Some Additional TLS 1.0 Information
Daniel Nashed    

TLS 1.0 and the removal of SSL 3.0 from browsers, which triggered the whole discussion, is not just something that needs to be addressed on a Domino server.
IBM has done a lot of work in quite a short time, and now that customers are implementing the fix it shows that other software is affected as well.

Introducing TLS 1.0 for Domino was the first step from IBM to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server.
For now IBM still has SSL 3.0 enabled to allow communication with software that does not yet support TLS 1.0, and they are protecting clients from downgrade attacks as described in the IBM technotes.

Notes Client Software

But Domino is not the only server in most customer environments. Many companies completely disable SSL 3.0, which causes issues with other client software.
Notes Clients are affected as well, for example when connecting to other HTTP servers or when using secure IMAP, POP3, LDAP or SMTP.

For example, here in Germany GMX, one of the larger, well-known email providers, disabled SSL 3.0.
In that case you need a fix on the Notes Client side. IBM has not yet shipped the full set of clients because they are waiting for some, I think unrelated, Java patches.

But because there is also an enhancement for SHA-256 in the certificate request database, IBM has already shipped the Win32 Standard Client.
The download is a bit more difficult to find on Fix Central, but you should find it using the following link.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Notes&release=9.0.1.2&platform=Windows&function=fixId&fixids=Notes_901FP2IF2_W32_Standard&includeSupersedes=0&source=fc

If you need a client connection for one of the internet protocols and the server only supports TLS 1.0, you will need to install this IF (interim fix).

Other Client Software -- Other Issues

Notes/Domino is not the only application having issues with servers that no longer support SSL 3.0 or servers that have changed the way they negotiate SSL versions.
Domino, for example, has SSL 2.0 including the SSL 2.0 handshake disabled with 9.0.1 FP2 IF1. Other servers might have done the same or something similar.

This leads to interesting interoperability challenges. For example, older OpenSSL versions do not negotiate their SSL level nicely with Domino servers unless TLS 1.0 is explicitly specified, as Andrew Pollack found out.
In the case of wget in combination with an older OpenSSL version, according to IBM the negotiation failed because that OpenSSL version used a V2 handshake, which was rejected and stopped the negotiation.

And there might be other application issues where a server does not work nicely with your Java 1.6 application (which supports TLS 1.0 but maybe not the ciphers the server is expecting).
Java 1.7 also supports TLS 1.1 and 1.2, but you cannot switch to the later Java version in all cases.

I have tested Java 1.6 in Notes with an unpatched Notes client against a server that has SSL 3.0 completely disabled, and the Java agent worked unmodified.
But there are other parts in Notes that use the native SSL stack. And from what I heard from IBM, some parts in Java also seem to use the native Notes/Domino stack instead of the Java stack.


So when the browser vendors decided to stop supporting SSL 3.0, they did not just challenge the server vendors: because of the impact on client software, all applications using SSL connections might be affected.
When introducing new versions of software that support TLS and might not support SSL 3.0 at all, or that negotiate the session differently, you really have to test all your applications and see which SSL level and which types of ciphers they support.
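The V2 handshake problem above, and the advice to check which SSL level each client offers, come down to what the client sends in its first record. Here is an added example (my own code, not IBM's or Domino's) that classifies a captured client hello as an SSLv2-style hello or a proper SSL 3.0/TLS ClientHello, extracts the highest version and the cipher list, and flags clients that will fail against a server that rejects the V2 handshake and SSL 3.0. The two sample messages are constructed, not captured traffic, and the `will_break` rule is my assumption about such a server's behaviour.

```python
import struct

# Versions as carried in the hello; an SSLv2 record carries the client's highest version.
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_client_hello(data: bytes) -> dict:
    """Return handshake style, highest version offered and cipher list."""
    if len(data) < 11:
        raise ValueError("record too short")
    # SSLv2 record: high bit of byte 0 set, 15-bit length, then msg_type 1
    # (CLIENT-HELLO). Older OpenSSL sent this even when it supported TLS 1.0.
    if data[0] & 0x80 and data[2] == 0x01:
        ver = (data[3], data[4])
        cs_len = struct.unpack("!H", data[5:7])[0]
        cs = data[11:11 + cs_len]           # 3-byte cipher specs follow the 3 lengths
        ciphers = [int.from_bytes(cs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"handshake": "sslv2", "version": VERSION_NAMES.get(ver, str(ver)),
                "ciphers": ciphers}
    # SSL 3.0 / TLS record: type 0x16 (handshake), version, 2-byte length,
    # then a ClientHello (type 1) with a 3-byte length.
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    ver = (body[0], body[1])
    pos = 2 + 32                          # skip client_version and random
    pos += 1 + body[pos]                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    cs = body[pos + 2:pos + 2 + cs_len]
    ciphers = [int.from_bytes(cs[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {"handshake": "tls", "version": VERSION_NAMES.get(ver, str(ver)),
            "ciphers": ciphers}


def will_break(info: dict) -> bool:
    """True for a client that fails against a server rejecting the SSLv2 handshake and SSL 3.0."""
    return info["handshake"] == "sslv2" or info["version"] == "SSL 3.0"


# Constructed samples (not captured traffic): an SSLv2-style hello that
# announces TLS 1.0 with cipher specs 0x000004 and 0x00000A, and a plain
# TLS 1.0 ClientHello offering suites 0x0004 and 0x000A.
SSLV2_HELLO = (bytes([0x80, 0x1F, 0x01, 0x03, 0x01]) + struct.pack("!HHH", 6, 0, 16)
               + bytes.fromhex("000004" "00000a") + b"\x11" * 16)
_tls_body = (b"\x03\x01" + b"\x22" * 32 + b"\x00"
             + struct.pack("!H", 4) + bytes.fromhex("0004" "000a") + b"\x01\x00")
TLS10_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_tls_body) + 4)
               + b"\x01" + len(_tls_body).to_bytes(3, "big") + _tls_body)
```

Feed it the first bytes of each client's connection (for example from a packet capture on the server) to see which clients still rely on the V2 handshake or SSL 3.0 and therefore need a software update before the server is reconfigured.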


The SSL Labs SSL Test website (https://www.ssllabs.com/ssltest/) simulates what happens when you access your server with various client software; you should check whether your server supports a cipher for all of your client access types.

As I said, this is not just a challenge for Domino but also for other applications -- even if they are totally unrelated -- because many vendors are working on their SSL stacks (or administrators are disabling SSL 3.0 and below).

Sometimes you have to specify the right SSL level (currently TLS 1.0 for Domino) to establish a connection, and that can even be good from a security point of view.

On the other side, you might have to think about updating the software on the client machine itself. For example, older versions of OpenSSL should be updated to solve SSL handshake issues.

There are many parts you should test. This post should just give you some more background and a heads-up on what could break now or in the near future when more and more servers are patched or reconfigured. In many cases the solution is to update your software.


-- Daniel




---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/some-additonal-tls-1.0-information.htm
Nov 06, 2014