264 Lotus blogs updated hourly.
 

Darren Duke
Blog Title: Darren Duke Blog Zone
Blog Description: Occasionally useful stuff around technology, VMware, Domino, Symantec, accents and the pursuit of happiness.
Blog URL: http://blog.darrenduke.net
RSS Feed: http://blog.darrenduke.net/Darren/DDBZ.nsf/feed.rss
Feed Last Checked: May 20, 2015 2:23:12 PM EST
Location: Atlanta, GA, USA


Recent Blog Posts
263
Good news - Domino (at least 9.0.1) does not seem to be affected by the LogJam TLS vuln
Wed, May 20th 2015 2:23p   Darren Duke
Another week, another SSL/TLS security vulnerability. This one is termed Logjam (read about it here http://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug). Luckily a site has already been created to test your web servers, it is available at https://weakdh.org/sysadmin.html. A quick test of a Domino 9.0.1 server with the latest IF and the perfect forward secrecy server-side notes.ini settings enabled (see this previous blog post for those settings) y
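The weakdh.org test the post points to can be reproduced locally. The following is an added example, not code from Darren's post: it forces a DHE cipher suite with openssl s_client so the server has to reveal its Diffie-Hellman group, reads the group size from the "Server Temp Key:" line (OpenSSL 1.0.2 and later print it), and grades it the way the weakdh.org sysadmin guidance does (export-grade below 1024 bits, 1024 bits weak, 2048 bits or more acceptable). The host name and the thresholds are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): grade a TLS server's ephemeral
# DH group size from the "Server Temp Key:" line that openssl s_client prints.
# Assumes an OpenSSL client build (1.0.2+) that reports that line.

# classify_dh BITS: print a verdict; return 0 for an acceptable group, 1 otherwise.
# Thresholds are an assumption that follows the weakdh.org recommendations.
classify_dh() {
    bits=$1
    if [ "$bits" -lt 1024 ]; then
        echo "export-grade DH group (${bits} bits): Logjam downgrade is practical"
        return 1
    elif [ "$bits" -lt 2048 ]; then
        echo "weak DH group (${bits} bits): within reach of a well-funded attacker"
        return 1
    else
        echo "DH group is ${bits} bits: acceptable"
        return 0
    fi
}

# dh_bits_from_output: read s_client output on stdin and print the DH group
# size; print 0 when no DHE suite was negotiated (ECDH lines do not match).
dh_bits_from_output() {
    awk '/Server Temp Key: DH,/ { print $5; found = 1 }
         END { if (!found) print 0 }'
}

# check_logjam HOST [PORT]: live check, needs network access. The -cipher EDH
# restriction forces a DHE suite; a server that refuses DHE entirely cannot be
# downgraded by Logjam, so that case is reported as nothing to check.
check_logjam() {
    host=$1
    port=${2:-443}
    out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" \
                                  -cipher 'EDH' 2>/dev/null)
    bits=$(printf '%s\n' "$out" | dh_bits_from_output)
    if [ "$bits" -eq 0 ]; then
        echo "$host:$port negotiates no DHE suite with this client: no DH group to grade"
        return 0
    fi
    classify_dh "$bits"
}

# usage: sh logjam-check.sh domino.example.com 443   (host name is an assumption)
if [ $# -gt 0 ]; then
    check_logjam "$@"
fi
```

Note that this only grades the group the server picks for a normal DHE handshake; the Logjam downgrade itself depends on the server also accepting DHE_EXPORT suites, which current OpenSSL clients can no longer offer, so a full picture still needs a scanner such as the weakdh.org page or SSL Labs.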
26
MWLUG rolls into the ATL - August 19-21 2015
Thu, May 7th 2015 11:26a   Darren Duke
I swear I voted for somewhere other than Atlanta.....no, really I did. Anyway, even though it is technically called the Midwest User Group anyone can (and should) attend. So if you are in the Southeast you have no rational reason to not attend. If you use any of the IBM collaboration technologies this is a conference you should have on your schedule. "But Darren, I can't get $1,500 approved to attend a conference". That's fine. It's only $50. Yes Fifty. I didn't miss off a zero. So now
20
Do you subscribe to the IBM daily product update newsletter? Part deux - or why renaming your products sucks
Fri, Apr 10th 2015 11:00a   Darren Duke
A few years ago I wrote about how to subscribe to the daily IBM product update newsletter. A few days ago someone asked me if I still used this service. I thought I did, but on recollection I hadn't gotten an email from them in ages (or "yonks" for a more technical definition). At first I thought it was getting stuck in spam.....nope. Hummm. OK Let me log in and see.... I had no subscriptions listed. None. Nada. Zilch. WTF? So I started adding in my subscriptions again and realized that
24
TLS 1.2 in Domino and the settings I use
Mon, Apr 6th 2015 8:20a   Darren Duke
Unless you have been living under a rock somewhere you no doubt know that IBM finally gave us TLS 1.2 for IBM Domino servers. This means that Domino servers can now use SSLv3, TLS 1.0 and TLS 1.2. But it's IT, so just because you can does not mean you should......for example I would suggest most servers (I'll get to the outliers further down the page) would probably want SSLv3 disabled. If you have been under a rock, then you need Domino 9.0.1 FP3 IF2 to get this new goodness. Now this fix is
24
Domino and SSL ciphers. The server document may not be doing what we expect it to do
Tue, Feb 3rd 2015 8:52a   Darren Duke
While sat in Daniel Nashed and David Kern's excellent Domino Security session at Connect, there was a comment and slide that made me tweet this: Domino SSL ciphers set in the Domino Server document are ONLY applicable to HTTP. Not SMTP, LDAP, et al.... Doh. You can set with notes.ini — Darren Duke (@darrenduke) January 27, 2015 Now I'm back in the office it's time to address this. So based on that session it seems as if LDAP, SMTP, DIIOP, POP3 and IMAP (and Remote debug monit
10
ConnectED-sphere sudo review
Mon, Feb 2nd 2015 2:43p   Darren Duke
I was fully expecting to write a "what a train wreck" review before I went. I was not expecting to say I had a metric shit ton of fun. But I did. And based on other posts I've perused it seems almost everyone else did. There are far more eloquent reviews elsewhere, so this will be bare bones. First the "ups", in no particular order: Much, much improved OGS. Flow, demos, people who care.....And a quintet, who doesn't like quintets? It doesn't seem to matter how many people don't turn
17
New-ish Domino Configuration Tuner (DCT) rules are available
Mon, Feb 2nd 2015 9:16a   Darren Duke
Somehow I missed this, so I'm guessing some of you did too....New rules dated 10/16/2014. Thank you IBM. Woohoo! Indeed!!
11
If you are using my Reverse Proxy, please change the SSH host key
Wed, Jan 14th 2015 7:10a   Darren Duke
Well, technically this is for any Linux VM appliance you download, not just my reverse proxy.... Anyway, every Linux host should have its own unique SSH host key to ensure security and authenticity of the server you are connecting to. When you create a server from an OVF that doesn't happen automatically. In fact you get the SSH host key that is on the OVA at time of creation (in this case mine).....potentially opening you up to man in the middle attacks (potentially.....although unlikely
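A generic way to do what the post asks for on any cloned Linux appliance, as an added example that is neither the reverse proxy's own script nor part of the post: the function removes the host key pairs inherited from the OVA, generates fresh ed25519 and RSA keys with OpenSSH's ssh-keygen, fixes the permissions sshd expects, and prints the new fingerprints so users can verify them out of band. The key directory parameter defaults to /etc/ssh and exists only so the function can be exercised against a scratch directory; the key types and RSA size are assumptions.

```shell
#!/bin/sh
# Added example (not the appliance's own script): give a cloned Linux VM its
# own SSH host keys. Assumes OpenSSH's ssh-keygen is installed. KEYDIR defaults
# to /etc/ssh; passing a scratch directory lets the function be tested as a
# non-root user.

# regen_host_keys [KEYDIR]: delete inherited host keys, generate fresh ones,
# print the new fingerprints. Must run as root when KEYDIR is /etc/ssh.
regen_host_keys() {
    keydir=${1:-/etc/ssh}
    [ -d "$keydir" ] || { echo "no such directory: $keydir" >&2; return 1; }

    # Remove every inherited host key pair, private and public, so that no
    # key shared with the OVA author (or other downloaders) survives.
    rm -f "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub

    # -N '' sets an empty passphrase, which sshd requires for host keys;
    # </dev/null stops ssh-keygen from ever prompting.
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/ssh_host_ed25519_key" </dev/null
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$keydir/ssh_host_rsa_key" </dev/null

    chmod 600 "$keydir"/ssh_host_*_key
    chmod 644 "$keydir"/ssh_host_*_key.pub

    # Publish the fingerprints: this is what users compare against the
    # warning their client shows, and it is the actual defence against a
    # man-in-the-middle presenting the old, shared key.
    for pub in "$keydir"/ssh_host_*_key.pub; do
        ssh-keygen -l -f "$pub"
    done
}

# host_key_count [KEYDIR]: number of private host keys present, to confirm
# that the regeneration took effect.
host_key_count() {
    keydir=${1:-/etc/ssh}
    ls "$keydir"/ssh_host_*_key 2>/dev/null | wc -l | tr -d ' '
}

# usage (as root, on the freshly deployed clone): sh regen-host-keys.sh
if [ "$1" = "--run" ]; then
    regen_host_keys "${2:-/etc/ssh}"
fi
```

After running it, restart the SSH daemon (systemctl restart sshd, or service ssh restart on older distributions) so it loads the new keys. Anyone who already connected to the appliance will get a host key changed warning; they should remove the stale entry with ssh-keygen -R <host> and then compare the fingerprint their client shows against the one printed above, rather than blindly accepting the new key.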
12
Using IBM Lotus Traveler with a proxy....food for thought before you do this
Tue, Dec 16th 2014 6:11a   Darren Duke
Over the past few weeks I've been banging my head against the wall trying to figure out why a Traveler server that had been relocated behind a proxy would not work (it was a standalone server that was working fine before it was moved behind the proxy). Everything seemed fine, except one couldn't get to the Traveler log on page and/or add devices to the server. Existing users worked flawlessly. Needless to say this was extremely aggravating. I'd install another, new Traveler server and put i
34
How to disable SSLv3 in Domino
Fri, Dec 12th 2014 6:01a   Darren Duke
In my POODLE TLS post from a few days back, there was a comment asking how to fully disable SSLv3 in Domino. You'll notice in the comments I mention that there is a way but at the time it was under NDA. Well, apparently not anymore.... Now, fair warning, this may not yet be supported by IBM so if you choose to do this, you do it at your own risk (while under NDA on this, it was stated that it is unsupported, so YMMV). According to this post on the Domino wiki, you can use this server notes
6
Tis coming to the close of 2014, so it must be time for the snarky review
Wed, Dec 10th 2014 1:27p   Darren Duke
Firefox, started 27, ended 34 Chrome started 32, ended 39 IE....11 and 11 IBM finally realized the 2015 plan was imploding. Except they "realized" this in 2014, so the immense damage of the plan has already been done. Oh, and I doubt they will stop the culling. Talking of IBM....support. Oh, how I used to use thee as a unique selling point. Now? I routinely have 14+ day periods when the assignee of the PMR doesn't respond to multiple emails. At first I thought this was just me
12
POODLE TLS - The POODLE Strikes Back - change your settings now....
Tue, Dec 9th 2014 8:11a   Darren Duke
After a brief chat in the Lotus Notes Skype chat with Jim Casle, Declan Lynch, Steve Pridemore and Frederick Norling it has become apparent that Domino may be susceptible to the newly discovered POODLE TLS issue (POODLE 2.0 if you will). You can read about the new issues here and here. Go scan your servers at SSL Labs. Anyway, provided you are using 9.0.1 FP IF1 (the TLS fix that IBM provided a while back) the apparent Domino fix is to disable the AES and 3DES ciphers and run with only RC4:
25
The Domino fixes for POODLE and TLS, you may not be done yet
Tue, Nov 4th 2014 3:09p   Darren Duke
As you may have read elsewhere, IBM have finally addressed POODLE and TLS 1.0; the fixes are now available on all platforms for these releases: 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4 and 8.5.1 FP5. Now, just implementing these fixes may not completely protect you unless you also disable both AES ciphers in Domino. Basically these are the two ciphers you want enabled: It's worth pointing out that with the TLS 1.0 fix IBM also addressed a long time pet peeve of mine, low quality ciphers: Removed support
15
Back to basics - how to DAOS enable (missed?) non-DAOS’d Domino mail files the easy way
Mon, Nov 3rd 2014 4:06p   Darren Duke
I got this question from an STS customer: My question ... is there something I can run from the server console to make sure everyone is set up for DAOS or it is working for all mail accounts? Well, yes there is. Using an old Domino feature called Indirect Files, copy and paste, and Excel. Let me show you how...... If you're on Domino 9 make sure to add the following to your server notes.ini. This will prevent compact from failing by preventing the Router from delivering mail to a co
22
STARTTLS and POODLE is this really an issue?
Thu, Oct 23rd 2014 10:28a   Darren Duke
I got an email from a customer the other day about mitigating POODLE with IBM's Lotus Protector for Mail Security (LPMS). There is a technote for this, 1687838. At the top there is an interesting warning: IMPORTANT: disabling SSLv3 for XMail may cause severe incompatibility problems with other MTAs that do not support TLS 1.x I was asked if this was an issue. My response: It depends on who you are STARTTLS emailing to.... This only affects domains that you have set as r
9
POODLE and SHA2 support coming to Domino
Tue, Oct 21st 2014 9:02a   Darren Duke
Behold, the silence has ended.....the crescendo that is IBM has finally lifted the veil on some fixes for some very large security holes....AFAIK these are native Domino fixes. I'm unsure of the protocols supported, but my understanding is all of them, but only time will tell. These are not available yet, but should be in "weeks"... First up, the fix for POODLE outlined in Technote 1687167. This is coming to: 9.0.1 FP2 9.0 8.5.3 FP6 8.5.2 FP4 8.5.1 FP5 I think that is every supported Domino
8
Here is a freely available VM to reverse proxy Domino - shoot the poodle
Wed, Oct 15th 2014 7:35a   Darren Duke
In an effort to help Domino customers mitigate the disaster that is the SSLv3 Poodle bug, I am providing the virtual machine linked at the bottom of this post. Note, you can also use the IBM HTTP Server bundled with R9 if you are on a Windows server....if that is the case, stop reading. YOU USE THIS POST AT YOUR OWN RISK. For professional services related to this contact STS Sales. Take backup copies of any files you change, including the Domino Directory. That way if you screw up......
10
So Domino and SHA2.....There’s a SPR for that
Wed, Aug 20th 2014 7:20a   Darren Duke
As some of you know, SHA2 support in the native Domino HTTP stack has been a bit of a fire starter of late. As IBM like to say "we've not heard that from our customers", so here's your chance to change that. How do you do that? Simple, if you are able to create a PMR against Domino (if you're on support for Notes and Domino you can) and mention that you want SPR # ABAI7SASE6 (APAR LO48388) addressed. Here's a link to the IBM support portal, so head on over there and create a PMR via an Elec
7
My customers don’t want Mail.Next
Tue, Aug 19th 2014 11:30a   Darren Duke
I have customers ranging from names you have heard of, to a few hundred seats, to 5 or less. I’m pretty sure that most customers I come into contact with are not on IBM’s radar. A few maybe, but most? Not so much. Some of them occasionally ask about “mail.next” but none are excited. You see, these customers are not cutting edge. They are not chasing the next shiny ball of tinfoil. They cherish stability. Not constant change. Not constant “vaporware” demos of stuff that most think f
11
How did I not know this feature of Windows existed? AKA - a useful tip
Fri, Aug 8th 2014 8:13a   Darren Duke
With a little over 18 months since I've had to produce weekly tips, you've most likely missed my gems (OK, some weren't gems, but you get what you pay for).... Anyway, this one is a gem, and I'm sure most of you know this but I surely did not. On any Windows folder, hold down the Shift key and right click and you get these additional options added to your context menu: If you do anything with Websphere on Windows this will no doubt save you a ton of time. Again, how did I not know
Created and Maintained by Yancy Lent (Planet Lotus)