Since the POODLE attack on SSL 3.0 it is no longer safe to use SSL on Domino without upgrading to version 9.0.1 FP2 IF1, version 9.0 IF6 or newer.
IBM also ships a new command-line tool, KyrTool, for creating and managing the SSL keyring (.kyr) file. You only need it when you have to import a SHA-2 certificate; an existing keyring keeps working on an upgraded Domino server.
A few weeks ago we upgraded Domino servers at Semaphor and tested the quality of our SSL implementation along the way (using the SSL Server Test from Qualys SSL Labs).
Before the upgrade to version 9.0.1 FP2 IF1 the score was F :-( The good news is that the upgrade alone raised the score to C, which is a lot better, but the server was still reported vulnerable to the POODLE attack, the very attack that prompted IBM to release these fixes and the new KyrTool.
To avoid POODLE, the old CBC ciphers have to be removed from the Server document (or from the Web Site document, if you use Internet Site documents). POODLE exploits the padding of CBC-mode ciphers under SSL 3.0, and RC4 is a stream cipher with no padding, so leave only these two ciphers enabled:
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
The server now scores B at the SSL Server Test and the POODLE attack no longer applies. Be aware that this is a stop-gap, not a final configuration: RC4 has known keystream biases and RFC 7465 prohibits RC4 cipher suites in TLS, which is also why the SSL Server Test will not grade an RC4-only server higher than this. For a better grade, see the nginx section below.
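The following Python script is an added example (not from the original post, and not IBM's or Semaphor's code) that shows what the two checks above amount to in protocol terms. It audits a Domino cipher list for CBC suites and for the RC4 suites the post keeps, and it sends the same kind of SSL 3.0 ClientHello a scanner uses to see whether a server will still negotiate SSL 3.0 with a CBC suite, which is the condition POODLE needs. Assumptions: the notes.ini SSLCipherSpec value is taken to be a string of two-hex-digit suite ids (e.g. "0405" for the two RC4 suites), which you should verify against the IBM TLS 1.0 wiki page linked below; the suite table covers only the RSA suites Domino offered at the time; the offline test responses are constructed here, and the host name passed on the command line is yours.

```python
"""Audit a Domino cipher list and probe a server for SSL 3.0 + CBC (POODLE).

Added example, not code from the original post or from IBM. The
SSLCipherSpec format and the suite table are assumptions (see lead-in).
"""
import os
import socket
import struct
import sys

SSL3, TLS1_0 = 0x0300, 0x0301

# IANA suite ids, OpenSSL-style names, and the cipher mode that matters for
# POODLE: the attack needs a CBC suite under SSL 3.0; RC4 is a stream cipher.
CIPHER_SUITES = {
    0x0004: ("RC4-MD5", "stream"),
    0x0005: ("RC4-SHA", "stream"),
    0x0009: ("DES-CBC-SHA", "cbc"),
    0x000A: ("DES-CBC3-SHA", "cbc"),
    0x002F: ("AES128-SHA", "cbc"),
    0x0035: ("AES256-SHA", "cbc"),
}


def parse_sslcipherspec(value):
    """Split an SSLCipherSpec value ("0405") into suite ids [0x0004, 0x0005].
    Assumed format: low byte of each suite id as two hex digits, concatenated."""
    value = value.strip()
    if len(value) % 2:
        raise ValueError("odd number of hex digits in SSLCipherSpec")
    return [int(value[i:i + 2], 16) for i in range(0, len(value), 2)]


def audit_suites(suites):
    """CBC suites are POODLE-relevant under SSL 3.0; RC4 suites escape POODLE
    but are prohibited by RFC 7465, so both lists deserve attention."""
    report = {"cbc": [], "rc4": [], "unknown": []}
    for s in suites:
        name, mode = CIPHER_SUITES.get(s, (None, None))
        if name is None:
            report["unknown"].append(s)
        elif mode == "cbc":
            report["cbc"].append(name)
        else:
            report["rc4"].append(name)
    return report


def build_client_hello(version, suites):
    """Minimal ClientHello record (no extensions) offering only `suites`."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"  # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes + b"\x01\x00")
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type 1
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


def build_server_hello(version, suite, session_id=b""):
    """ServerHello record; used here only to construct offline test replies."""
    body = (struct.pack("!H", version) + os.urandom(32) + bytes([len(session_id)])
            + session_id + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body  # handshake type 2
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


def handshake_failure_alert(version=SSL3):
    """Fatal handshake_failure alert: what a server sends when it refuses SSL 3.0."""
    return b"\x15" + struct.pack("!HH", version, 2) + b"\x02\x28"


def parse_server_response(data):
    """("hello", version, suite), ("alert", level, description) or ("other", None, None)."""
    if len(data) < 5:
        return ("other", None, None)
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:
        return ("alert", payload[0], payload[1])
    if ctype == 0x16 and len(payload) >= 39 and payload[0] == 0x02:
        version = struct.unpack("!H", payload[4:6])[0]
        sid_len = payload[38]  # 1 type + 3 length + 2 version + 32 random
        if len(payload) >= 41 + sid_len:
            suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
            return ("hello", version, suite)
    return ("other", None, None)


def assess_sslv3_probe(response):
    """Interpret the reply to an SSL 3.0 ClientHello that offered CBC suites."""
    kind, a, b = parse_server_response(response)
    if kind == "hello" and a == SSL3:
        mode = CIPHER_SUITES.get(b, ("", ""))[1]
        return "exposed" if mode == "cbc" else "sslv3-accepted-without-cbc"
    if kind == "hello":
        return "unexpected-version"  # server answered SSL 3.0 with another version
    if kind == "alert":
        return "refused"
    return "unknown"


def probe_host(host, port=443, timeout=5.0):
    """Send the SSL 3.0 probe to a live server and classify its reply."""
    cbc_suites = [s for s, (_, mode) in CIPHER_SUITES.items() if mode == "cbc"]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(SSL3, cbc_suites))
        return assess_sslv3_probe(sock.recv(4096))


if __name__ == "__main__":
    print(audit_suites(parse_sslcipherspec(sys.argv[2] if len(sys.argv) > 2 else "0405")))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_host(sys.argv[1]))
```

Run it as `python poodle_check.py your.domino.host 0405` (file name of your choosing). A server on the fixed Domino level with only the two RC4 suites answers the probe with either an alert (SSL 3.0 disabled) or an RC4 ServerHello, and neither is "exposed"; the audit still lists both RC4 suites so that they are not forgotten once the server can do better.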
The next time your certificate is reissued it must be a SHA-2 certificate, and you will then need KyrTool to import it into the keyring, unless IBM has updated the Server Certificate Admin database by then.
nginx
If you want better SSL security than this (an A or A+ from the Qualys SSL Labs SSL Server Test), or if you need to secure an older Domino version that cannot take these fixes, install the nginx reverse proxy in front of your Domino server. nginx then terminates TLS with its own OpenSSL stack, so the protocol versions and cipher suites you offer no longer depend on what Domino supports, and Domino typically only sees plain HTTP from the proxy. I can recommend doing this either way!
Links
Other useful links on avoiding POODLE in Domino:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/kyrtool
http://www.thenorth.com/apblog4.nsf/0/A06025F72D53BAE685257D8C00724FD4
http://planetlotus.org/profiles/darren-duke_129563
Please feel free to comment on this blog post or to contact Semaphor (through the web or by mail) regarding Domino and SSL/TLS.
BR Tobias :-)