|Latest 7 Posts
| 2016 the annus horribilis review|
Mon, Dec 19th 2016 6
| Renewing LetsEncrypt SSL certificates automatically with NginX|
Fri, Dec 9th 2016 11
| WTF? A new podcast? If you liked This Week In Lotus, you should (at least) like ’WTF Tech’|
Mon, Oct 31st 2016 6
| Switched to Let’s Encrypt for the blog SSL certificate|
Wed, Sep 21st 2016 7
| iNotes and IE Standards mode now seems to work in 9.0.1 FP7|
Wed, Sep 14th 2016 8
| 9.0.1 FP7 and how to enable the new port encryption settings|
Wed, Sep 14th 2016 5
| The last ever (no really....) This Week In Lotus has been posted, number 115|
Tue, Sep 6th 2016 3
| How to disable SSLv3 in Domino|
Fri, Dec 12th 2014 14
| The Domino fixes for POODLE and TLS, you may not be done yet|
Tue, Nov 4th 2014 11
| Renewing LetsEncrypt SSL certificates automatically with NginX|
Fri, Dec 9th 2016 11
| iNotes and IE11 - yes it is supported|
Tue, Mar 18th 2014 10
| On Domino 9? Have a cluster? You’re using DBMT right?|
Wed, Mar 19th 2014 10
| If you are using my Reverse Proxy, please change the SSH host key|
Wed, Jan 14th 2015 9
| TLS 1.2 in Domino and the settings I use|
Mon, Apr 6th 2015 9
| Addendum to my Domino DBMT post (well, a correction)|
Tue, Apr 8th 2014 8
| So Domino and SHA2.....There’s a SPR for that|
Wed, Aug 20th 2014 8
| Do IBM test any of their stuff anymore? IBM Mobile Connect installation woes|
Wed, Jul 8th 2015 8
||TLS 1.2 in Domino and the settings I use
Unless you have been living under a rock somewhere you no doubt know that IBM finally gave use TLS 1.2 for IBM Domino servers. This means that Domino servers can now use SSLv3, TLS 1.0 and TLS 1.2. But it's IT, so just because you can does not mean you should......for example I would suggest most servers (I'll get the outliers further down the page) would probably want SSLv3 disabled. If you have been under a rock, then you need Domino 9.0.1 FP3 IF2 to get this new goodness.
Now this fix is only for Domino 9.0.1 FP3, so now you have a further reason to upgrade to R9 (SHA2 wasn't enough?) and is provided as an IF from fix central. There are other goodies in this release too like additional ciphers and forward secrecy (aka FS). Forward secrecy? Yes...via Wikipedia:
In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS and also key erasure) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
However (there's always a however), IBM has chosen to not enable FS by default. This is due to IBM not knowing how crap your servers are, as FS is "resource intensive". If you have crap servers, like a Pentium II running your production environment then FS is not for you (neither is IT for that matter). If you running a pretty recent CPU and plenty of RAM, then you should be OK. And you really want FS.....no really, you do.
So you've decided that your server hardware is up to the task, what do you do to get FS and the promise of Angels singing and the cries of despair from hackers now thwarted? Well you have use Notes.ini settings. See IBM are doing good stuff here....they are giving us new, very important features in fix packs and IF's....the cost of that is there are not yet any UI equivalents in the server and config docs yet. I'm good with that, good on yer IBM.
A few blog posts back, I mentioned the SSLCipherSpec notes.ini setting and it is this setting that once again gets to do all the work. Here's the thing though.....I would change the values in this setting based on the use of the Domino server. I'm not convinced there is "one setting to rule them all yet". I would suggest to you, dear reader, that a Traveler server needs different settings to a iNotes server which is different to a SMTP gateway server. Before that go read Daniel Nashed's excellently detailed post on all the new ciphers then come back here.....
Remember, SSLCipherSpec will be used despite what you have in the server or internet document and it is server wide.
iNotes with XP and IE support
Let's start with iNotes. Some organizations still need XP with IE support. Yes they do. Get over it. This is a conniption free zone with regards to XP. If you do need XP with IE then use TLS 1.0 with Triple DES. Why? Well XP with IE does not support AES, so that cipher is out, RC4 is now frowned upon so that cipher is out, leaving us with 3DES. Given the use of XP with IE support and FS on other platforms, I would suggest this cipher list for an iNotes server and you'll get a A- on SSL Labs:
(Firefox and Chrome on XP do not have the same issues as IE)
iNotes without XP and IE support
Drop the 3DES cipher (0A), but SSLv3 still disabled, and get a A- on SSL Labs:
Same as iNotes with no XP support:
SMTP Domino Gateway
This is where it gets tricky if you're using STARTTLS (you are using STARTTLS right?) or your iNotes server is also your SMTP gateway. I would love to be able to say kill off SSLv3 but that's only a decision you can make based on your findings of what breaks when others try to send you TLS messages, but I don't think there is one size fits all here. I would start with this and adjust as necessary (you may need to add RC4 ciphers back in):
or (with SSLv3)
or (with SSLv3 and RC4):
Domino LDAP for LDAPS Dir Sync
If you using any type of LDAP sync with cloud based services for things like Spam protection then this is difficult. You just need to try it and see. For instance SpamHero (which I like a lot...) only uses SSLv2 (yes....T. W. O) last I checked. I did email them for clarification and they did say they are addressing this. I have not checked in a few weeks. So if this is the case, you cannot go above 9.0.1 FP2 for this server. Again, test. adjust, test again, repeat
You may be wondering about the "A-" on the SSL Labs test. Well, it's to do with older browser support for FS and IBM choosing to not (yet?) implement ECDHE ciphers. I hope at some they will reconsider this as this does seem to be the current trend in ciphers, and well, we don't want to be left a decade or more behind again, right? I wonder what the (now new) top ranked,, not fixed PMR is now?
