Some Additional TLS 1.0 Information
Daniel Nashed    

TLS 1.0 and the removal of SSL 3.0 from browsers, which triggered the whole discussion, is not just something that needs to be addressed on a Domino server.
IBM has done a lot of work in quite a short time, and now that customers are implementing the fix it shows that other software is affected as well.

Introducing TLS 1.0 for Domino was the first step from IBM to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server.
For now IBM still has SSL 3.0 enabled to allow communication with software that does not yet support TLS 1.0, and the fix protects clients against the downgrade attacks mentioned in the IBM technotes (the TLS_FALLBACK_SCSV signalling value, which lets the server refuse a browser's forced fallback from TLS to SSL 3.0 while still accepting a client that genuinely speaks nothing newer than SSL 3.0).

Notes Client Software

But Domino is not the only server in most customer environments. Many companies completely disable SSL 3.0 and thereby cause issues with other client software.
Notes Clients are affected as well, for example when connecting to other HTTP servers or when using secure IMAP, POP3, LDAP or SMTP.

For example, here in Germany GMX, one of the larger, well-known email providers, disabled SSL 3.0.
In that case you need a fix on the Notes Client side. IBM did not yet ship the full set of clients because they are waiting for some (I think unrelated) Java patches.

But because there is also an enhancement for SHA-256 in the certificate request database, IBM has already shipped the Win32 Standard Client.
The download is a bit more difficult to find on Fix Central, but you should find it using the following link.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Notes&release=9.0.1.2&platform=Windows&function=fixId&fixids=Notes_901FP2IF2_W32_Standard&includeSupersedes=0&source=fc

If you need a client connection for one of the internet protocols and the server only supports TLS 1.0 and higher, you will need to install this IF.

Other Client Software -- Other Issues


Notes/Domino is not the only application having issues with servers that no longer support SSL 3.0, or with servers that changed the way they negotiate the SSL/TLS version.
Domino, for example, has SSL 2.0 including the SSL 2.0 compatible handshake disabled since 9.0.1 FP2 IF1. Other servers might have done the same or something similar.

This leads to interesting interoperability challenges. For example, older OpenSSL versions do not negotiate their SSL level nicely with Domino servers unless TLS 1.0 is specified explicitly, as Andrew Pollack found out.
In the case of wget in combination with an older OpenSSL version, according to IBM the negotiation failed because that OpenSSL version opened with an SSL 2.0 compatible ClientHello (the "V2 handshake"); Domino now rejects that message outright, which stops the negotiation before a TLS version can even be selected.

And there might be other application issues where a server does not work nicely with your Java 1.6 application (which supports TLS 1.0, but maybe not the ciphers the server is expecting, so the handshake fails on cipher selection rather than on the protocol version).
Java 1.7 also supports TLS 1.1 and 1.2 (although they are not enabled by default for client connections in Java 7), but you cannot switch to the later Java version in all cases.

I have tested Java 1.6 in Notes with an unpatched Notes client against a server that does have SSL 3.0 completely disabled and the Java agent worked unmodified.
But there are other parts in Notes that use the native SSL stack. And from what I heard from IBM, some parts of Java also seem to use the native Notes/Domino stack instead of the Java stack.


So when the browser vendors decided to stop supporting SSL 3.0, they did not just challenge the server vendors. Because of the impact on client software, every application using SSL connections might be affected.
When introducing new versions of software that support TLS and might not support SSL 3.0 at all, or that negotiate the session differently, you really have to test all your applications and see which SSL/TLS versions and which cipher suites they support.


The SSL Labs test website (https://www.ssllabs.com/ssltest/) simulates the handshake of various client software (browsers, Java versions, OpenSSL versions) against your server. You should check that your server offers a protocol version and a cipher suite for every type of client that needs to connect.
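To make the negotiation failures discussed above concrete (the rejected SSL 2.0 compatible handshake of old wget/OpenSSL, the TLS 1.0 only Java 1.6 client that offers the wrong ciphers, a server that has SSL 3.0 switched off, and the downgrade protection that still lets a real SSL 3.0 only client in), here is an added Python model in the spirit of the SSL Labs client simulation. It is example code written for this page, not Domino code and not from the original post. The wire layouts follow RFC 5246 (ClientHello) and the SSLv2 compatible ClientHello format, and the fallback rule follows RFC 7507 (TLS_FALLBACK_SCSV); the server policies, the client profiles and the constructed cipher lists are assumptions chosen to mirror the stacks named in the post, not measured behaviour of any product.

```python
"""Model of SSL/TLS version negotiation: TLS-style vs SSLv2-compatible
ClientHello, TLS_FALLBACK_SCSV downgrade protection (RFC 7507) and cipher
overlap.  Added example; the Server class is a model, not Domino's stack."""
import os
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600                       # RFC 7507 signalling suite
RSA_RC4_SHA, RSA_3DES_SHA = 0x0005, 0x000A       # IANA suite ids (RFC 5246 A.5)
RSA_AES128_SHA, RSA_AES256_SHA = 0x002F, 0x0035


def tls_client_hello(max_version, suites, fallback=False):
    """SSLv3/TLS-style ClientHello record (RFC 5246 layout, no extensions)."""
    offered = list(suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!H", max_version) + os.urandom(32) + b"\x00"
    body += struct.pack("!H", 2 * len(offered))
    body += b"".join(struct.pack("!H", s) for s in offered) + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(max_version, TLS10), len(hs)) + hs


def sslv2_client_hello(max_version, suites):
    """SSLv2-compatible ClientHello (the 'V2 handshake' of old OpenSSL):
    2-byte length with the high bit set, 3-byte cipher specs, 16-byte challenge."""
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    challenge = os.urandom(16)
    body = b"\x01" + struct.pack("!HHHH", max_version, len(specs), 0, len(challenge))
    return struct.pack("!H", 0x8000 | len(body + specs + challenge)) + body + specs + challenge


def parse_hello(data):
    """Return (kind, client_max_version, offered_suites) for either hello form."""
    if data[0] & 0x80:                                   # SSLv2 record header
        ver, spec_len = struct.unpack("!HH", data[3:7])
        specs = data[11:11 + spec_len]
        return "v2", ver, [struct.unpack("!H", specs[i + 1:i + 3])[0]
                           for i in range(0, spec_len, 3)]
    if data[0] == 0x16 and data[5] == 0x01:              # Handshake / ClientHello
        ver = struct.unpack("!H", data[9:11])[0]
        p = 44 + data[43]                                # skip random + session id
        cs_len = struct.unpack("!H", data[p:p + 2])[0]
        return "v3", ver, [struct.unpack("!H", data[i:i + 2])[0]
                           for i in range(p + 2, p + 2 + cs_len, 2)]
    raise ValueError("not a ClientHello")


class Server:
    """Server policy: enabled versions, cipher list, and whether the SSLv2
    handshake is still accepted (modelled after Domino dropping it in FP2 IF1)."""

    def __init__(self, versions, suites, accept_v2_handshake=False):
        self.versions, self.suites = set(versions), list(suites)
        self.accept_v2_handshake = accept_v2_handshake

    def negotiate(self, hello):
        kind, client_max, offered = parse_hello(hello)
        if kind == "v2" and not self.accept_v2_handshake:
            return ("alert", "sslv2_handshake_rejected")
        # RFC 7507: SCSV in a hello whose version is below our best means the
        # client is retrying at a lowered version -> refuse the downgrade.
        if TLS_FALLBACK_SCSV in offered and max(self.versions) > client_max:
            return ("alert", "inappropriate_fallback")
        usable = [v for v in self.versions if v <= client_max]
        if not usable:
            return ("alert", "protocol_version")
        for s in offered:                                # client preference order
            if s in self.suites:
                return ("ok", NAMES[max(usable)], s)
        return ("alert", "handshake_failure")


def handshake_report(server, clients):
    """Outcome per modelled client, SSL-Labs-simulation style."""
    return {name: server.negotiate(hello)[1] for name, hello in clients.items()}


# Constructed client profiles (assumptions modelled on the stacks named above).
MODERN = [RSA_AES256_SHA, RSA_AES128_SHA, RSA_3DES_SHA]
CLIENTS = {
    "browser, TLS 1.2":                   tls_client_hello(TLS12, MODERN),
    "browser, forced fallback to SSLv3":  tls_client_hello(SSL3, MODERN, fallback=True),
    "legacy SSLv3-only client":           tls_client_hello(SSL3, MODERN),
    "old wget/OpenSSL, SSLv2 handshake":  sslv2_client_hello(TLS10, MODERN),
    "old wget, explicit TLS 1.0 hello":   tls_client_hello(TLS10, MODERN),
    "Java 1.6, TLS 1.0 with RC4/3DES":    tls_client_hello(TLS10, [RSA_RC4_SHA, RSA_3DES_SHA]),
}
# Assumed policies: SSLv3 still on but SSLv2 handshake off, vs. SSLv3 and 3DES off.
DOMINO_FP2_IF1 = Server({SSL3, TLS10}, MODERN)
SSLV3_DISABLED = Server({TLS10, TLS11, TLS12}, [RSA_AES256_SHA, RSA_AES128_SHA])

if __name__ == "__main__":
    for label, srv in (("Domino 9.0.1 FP2 IF1 model", DOMINO_FP2_IF1),
                       ("server with SSLv3 disabled", SSLV3_DISABLED)):
        print(label)
        for name, outcome in handshake_report(srv, CLIENTS).items():
            print(f"  {name:36} -> {outcome}")
```

Against the FP2 IF1 model the old wget profile fails only because of its SSLv2 handshake; the same client sending a plain TLS 1.0 hello (wget's --secure-protocol=TLSv1 does exactly that) connects, which is the "explicitly specifying TLS 1.0" workaround above. The forced fallback carrying TLS_FALLBACK_SCSV is refused while the genuine SSLv3-only client is still served, and the Java 1.6 profile connects at TLS 1.0 only as long as the server still lists a cipher it offers: once 3DES is gone from the server list, it fails with handshake_failure even though the protocol version matched.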

As I said, this is not just a challenge for Domino but also for other applications -- even if they are totally unrelated -- because many vendors are working on their SSL stack (or administrators disabling SSL 3.0 and below).

Sometimes you have to specify the right SSL/TLS level explicitly (currently TLS 1.0 for Domino) to establish a connection at all, and pinning the minimum version on the client side can even be good from a security point of view, because the client then never falls back to SSL 3.0.

On the other side, you might have to think about updating the software on the client machine itself. For example, older versions of OpenSSL should be updated to solve SSL handshake issues like the SSL 2.0 compatible hello described above.

There are many parts you should test. This post should just give you some more background and a heads-up on what could break now or in the near future, when more and more servers are patched or reconfigured. In many cases the solution is to update your software.


-- Daniel




---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/some-additonal-tls-1.0-information.htm
Nov 06, 2014