Some Additional TLS 1.0 Information
Daniel Nashed    

TLS 1.0 and the removal of SSL 3.0 from browsers, which triggered the whole discussion, is not just something that needs to be addressed on a Domino server.
IBM has done a lot of work in quite a short time, and now that customers are implementing the fix it shows that other software is also affected.

Introducing TLS 1.0 for Domino was IBM's first step to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server.
For now IBM still has SSL 3.0 enabled to allow communication with software that does not yet support TLS 1.0, while protecting clients from the downgrade attacks mentioned in the IBM technotes.

Notes Client Software

But Domino is not the only server in most customer environments. Many companies completely disable SSL 3.0, which causes issues with other client software.
Notes clients are also affected, for example when connecting to other HTTP servers or using secure IMAP, POP3, LDAP or SMTP.

For example, here in Germany GMX, one of the larger, well-known email providers, disabled SSL 3.0.
In that case you need a fix on the Notes client side. IBM has not yet shipped the full set of clients because they are waiting for some, I think unrelated, Java patches.

But because there is also an enhancement for SHA-256 in the certificate request database, IBM has already shipped the Win32 Standard client.
The download is a bit harder to find on Fix Central, but you should find it using the following link.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Notes&release=9.0.1.2&platform=Windows&function=fixId&fixids=Notes_901FP2IF2_W32_Standard&includeSupersedes=0&source=fc

If you need a client connection for one of the internet protocols and the server only supports TLS 1.0, you will need to install this IF (interim fix).

Other Client Software -- Other Issues


Notes/Domino is not the only application having issues with servers that no longer support SSL 3.0 or that have changed the way they negotiate SSL versions.
Domino, for example, has SSL 2.0, including the SSL 2.0 handshake, disabled as of 9.0.1 FP2 IF1. Other servers might have done the same or something similar.

This leads to interesting interoperability challenges. For example, older OpenSSL versions do not negotiate their SSL level nicely with Domino servers unless TLS 1.0 is specified explicitly, as Andrew Pollack found out.
In the case of wget combined with an older OpenSSL version, according to IBM the negotiation failed because that OpenSSL version started with a V2 (SSL 2.0-style) handshake, which failed and stopped the negotiation.
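The handshake-format problem described above can be seen directly in the bytes a client sends. The following script is an added example, not code from this post, from IBM or from Domino: it parses two constructed ClientHellos (an SSLv2-format hello of the kind old OpenSSL/wget sent, and a record-layer hello offering TLS 1.0) and models a server that has the SSL 2.0 handshake disabled to show which of the two it would accept. The sample hellos and the simplified server model are my assumptions for illustration.

```python
import struct

# Two constructed ClientHellos (built for this example, not captures from the post).
# V2_HELLO is the SSLv2-format "compatible" hello that old OpenSSL/wget sends, offering SSL 3.0.
V2_HELLO = bytes.fromhex(
    "8025"      # SSLv2 header: high bit set, 15-bit length = 37
    "01"        # CLIENT-HELLO
    "0300"      # highest version offered: SSL 3.0
    "000c" "0000" "0010"                # cipher-spec len 12, session-id len 0, challenge len 16
    "00000400000500000a00002f"          # four 3-byte v2-encoded cipher specs
    "00112233445566778899aabbccddeeff"  # 16-byte challenge
)
# TLS10_HELLO is a record-layer (SSL 3.0/TLS style) hello offering TLS 1.0 with three suites.
TLS10_HELLO = bytes.fromhex(
    "1603010031"  # record: handshake (22), version 3.1, length 49
    "0100002d"    # ClientHello, body length 45
    "0301"        # client_version TLS 1.0
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"  # 32-byte random
    "00"          # session-id length 0
    "0006" "002f0035000a"  # three 2-byte cipher suites
    "0100"        # one compression method: null
)

def parse_client_hello(data):
    """Return format ('sslv2' or 'record'), offered version and cipher list of a ClientHello."""
    if len(data) > 2 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]   # SSLv2 2-byte header, 15-bit length
        body = data[2:2 + length]
        cs_len = struct.unpack("!H", body[3:5])[0]
        specs = body[9:9 + cs_len]                   # specs follow the three length fields
        return {"format": "sslv2", "version": (body[1], body[2]),
                "suites": [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]}
    if len(data) > 5 and data[0] == 0x16 and data[5] == 0x01:
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]   # handshake message in the record
        version = (hs[4], hs[5])
        pos = 6 + 32                                 # skip client_version and random
        pos += 1 + hs[pos]                           # skip session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        return {"format": "record", "version": version,
                "suites": [hs[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]}
    raise ValueError("not a ClientHello")

def server_accepts(hello, min_version=(3, 1), allow_v2_handshake=False):
    """Simplified server model (assumption): reject the SSL 2.0 handshake, as the post says
    Domino 9.0.1 FP2 IF1 does, and require at least min_version; (3, 1) means TLS 1.0."""
    if hello["format"] == "sslv2" and not allow_v2_handshake:
        return False
    return hello["version"] >= min_version
```

With the defaults, the SSLv2-format hello is rejected before any version is even compared, which is the failure mode the wget/OpenSSL case above describes; re-run with `allow_v2_handshake=True, min_version=(3, 0)` to see how a server that still accepts the old handshake and SSL 3.0 would behave.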

And there might be other application issues where a server does not work nicely with your Java 1.6 application (which supports TLS 1.0, but maybe not the ciphers the server expects).
Java 1.7 also supports TLS 1.1 and 1.2, but you cannot switch to the later Java version in all cases.

I have tested Java 1.6 in Notes with an unpatched Notes client against a server that has SSL 3.0 completely disabled, and the Java agent worked unmodified.
But there are other parts of Notes that use the native SSL stack, and from what I heard from IBM, some parts of Java also seem to use the native Notes/Domino stack instead of the Java stack.


So when the browser vendors decided to stop supporting SSL 3.0, they did not just challenge the server vendors: because of the impact on client software, all applications using SSL connections might be affected.
When introducing new software versions that support TLS and might not support SSL 3.0 at all, or that negotiate the session differently, you really have to test all your applications to see which SSL level and which types of ciphers they support.


The SSL Labs test website (https://www.ssllabs.com/ssltest/) simulates what happens when you access your server with various client software, and you should check whether your server supports a cipher for all of your client access types.

As I said, this is not just a challenge for Domino but also for other applications -- even totally unrelated ones -- because many vendors are working on their SSL stacks (or administrators are disabling SSL 3.0 and below).

Sometimes you have to specify the right SSL level explicitly (currently TLS 1.0 for Domino) to establish a connection, and that can even be good from a security point of view.

On the other side, you might have to think about updating the software on the client machine itself. For example, older versions of OpenSSL should be updated to solve SSL handshake issues.

There are many parts you should test. This post should just give you some more background and a heads-up about what could break now or in the near future, as more and more servers are patched or reconfigured. In many cases the solution is to update your software.


-- Daniel




---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/some-additonal-tls-1.0-information.htm
Nov 06, 2014