Showing posts with label SSL. Show all posts

Saturday, March 28, 2015

IBM Domino 9.0.1 FP3 IF2 available with TLS 1.2!

IBM has released on Fix Central the new IF2 for Domino 9.0.1 FP3 and IF3 for Notes 9.0.1 FP3, with several fixes and the implementation of TLS 1.2!

Below you can see the complete change log of fixes for Domino:

LCHG9UPBFM IBMi:TLS1.2 support for system SSL on IBM i Domino
KLYH9URNFY TLS 1.2 Client handshake request rejected by Server if server certificate chain signature type not supported by the client
KLYH9URNJH TLS 1.2 Notes / Domino as a TLS client rejects handshake with server if no common signature algorithm available
KLYH9UQJQN Remove RC4-SHA from the default cipher list for TLS 1.2
KLYH9UPMR7 Crash Problem in kyr caching
RKUR9PEDEB Implement HSTS (HTTP Strict Transport Security). This header informs supporting browsers that the site should only be accessed over an SSL-protected connection (HTTPS)
RGET9TSMKD Add IP Information to HTTP Thread logs for SSL Handshake connections
MKIN9QHT5W Passing a directory to kyrtool will crash the tool
DKEN9RVQGD kyrtool import all sometimes reports SECIssUpdateKeyringPrivateKey returned error 0x0720, AVA separator not found or Syntax error in OID when a \ is in a certificate name part
DKEN9SSUR6 Add more detailed logging for SSL/TLS connections to help diagnose failed connections.
KLYH9UFNWH New notes.ini SSL_DISABLE_TLS_10 to support Disabling TLS1.0 for compliance reasons. Used in conjunction with existing DISABLE_SSLV3=1 allows you to limit communication to TLS 1.2 only for protocols: HTTP, SMTP, LDAP, POP3 & IMAP
KLYH9QKTGH Added SHA-256 cipher specs for increased security with TLS 1.2
KLYH9QKTED Added Advanced Encryption Standard (AES) Galois/Counter Mode for increased security with TLS 1.2
KLYH9QKTBL Added Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS
KLYH9QKT4B Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP
KLYH9UBNGW Add pinning to SHA-256 for TLS 1.2
RMAS9PFRHP Namelookup retrieval via remote LDAP does not retrieve correct attributes
HCHC9GG66F Administrator Client Shows Wrong File Sizes of database with DAOS size>0 After Server Restart


On this page you can also find the change log for Notes and all the download links.
If you have any Internet protocol enabled on your server, plan the upgrade to this IF as soon as possible!
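As an added check that is not part of the original post or of IBM's own tooling: the Python below reads a notes.ini and reports which protocol versions the server would still accept for its Internet protocols under the semantics the changelog gives (DISABLE_SSLV3=1 removes SSLv3, SSL_DISABLE_TLS_10=1 removes TLS 1.0, TLS 1.2 is always offered once IF2 is installed; TLS 1.1 is not mentioned in the changelog and is assumed absent), checks an HTTP response for the new HSTS header, and can optionally probe a live host to compare expectation with reality. The notes.ini fragments and the HTTP response are constructed sample input.

```python
"""Added example, not from the original post or from IBM.

Checks the TLS posture the IF2 changelog describes: which protocol versions a
Domino server would still accept for its Internet protocols given its
notes.ini, whether the HTTP task sends the HSTS header, and (live, optional)
which versions a host actually negotiates. Assumed from the changelog: SSLv2
is gone, DISABLE_SSLV3=1 removes SSLv3, SSL_DISABLE_TLS_10=1 removes TLS 1.0,
TLS 1.2 is always offered; TLS 1.1 is not mentioned and is treated as absent.
"""
import socket
import ssl

# Constructed notes.ini fragments, not taken from a real server.
WEAK_INI = """\
ServerName=domino01/ACME
DISABLE_SSLV3=1
"""
HARDENED_INI = WEAK_INI + "SSL_DISABLE_TLS_10=1\n"

# Constructed HTTP response of the kind Domino's HTTP task sends once HSTS is on.
HSTS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Lotus-Domino\r\n"
                 b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b"<html></html>")


def parse_notes_ini(text):
    """Parse 'KEY=value' lines into a dict; notes.ini keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def expected_protocols(settings):
    """Protocol versions the server still accepts under these settings."""
    versions = {"TLSv1.2"}                         # always present with IF2
    if settings.get("SSL_DISABLE_TLS_10") != "1":
        versions.add("TLSv1")
    if settings.get("DISABLE_SSLV3") != "1":
        versions.add("SSLv3")
    return versions


def tls12_only(settings):
    """True when both legacy switches are set, i.e. the server is TLS 1.2 only."""
    return expected_protocols(settings) == {"TLSv1.2"}


def hsts_max_age(raw_response):
    """Return max-age from Strict-Transport-Security, or None when the header is missing."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                return int(val)
    return None


def probe_versions(host, port=443, timeout=5):
    """Live check: one handshake per version, returns the versions the server accepts.

    Old versions can only be tested if the local OpenSSL still enables them."""
    accepted = set()
    for version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                    ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE            # testing version support, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.add(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass
    return accepted


if __name__ == "__main__":
    import sys
    print("weak notes.ini allows:", sorted(expected_protocols(parse_notes_ini(WEAK_INI))))
    print("hardened is TLS 1.2 only:", tls12_only(parse_notes_ini(HARDENED_INI)))
    print("HSTS max-age:", hsts_max_age(HSTS_RESPONSE))
    if len(sys.argv) > 1:
        print(sys.argv[1], "negotiates:", sorted(probe_versions(sys.argv[1])))
```

Run it with a hostname as the first argument to compare what notes.ini says against what the server actually negotiates; if the live set is larger than the expected one, the IF is not installed or the settings have not been picked up since the last restart.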

Saturday, December 20, 2014

Domino vs. the TLS padding vulnerability: new security fix released

Yesterday IBM released this security bulletin, which confirms that Domino (8.5.x and 9.x) is affected by the TLS padding vulnerability, and at the same time released a new fix that addresses the issue!


Below you can find the download link. Happy fixing and happy holidays!



Wednesday, November 5, 2014

IBM Domino TLS and SHA-2 support: bye bye POODLE, we have the fix

In the last few days IBM has released two very important fixes that add support for TLS 1.0 on all protocols (HTTP, LDAP, IMAP, POP, SMTP) for Domino 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4 and 8.5.1 FP5, and that also add support for SHA-2 certificates.

This is the complete feature list:

Added support for TLS 1.0:
  • Inbound and outbound connections
  • Over all protocols (HTTP, SMTP, LDAP, POP3, IMAP & DIIOP)
  • All platforms including support for IBM iSeries running System_SSL
  • SSL/TLS Session resumption
  • Client certificate authentication
  • TLS protocol support for the TLS_FALLBACK_SCSV Signaling Cipher Suite Value, to protect browser clients that also support TLS_FALLBACK_SCSV against downgrade attacks.
  • Will negotiate down from TLS 1.0 to SSLv3 if the other party does not support TLS 1.0. Note that protocol version *negotiation* is a different thing entirely from protocol *fallback*, as described in POODLE.
  • The cipher suite list offered by Domino when making outbound connections has been re-ordered to place the AES ciphers first.
  • Serviceability enhancements to make logging more thorough and easier to read and understand

  • Removed support:
    • SSLv2
    • SSL renegotiation has been disabled
    • All weak (<128 bits) cipher suites have been disabled

Here is a link to the wiki article for the TLS fix.

SHA-2 support was added through a new command-line tool named kyrtool, which can generate SHA-2 certificate requests and import SHA-2 certificates into Domino .kyr files.
This tool works only with Domino 9.0.1 FP2 IF1 and 9.0 IF6, so here is another reason to upgrade your Domino environment to 9 if you are still on an older release!
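To make the TLS_FALLBACK_SCSV item in the list above concrete, here is an added Python model of RFC 7507, written for this page and not taken from IBM or from Domino. A client that retries at a lower protocol version after a failed handshake (the POODLE downgrade path) appends the signalling suite 0x5600 to its ClientHello; a server whose best version is higher than the one the client now offers must answer with an inappropriate_fallback alert. A client that simply speaks SSLv3 without the signal is still served, which is exactly the negotiation-versus-fallback distinction the list draws. The ClientHello framing is a constructed minimal message with no extensions; the random field is zeroed for readability.

```python
"""Added example, not IBM's or Domino's code: RFC 7507 TLS_FALLBACK_SCSV.

A minimal ClientHello builder/parser plus the server-side rule: if the hello
carries TLS_FALLBACK_SCSV and the server supports a version higher than
client_version, abort with inappropriate_fallback instead of completing the
downgraded handshake.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600                     # signalling suite from RFC 7507
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.2": (3, 3)}
AES128_SHA = 0x002F                            # TLS_RSA_WITH_AES_128_CBC_SHA, accepted by both sides here


def build_client_hello(version, cipher_suites, fallback=False):
    """Handshake-layer bytes of a ClientHello (no extensions, constructed random)."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = struct.pack("!BB", *version) + bytes(32)          # client_version + 32-byte random (zeroed)
    body += b"\x00"                                          # empty session_id
    body += struct.pack("!H", 2 * len(suites))               # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1) + length


def parse_client_hello(data):
    """Return (client_version, [cipher suites]) from ClientHello handshake bytes."""
    if data[0] != 1:
        raise ValueError("not a ClientHello")
    version = (data[4], data[5])
    pos = 6 + 32                                             # skip version and random
    pos += 1 + data[pos]                                     # skip session_id
    n = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites


def server_decide(client_hello, server_max_version=VERSIONS["TLSv1"]):
    """RFC 7507 server rule, then ordinary version negotiation (lowest of the two maxima)."""
    client_version, suites = parse_client_hello(client_hello)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "alert: inappropriate_fallback"
    return "ServerHello %d.%d" % min(client_version, server_max_version)


if __name__ == "__main__":
    # Browser first tries TLS 1.0, the attacker drops it, browser retries at SSLv3 with the SCSV.
    print(server_decide(build_client_hello(VERSIONS["SSLv3"], [AES128_SHA], fallback=True)))
    # A genuine SSLv3-only client without the signal is still served by a TLS 1.0 server.
    print(server_decide(build_client_hello(VERSIONS["SSLv3"], [AES128_SHA])))
```

The protection is only as good as both ends: a server that ignores the suite, or a client that never sends it, is back to plain version negotiation, which is why the list stresses browsers that *also* support TLS_FALLBACK_SCSV.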

Friday, August 1, 2014

Firefox users unable to connect to self-signed or Domino-based SSL

Firefox 31 introduced a new SSL library (enabled by default) that raises an SSL error when a user tries to access a Domino server with a self-signed SSL certificate.

The error is (Error code: sec_error_ca_cert_invalid)

In this technote IBM explains some workarounds for the issue and recommends the use of Firefox ESR.

Firefox ESR was recently updated to version 31 (which also uses this SSL library), but 24.7 is still available because its support only ends with 24.8 next September.