So there you have it. TLS 1.2 support in Domino. Not quite as simple as you thought.
TLS/SSL support history of web browser - Wikipedia
Domino TLS Cipher Configuration - IBM
Apr 06, 2015
| Recent Blog Posts
2016 the annus horribilis review|
Mon, Dec 19th 2016 2:30p Darren Duke
Firefox started at 43, ended at 50 (they are slowing down....) Chrome started at 47, ended at 55 (they are speeding up....) IE....you know what? F**k IE. Still using Chrome as my primary browser, although Vivaldi is slowly taking over Didn't go Connect 16. Won't be at Connect 17. I already know what's going to happen....IBM is going to tell you about all the products that they promise * cognitive* is being added too. Like Verse (2 years ago?) and Toscana. "No, really we are" the
Renewing LetsEncrypt SSL certificates automatically with NginX|
Fri, Dec 9th 2016 4:06p Darren Duke
A while back I blogged that I switched the SSL on this blog to Let's Encypt, the free SSL provider. I even linked to the Crontab post I used to renew the SSL certificate (they are only good for 90 days, so need to be renewed regularly). Except mine would not renew. Hum.... I eventually got around to looking at this before the certificate ran out on Dec 20th and it turns out I needed to do a few more steps. If you manually run the renew.sh on the server without these additional steps thi
WTF? A new podcast? If you liked This Week In Lotus, you should (at least) like ’WTF Tech’|
Mon, Oct 31st 2016 10:14a Darren Duke
A long time ago, before IBM came down like a hammer, there was a podcast. We really enjoyed doing This Week In Lotus, but it became a bit untenable as IBM threatened all kinds of stuff (including revoking *my* Champion status.....) so we stopped. But IBM kept doing "WTF?" kinds of things.....canceling 9.0.2, going to fix packs only, spreading Java 8 out over a year (from now). After getting together at MWLUG, Stuart and I started to reminisce and we started thinking about saddling up again.
Switched to Let’s Encrypt for the blog SSL certificate|
Wed, Sep 21st 2016 12:25p Darren Duke
I had switched the blog to SSL a while back (mainly due to Google threatening that non-SSL website will take a hit in searches). At the time Let's Encrypt (the free, yes free, CA SSL issuer) was just getting started and didn't have roots published to most of the browser root stores. Because of this I went with free certificate available from Start SSL. I'm not disappointed with StartSSL, it's just time to try something else when the StartSSL certificate expired. In fact if you need anything
iNotes and IE Standards mode now seems to work in 9.0.1 FP7|
Wed, Sep 14th 2016 10:28a Darren Duke
I had praised, then lamented the new-ish iNotes forms templates that allow you do copy and paste images from the clipboard into IE. Well, with FP7 IBM (so far) seem to have addressed the issue search issue that forced me to disable this again. It's now back on for my servers. Let's see how long before I lament this again. It is probably work pointing out that Ulrich Krause is reporting issues with the "normal" iNotes forms9.nsf shipped in FP7. I have not seen the issue he reported in t
9.0.1 FP7 and how to enable the new port encryption settings|
Wed, Sep 14th 2016 4:59a Darren Duke
9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8) but yet again the Domino security team has added stuff, this time the oft requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or a nice looking, but still pointless 404 page. So how do you enable this? We'll after scouring the design partner forum I found a post from the lovely Dave Kern that outlined thi
The last ever (no really....) This Week In Lotus has been posted, number 115|
Tue, Sep 6th 2016 9:26a Darren Duke
Stuart, myself and Jesse Gallagher join for the weekly bi-annual podcast for one last time....listen to it here: http://thisweekinlotus.com/115-doing-a-three-way/ There is also an exciting announcement at the end.....
Using Hawthorn gold code? Want IBM to add SQL Server support? Here’s the SPR you’ll want to add your name to....|
Mon, Aug 29th 2016 2:09p Darren Duke
Hawthrorn 2.0, AKA IBM Mail Support for Microsoft Outlook, AKA IMSMO has recently been released. One of the main install differences between GA (2.0) and LA (1.0) code is that GA requires use of IBM DB2 as a state store for the IMSMO Domino server (whereas 1.0 had no such requirement). Most organizations can count on the fingers of no hands how may DB2 servers they have, so you'd expect IBM to support MS SQL server right? You'd be wrong. You along with me are a moron, and no one's ever ask
There is no 9.0.2. Dead. Canceled. Killed. |
Wed, Aug 24th 2016 3:26p Darren Duke
Originally 9.0.2 was scheduled for release in late 2015. Then February 2016 (this would have been 28 months since 9.0.1 shipped) Then 2H 2016. Then 2017. Now, well, never (if the scuttlebutt at MWLUG is to be believed, and I do believe it). It was pushed for many reasons, notably to get Verse out of the door. As I mentioned in this post (9.0.2 where for art thou?) and this one (my customers don't want mail next) I've ranted and raved about this before. To no avail. Well,
Unable to view embedded SlideShare presentations in Chrome? Try this.....|
Mon, Aug 22nd 2016 4:34p Darren Duke
The first page of the presentation displays fine, but you can't navigate to any other slide or use any other actions (like the image below): The fix it is to allow 3rd party cookies from SlideShare.net. You can do this in the Chrome settings page, like this: Then, manage exceptions: Add the following to the hostname pattern: [*.]slideshare.net Like this: You can now navigate embedded SlideShare presentations.