domino kyr SSL cert):

http://www-01.ibm.com/support/docview.wss?uid=swg27039743    (read the PDF)

http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/caa25dc9fd95076b85257b19005b3894?OpenDocument&Highlight=0,Installing,the,IBM,HTTP,server,module,to,support,TLS

http://www-01.ibm.com/support/docview.wss?uid=swg21612316

http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/3703294d1a3a2bc785257b19005b3896?OpenDocument

------

The "official" IBM response should be to either a) update the Domino SSL stack to the latest and greatest.  Don't hold your breath, but it is loooong overdue, or b) make the IHS install seamless, transparent, and the default.  It should appear to be a monolithic part of Domino and take over the HTTP functionality fully from here forward.  We should not even know it is actually IHS, and be controllable fully from inside Domino.

While IHS works and I appreciate that we Windows Server customers have a decent fix , it feels like a kludge and takes way too much admin attention and detail to set up, especially if you have multiple site docs.

We require TLS and SHA-2 asap, even on Domino8.5.x !!

Read here for the plans to support TLS in IBM Domino and Lotus Domino releases:

http://www-01.ibm.com/support/docview.wss?uid=swg21687167

It's nice that they're finally adding TLS support, 15 years after TLS became the standard.  But IBM's statements specifically say they're implementing TLS 1.0, so we're going from three versions out of date to two versions out of date.  It's progress, but it's still way behind the times.

If they hadn't waited so long to upgrade from 1996-vintage security (SSL 3.0) to 1999-vintage security (TLS 1.0), POODLE would be much less of an issue because we'd already have had TLS support.  We wouldn't all be scrambling either to use the kludge of putting one Web server behind another (and investing significant time in this very non-seamless migration) or desperately begging for this fix.  Most of us could just disable SSL 3.0 (if we hadn't already done so), possibly restart the HTTP task, and the job is done; only those who still need to support long-obsolete browsers would need to keep SSL 3.0 enabled and wait for support for TLS_FALLBACK_SCSV.

How long will we have to wait for TLS 1.2 (or even 1.1) to be included?  Will we have AES-NI support (assuming it's not already there, and I can't find any documentation that says it is)?  How about PFS?  Elliptic curve?  Pretty much every free browser has had all of these for a while now, as have lots of Web servers including both free and commercial ones.

Bottom line:  while you wait for IBM to issue a fix, don't forget that they allowed this to become a problem for us by leaving Domino's HTTPS support stuck so far behind the times.

IBM is a dinosaur of the last century. So don't expect too much.

IBM are stating support for SHA-2 in Domino 9.0.1 Fix Pack 2 Interim Fix 1

See the link Below:

http://www-01.ibm.com/support/docview.wss?uid=swg21418982

That is without using IHS

Mark