Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Traveler 9.0.1.3 server crashes when attempting to sync a MIME-formatted document missing a RFC822 header

Daniel Nashed  13 April 2015 09:05:51
You might want to wait before updating your Traveler server to 9.0.1.3 because of a MIME related bug that can cause crashes.
IBM has now released a technote with official information about the issue --> Technote 21701590
If you already updated and have abnormal process terminations in the Traveler servertask, you should not try to downgrade but instead request a fix from IBM (going back to an earlier version would cause a complete resync of all devices).


IBM is working on a 9.0.1.4 version which will -- according to the technote -- be released in April.


I have been running 9.0.1.3 since it was released and have not yet run into a crash.
But if you did not update yet you should wait for 9.0.1.4.


-- Daniel

New Start Script Version 3.0 with systemd support released

Daniel Nashed  7 April 2015 10:12:21
There is a new version of the start script for Domino on Linux (also AIX and Solaris) that supports RHEL 7 and SLES 12, which are both now using systemd instead of the older init scripts.
When you are migrating to one of those platforms you have to switch to the new start script and also use systemd to start/stop your Domino server.

Also on the new Linux versions the start script remains the main entry point for all your operations with the server.
But for start and stop you will need root permissions, or your Linux admin can allow you to use the start script with root permissions via "sudo".
The start script can invoke all the needed systemd commands to start and stop the Domino server. But you can also use the systemd commands directly instead.

I have updated and rewritten part of the documentation. If you are already familiar with the start script you should be aware that there are some changes.
There is a new "domino.service" file which represents the systemd service. You need one of those files for each partition along with the rc_domino file.
In the domino.service file there are references to the rc_domino_script which need to match the path where you have installed the script.
And rc_domino also needs to know which service file should be used. By default the service name is commented out to work with previous versions.
If you are running with systemd you have to set the "DOMINO_SYSTEMD_NAME" variable to your domino.service.

The documentation contains information about all changes and there is a "systemd" section in the readme as well.

In addition I added a new status command: "statusd" gives you the systemd status for your service.

And I have also added another, unrelated command which I wanted for my own environments.

The "resources" command shows you all resources the server currently uses (processes, shared memory, semaphores, MQs ...).

Here is a link to the script page --> http://www.nashcom.de/nshweb/pages/startscript.htm
You can request the new version with the form on that page.

There are also some other minor changes all documented in the version history.

If you have any questions let me know by mail.

Enjoy the new version

Daniel


DHE with more than 1024 bit key size and Java still works

Daniel Nashed  6 April 2015 22:58:19
As posted before, Java 6 and 7 cannot handle DHE key sizes above 1024 bit.
The work-around was to limit the DHE key size via the notes.ini parameter SSL_DH_KEYSIZE=1024.
But this reduced the key size for all other clients that used DHE as well.

There is another idea for how to work around this limitation.
Java only supports the following DHE cipher:

33 - DHE_RSA_WITH_AES_128_CBC_SHA

This is the weakest DHE cipher supported by Domino. If we disable this cipher, Java will not use DHE any more and we are not limited by the DHE 1024 bit key-size that is the maximum size that Java supports.

Disabling this cipher results in the following ciphers being used by Java. Java 8 implements a different DHE cipher, so the 1024-bit limit does not apply to Java 8.

Java 6u45   TLS 1.0   TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)          No FS   128
Java 7u25   TLS 1.0   TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)          No FS   128
Java 8u31   TLS 1.2   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   FS      128


This sounds like a good work-around for the Java DHE key-size limitation.

The resulting cipher spec for DHE with all other recommended ciphers enabled is the following:

SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F

For more details check my previous blog posts.

-- Daniel


New Version of KyrTool released

Daniel Nashed  3 April 2015 08:38:12
There is a newer version of the key ring tool (kyrtool) that has been released on Fix Central.

Here is the list of fixes for the newer version.
You should also update your client and server to the latest available IF, because there are also fixes in the back-end for some issues parsing certificates.

By the way ... I really like the command line kyrtool. A couple of days ago a customer asked me for some maintenance of their existing key ring files.
Their CA expired and we had to remove the root CA from over 150 key-ring files.
Using a shell script in combination with the kyrtool allowed me to export the private key and certificates, use "sed" to modify the file, create a new key-ring file, re-import and verify the key-ring file.
We even dumped information about the keys, certs etc and validation of the key-ring files into a CSV file to have an overview :-)

Fix list for the new version:

DKEN9U5UEX Fix crash if pem file provided as input file has embedded nulls
KLYH9UBNGW Add SHA-256 pinning to the kyrtool - displaying the digest on show commands
MKIN9QHT5W Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name
DKEN9RVQGD Fix kyrtool sometimes erroring on import all command

Download on Fix Central:
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

-- Daniel

    Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    Daniel Nashed  3 April 2015 08:15:05
    As posted before, there is a compatibility issue with the jconsole / Java server controller introduced in 9.0.1 FP3.
    IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only, even though the JVM would have supported TLS 1.0.

    So once you update your server but not your client, you cannot access your server over the server controller.
    If you update your client but not your server, you run into the same issue the other way round.

    The only solution was to have two separate clients for patched and unpatched servers.

    Ben Rose got a solution for this issue from IBM after escalating the problem.

    According to Ben there is a way to re-enable SSLv3 on your Notes client.

    You can set the following system variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.

    Variable: JAVA_TOOL_OPTIONS
    Value: -Dcom.ibm.jsse2.disableSSLv3=false

    This should allow you to connect again from a 9.0.1 FP3 jconsole to 8.5.x, 9.0.1 and 9.0.1 FP3 servers.

    Don't forget to remove the parameter once all your servers have been updated!

    Thanks, Ben, for insisting on getting a solution and for posting how to work around the issue!

    -- Daniel



      Traveler 9.0.1.3 Available - Verse iOS - Trash folder sync - Invitee status - Android push notifications

      Daniel Nashed  2 April 2015 10:22:10
      Traveler 9.0.1.3 has shipped with a couple of interesting new features. And the what's new section gives you some other interesting hints.
      I have copied the what's new information into this document but want to give you some additional hints.

      We had many customers asking for Trash folder sync support. It was already included in a previous version but disabled by default -- apparently because they needed to do some more testing. Now it is enabled by default.


      The Google Cloud Messaging support (GCM) for Traveler Android clients can be very helpful to improve battery life because no active HTTP session is needed for push notifications.
       
      GCM has the following requirement:

      The IBM Traveler server will attempt to communicate with the Google Cloud Messaging service using host android.googleapis.com using port 443.   Make sure that your firewall allows this connection!!!

      For more details see --> https://developer.android.com/google/gcm/http.html

      The IBM Traveler server will not attempt to contact GCM until it has a reason to do so.  
      To verify that this connection is working, you should first connect an IBM Traveler for Android client from a device that is also logged in with a Google account.  

      On the Traveler server, run the command: tell traveler push cmstatus
      See details here --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/google_messaging.dita


      Traveler 9.0.1.3 also supports the new iOS Verse app, which is currently in beta.

      The what's new section officially mentions it, so I can officially speak about it.

      IBM Verse is available already, but the iOS mobile client is not yet available.
      There will be a native iOS app that connects to IBM Verse and also to your Traveler servers.
      This Traveler version has official support for the Verse app.

      There is a side note that this is only supported when your Traveler server is running on top of Domino 9.0.1.
      I would always recommend installing the latest Traveler version along with the newest Domino release.
      Especially if you need TLS encryption you want to install the latest IF that introduced TLS 1.2 support for Domino.

      There are also a couple of additional fixes, listed in the fixlist (see the link at the end of the post).

      You can download the latest updates using Fixcentral as usual.

      -- Daniel



      What's new in IBM Traveler 9.0.1.3

      IBM Traveler 9.0.1.3 delivers the following new features for its supported devices.


      IBM Verse for iOS client support

      If you are part of the IBM Verse for Apple iOS program, you can connect the IBM Verse app to this version of the IBM Traveler server.
      There are some differences in functionality when the IBM Verse app connects to this on premises version of IBM Traveler versus when it connects to Connections Cloud.

      Trash folder syncing

      Support for the syncing of the Trash folder is now available in the client. However, it is dependent on the IBM Traveler server also providing this support. When the client is running against a server that supports Trash, a Trash folder will appear in IBM Traveler Mail. Deleted items will appear in the Trash folder and may be restored or permanently deleted from the Trash folder.

      Invitee status

      As the meeting organizer or chairperson, you now can see the response status for the attendees of your meeting on your mobile device.

      Google Cloud Messaging support for IBM Traveler for Android clients

      This version of the IBM Traveler server can now use Google Cloud Messaging (GCM) for real time push notifications to keep your Mail, Calendar, Contact and To Do data on your IBM Traveler for Android clients up to date. Using GCM can greatly improve the battery life of Android devices using IBM Traveler, as IBM Traveler no longer needs to stay constantly connected via HTTP to the IBM Traveler server for push notifications.

      For more information, refer to "Google Cloud Messaging for IBM Traveler for Android clients" and "How do I configure automatic syncing on an Android device?".

      Expanded Domino server support

      This version of the IBM Traveler server can now be installed on 3 different base Domino servers:

          IBM Domino 8.5.3 with Upgrade Pack 1 installed (excluding IBM Traveler for iSeries)
          IBM Domino 9.0
          IBM Domino 9.0.1

      In the past, the IBM Traveler server could only have been installed on the latest Domino release. But now the IBM Traveler installer is able to detect which of the above Domino versions the IBM Traveler server is being installed onto, and install the appropriate binary files for that version. There are some limitations when running on a Domino 8.5.3 server versus a Domino 9.0.1, and the recommendation is to install the Traveler server on a Domino 9.0.1 server to gain access to the largest set of Traveler server features.

      IBM Traveler for iSeries must be installed on a Domino 9.0 or Domino 9.0.1 server.

      The IBM Verse client is only supported when Traveler is installed on a Domino 9.0 or Domino 9.0.1 server.
      Note: If you change the version of Domino server after installing the Traveler server, you must re-install Traveler again. All data will be preserved, but the re-install is required so that Traveler installs updated binary files that match the updated Domino server.


      Links:

      What's new in IBM Traveler 9.0.1.3

      https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/Whats_new_in_Lotus_Notes_Traveler_9.dita

      Fixlist:

      http://www.ibm.com/support/docview.wss?uid=swg21700212

      engage conference security presentation

      Daniel Nashed  1 April 2015 12:24:03
      Yesterday at the engage conference in Ghent (http://www.engage.ug/) I gave an updated presentation based on the ConnectED 2015 presentation.
      I added most of the new notes.ini parameters and also information on how to enable those new ciphers, rewrote/reordered a bunch of slides and added more information after the latest IF shipped.


      During the conference I got the question what I would recommend.
      Here is what I would recommend for the latest fix -- which is sort of a short summary of the presentation.


      By default some of the new ciphers are already enabled. And all other security functionality introduced is enabled by default. I would recommend not disabling them if you don't really need to.

      There are a couple of options that you might still want to consider based on your environment.


      Note: The current IF completely ignores all SSL settings in the server/internet site document.
      With previous fixes you were still able to specify the ciphers in the server/internet site document, but it was already recommended to make changes using the SSLCipherSpec described in the presentation.



      -- Disable SSLv3 --


      I think it is time to completely disable SSLv3 on Domino because almost all applications and browsers support at least TLS 1.0.


      notes.ini DISABLE_SSLV3=1



      -- Re-Enable SSL V2 HELLO if you really have to --


      If you are running a public SMTP server you don't control what your customers, partners and others do with their SMTP servers.

      In some cases they are still using an older version which still tries an old SSL V2 HELLO.

      By default Domino has this old version of the handshake disabled.
      As blogged before you can re-enable it since the previous IF with the following notes.ini variable.


      notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1



      -- Enable DHE Ciphers if you need "PFS" --


      If you are interested in using the new PFS ciphers I mentioned in my last blog post (DHE ciphers, which will provide PFS for most clients) you really have to think about balancing the higher CPU overhead and possibly slower response times against security.

      You could enable it and check what additional CPU overhead you have afterwards.


      A good cipher spec to configure in that case would be:


      notes.ini SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F

      This would give you the currently enabled default ciphers + the new DHE ciphers which are not enabled by default for performance reasons.


      9D = RSA_WITH_AES_256_GCM_SHA384

      9C = RSA_WITH_AES_128_GCM_SHA256

      3D = RSA_WITH_AES_256_CBC_SHA256

      3C = RSA_WITH_AES_128_CBC_SHA256

      35 = RSA_WITH_AES_256_CBC_SHA

      2F = RSA_WITH_AES_128_CBC_SHA

      0A = RSA_WITH_3DES_EDE_CBC_SHA


      New DHE ciphers (for PFS support) not enabled by default


      33 - DHE_RSA_WITH_AES_128_CBC_SHA

      39 - DHE_RSA_WITH_AES_256_CBC_SHA

      67 - DHE_RSA_WITH_AES_128_CBC_SHA256

      6B - DHE_RSA_WITH_AES_256_CBC_SHA256

      9E - DHE_RSA_WITH_AES_128_GCM_SHA256

      9F - DHE_RSA_WITH_AES_256_GCM_SHA384



      -- In case of Java Apps reduce the DHE Key Size used --


      In addition if you have Java applications accessing your server they will use the DHE ciphers.

      But Java 1.6 and 1.7 do only support key length up to 1024 bit.

      So in that case you have to reduce the key length for the DHE ciphers (which will let the DHE ciphers be rated as sort of "weak" by some SSL testing sites).


      notes.ini SSL_DH_KEYSIZE=1024



      -- Get a proper SHA-256 based Certificate --


      In addition you have to ensure that you are using a proper SHA-256 based certificate.


      That's a very short summary of recommendations from my presentation, depending on your needs.


      You should be careful when you disable some of the default ciphers.

      All of them are currently rated as secure. And if you disable a cipher you could end up having no cipher in common with one of your SSL clients.


      I hope this short summary is helpful.


      -- Daniel

      First Perfect Forward Secrecy Ciphers shipped with 9.0.1 FP3 IF2

      Daniel Nashed  30 March 2015 13:14:58
      As posted before, IBM shipped a new IF (9.0.1 FP3 IF2/IF3) that introduces TLS 1.2. Along with this new version a set of ciphers has been added.
      Some of them are enabled by default and others can be enabled using notes.ini settings.

      Other ciphers that are regarded as "weak" have been removed from the default cipher list.


      Update: Also check for additional information in the new Wiki article -->
      http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

      So by default without any additional settings you get the ciphers that IBM currently recommends.

      What has been added to the default are the AEAD (AES-GCM) ciphers -- see details below.


      There are additional ciphers that will provide "Perfect Forward Secrecy" (PFS) for some platforms/browsers.


      IBM implemented Ephemeral Diffie-Hellman (DHE) ciphers. Those ciphers are used by many but not all platforms.

      That's why, even if you enable them, the SSL Labs test site will not give you a better rating, because not all of the reference browsers will use PFS.


      In addition those ciphers have a higher overhead on your Domino server. Therefore IBM left the decision which ciphers to add to administrators.

      You have to find the right balance between security and performance.
      Probably on a smaller server it will not have that much overhead. But on a larger server you might want to take special care and watch the CPU load of your server before and after you enabled the DHE ciphers!


      The current default setting is that the cipher order on the server takes preference.

      As mentioned before all the fixes currently have no design change because that will have to wait until 9.0.2.

      Therefore also the cipher spec has to be enabled using notes.ini settings as already described in our ConnectED presentation.


      There is a notes.ini setting described in a recent Wiki entry. Each cipher has a standard reference number.

      Domino uses the two-digit hexadecimal number to specify the ciphers you want to have enabled on your server.

      The order of entries does not matter. You just have to make sure that you always use a two-digit value per cipher -- even if the cipher's own number has just one significant hex digit (0A, not A).

      There is no space between the cipher numbers.



      Here is what you get by default without any changes:


      SSLCipherSpec=9D9C3D3C352F0A


      9D = RSA_WITH_AES_256_GCM_SHA384

      9C = RSA_WITH_AES_128_GCM_SHA256

      3D = RSA_WITH_AES_256_CBC_SHA256

      3C = RSA_WITH_AES_128_CBC_SHA256


      35 = RSA_WITH_AES_256_CBC_SHA

      2F = RSA_WITH_AES_128_CBC_SHA

      0A = RSA_WITH_3DES_EDE_CBC_SHA



      In addition to that you have the following new DHE ciphers available.


      33 - DHE_RSA_WITH_AES_128_CBC_SHA

      39 - DHE_RSA_WITH_AES_256_CBC_SHA

      67 - DHE_RSA_WITH_AES_128_CBC_SHA256

      6B - DHE_RSA_WITH_AES_256_CBC_SHA256

      9E - DHE_RSA_WITH_AES_128_GCM_SHA256

      9F - DHE_RSA_WITH_AES_256_GCM_SHA384


      So as an example, when you want to enable all DHE ciphers and keep the other ciphers, you set the following notes.ini setting and restart the server tasks such as HTTP.



      SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F

      So you could add those ciphers to your cipher list using the notes.ini setting.
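      As an added example (not from the blog post or from IBM), here is a small Python checker for the SSLCipherSpec format described in this post and for the Java DHE problem from the 6 April post: it splits the value into two-digit cipher numbers, maps them to the names listed here, reports whether DHE ciphers are enabled, flags the one DHE cipher (0x33) that Java 6/7 will negotiate, and produces the variant without 0x33. The cipher numbers, names and default spec come from this page; the function and field names are my own.

```python
"""Decode and sanity-check a Domino SSLCipherSpec value.

Added example, not from the blog post or from IBM. Cipher numbers and names are
the ones listed in the post; Domino reads the notes.ini value as a run of
two-hex-digit cipher numbers with no separators, order ignored.
"""
from dataclasses import dataclass
from typing import Dict, List

# Cipher numbers and names as listed in the post.
CIPHERS: Dict[int, str] = {
    0x9D: "RSA_WITH_AES_256_GCM_SHA384",
    0x9C: "RSA_WITH_AES_128_GCM_SHA256",
    0x3D: "RSA_WITH_AES_256_CBC_SHA256",
    0x3C: "RSA_WITH_AES_128_CBC_SHA256",
    0x35: "RSA_WITH_AES_256_CBC_SHA",
    0x2F: "RSA_WITH_AES_128_CBC_SHA",
    0x0A: "RSA_WITH_3DES_EDE_CBC_SHA",
    0x33: "DHE_RSA_WITH_AES_128_CBC_SHA",
    0x39: "DHE_RSA_WITH_AES_256_CBC_SHA",
    0x67: "DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x6B: "DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x9E: "DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x9F: "DHE_RSA_WITH_AES_256_GCM_SHA384",
}

DEFAULT_SPEC = "9D9C3D3C352F0A"  # default shown in the post for FP3 IF2/IF3
JAVA_6_7_DHE = 0x33              # only DHE cipher Java 6/7 negotiate (per the post)
HEX = set("0123456789abcdefABCDEF")


def parse_cipher_spec(spec: str) -> List[int]:
    """Split an SSLCipherSpec value (bare, or the whole notes.ini line) into
    cipher numbers. Rejects an odd-length value (a one-digit entry such as 'A'
    instead of '0A'), separators or other non-hex characters, and duplicates."""
    value = spec.split("=", 1)[1].strip() if "=" in spec else spec.strip()
    if len(value) % 2 != 0:
        raise ValueError("use two hex digits per cipher (write 0A, not A)")
    codes: List[int] = []
    for i in range(0, len(value), 2):
        pair = value[i:i + 2]
        if not set(pair) <= HEX:
            raise ValueError(f"not a hex cipher number: {pair!r}")
        code = int(pair, 16)
        if code in codes:
            raise ValueError(f"cipher {pair} is listed twice")
        codes.append(code)
    return codes


def is_valid_spec(spec: str) -> bool:
    """True if the value can be read as a list of two-digit cipher numbers."""
    try:
        parse_cipher_spec(spec)
    except ValueError:
        return False
    return True


def build_cipher_spec(codes: List[int]) -> str:
    """Inverse of parse_cipher_spec; always emits two digits per cipher."""
    return "".join(f"{code:02X}" for code in codes)


@dataclass
class SpecReport:
    names: List[str]             # decoded cipher names, in the order written
    unknown: List[int]           # numbers the post does not list
    dhe_enabled: bool            # at least one DHE (PFS) cipher is present
    java_6_7_picks_dhe: bool     # 0x33 present, so Java 6/7 will negotiate DHE
    missing_defaults: List[str]  # default ciphers that this spec drops


def analyse(spec: str) -> SpecReport:
    """Report what a spec enables relative to the default, plus the Java caveat."""
    codes = parse_cipher_spec(spec)
    names = [CIPHERS.get(code, f"unknown_{code:02X}") for code in codes]
    defaults = parse_cipher_spec(DEFAULT_SPEC)
    return SpecReport(
        names=names,
        unknown=[code for code in codes if code not in CIPHERS],
        dhe_enabled=any(name.startswith("DHE_") for name in names),
        # With 0x33 enabled Java 6/7 pick DHE and then fail on DH keys above
        # 1024 bit unless notes.ini SSL_DH_KEYSIZE=1024 is set server-wide.
        java_6_7_picks_dhe=JAVA_6_7_DHE in codes,
        missing_defaults=[CIPHERS[c] for c in defaults if c not in codes],
    )


def without_java_dhe(spec: str) -> str:
    """The work-around from the Java post: drop 0x33 so Java 6/7 fall back to an
    RSA cipher while other clients keep the remaining DHE ciphers."""
    return build_cipher_spec([c for c in parse_cipher_spec(spec) if c != JAVA_6_7_DHE])


if __name__ == "__main__":
    full = "9D9C3D3C352F0A3339676B9E9F"  # default + all DHE ciphers, as in the post
    print(", ".join(analyse(full).names))
    print("Java 6/7 safe variant:", without_java_dhe(full))
```

      Running it on the combined spec above prints all thirteen cipher names and the reduced spec 9D9C3D3C352F0A39676B9E9F, which is the value the Java post arrives at.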

      Once you are done you can use the SSL Labs test website
      https://www.ssllabs.com/ssltest/ to check if the ciphers are properly configured.
      What is nice about the website is that it will "simulate" which client type will probably use which cipher when connecting, given the current settings of your server.


      Now you should have all the default ciphers and the DHE ciphers enabled.


      You should take special care which ciphers to disable because you could block out certain devices types.


      When testing with the SSL Labs test and also using Java applications I noticed that they will pick the DHE ciphers.

      But Java 1.6/1.7 does currently not support more than 1024 bits. By default Domino uses a higher key length.


      So Java sees that DHE ciphers are enabled and will try to use them. It does not check beforehand that it cannot handle key sizes larger than 1024 bit.


      That means if you enable DHE ciphers you might have to consider lowering the key length used.
      If you change the key length to 1024 the SSL Labs test site will report that your key is "weak".


      So you have to balance lower security with compatibility at this point.


      There is a notes.ini setting to specify the key-length for DHE ciphers.


      You could set notes.ini SSL_DH_KEYSIZE=1024 to resolve this incompatibility.


      There have been also discussions about other PFS ciphers that are used by other applications like older IE versions.


      "Elliptic curve ciphers" (ECDHE...) are supported by older IE versions and by Windows mobile.
      But they are currently not implemented on the Domino side.


      All the development work in this area is based on priorities and demand. And IBM is releasing it step by step with IF fixes.

      It is not confirmed that IBM is working on that type of cipher. I just wanted to mention it to explain why not all platforms will use PFS ciphers when you enable the DHE ciphers.

      Also the ECDHE ciphers have better performance than the DHE ciphers. But the first priority was to implement the DHE ciphers because most platforms support it.

      This was for sure not the last functionality update we get via an IF. I am looking forward to seeing what is next on the list.


      Not all of the notes.ini settings are documented yet. I expect that IBM will publish another Wiki article soon.

      I might update this blog entry or write a more complete article with more details as soon as more information is available.


      -- Daniel

      Domino 9.0.1 FP3 IF3 is about to ship

      Daniel Nashed  29 March 2015 12:33:52

      Updated post:

      IF2/IF3 already shipped. There is also a Wiki article describing the changes.

      The fixlist for IF2/IF3 is confusing, but it looks like the Wiki article explains it.


      --> http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2

      The fixes have the release date of 27.3. The client fixes are labelled "IF3", the server fixes are labelled "IF2".


      Here is what the fixlist says and see my comments in-line.
      You should also read the Wiki entry which will hopefully also have the settings for the PFS ciphers soon.


      Update: Also check for additional information in the new Wiki article --> http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration


      I have installed 9.0.1 FP2 IF2 on my production Linux Server.

      And I can confirm that TLS 1.2 is implemented in this version; it looks like just the fixlist is confusing.

      The fixes listed in the fixlist section "IF3" are included in the server fixes labelled "IF2". The right client release is "IF3" in contrast.


      Without any additional settings this brings you TLS 1.2 support with the following ciphers, which brings Domino to an "A-" rating.


      TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
      TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
      TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
      TLS_RSA_WITH_AES_256_CBC_SHA    (0x35)
      TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

      TLS_RSA_WITH_AES_128_CBC_SHA    (0x2f)
      TLS_RSA_WITH_3DES_EDE_CBC_SHA   (0xa)


      The "A-" is because of missing PFS support for reference browsers.


      As mentioned in the wiki article and also in the fixlist IBM also implemented some PFS ciphers.

      "Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE)"


      But those ciphers are disabled by default because they have higher overhead on the server and client side.
      I will have a separate post for the PFS cipher support as soon as official information is available.


      Here is the commented SPR list:

      9.0.1 Fix Pack 3 Interim Fix 2 SPR #PSIH9SSAHC
      http://www.ibm.com/support/docview.wss?uid=swg21698994

      -- PNG Vulnerability --


      libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_combine_row function when decompressing the IDAT_data.
      A remote attacker could exploit this vulnerability using a "very wide interlaced" PNG image to overflow a buffer and execute arbitrary code on the system or cause a denial of service.

      You should wait for IF3 planned to be released very soon. The SPR list for the fix is already public and the IF will contain a couple of important fixes and new TLS 1.2 support including new ciphers.


      Enclosed you find the current list. The information about how to enable those new ciphers is not yet released. I will post information about those new settings and comment on them as soon as they are released.


      IF3 will contain a couple of pending fixes for other issues. For example the fix for the Google Calendar feed in the Standard Notes client, which broke because of a change on the Google side.



      Here is a commented fix list for IF2/IF3:



      -- 9.0.1 Fix Pack 3 Interim Fix 3 --


      KLYH9UBNGW - Add pinning to SHA-256 for TLS 1.2

      KLYH9URNJH - TLS 1.2 Notes / Domino as a TLS client rejects handshake with server if no common signature algorithm available

      KLYH9URNFY - TLS 1.2 Client handshake request rejected by Server if server certificate chain signature type not supported by the client

      --> There have been issues especially with TLS SMTP connections. Those two fixes help to connect even in those cases.


      KLYH9UQJQN - Remove RC4-SHA from the default cipher list for TLS 1.2

      --> RC4-MD5 had already been removed before. Now the SHA-based version is also rated as weak on the Domino side and is disabled by default.


      RKUR9PEDEB - Implement HSTS (HTTP Strict Transport Security). This header informs supporting browsers that the site should only be accessed over an SSL-protected connection (HTTPS)

      --> On a server that only allows authenticated connections I would only enable the SSL port and disable port 80 in general.
      We have to wait for the full documentation to see under which conditions the header is set automatically.
      It should be sent automatically when only HTTPS is enabled.


      RGET9TSMKD - Add IP Information to HTTP Thread logs for SSL Handshake connections

      MKIN9QHT5W - Passing a directory to kyrtool will crash the tool

      DKEN9RVQGD - kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part

      --> There have been a couple of cases where certificates could not be parsed correctly. This fix should solve those issues.


      DKEN9SSUR6 - Add more detailed logging for SSL/TLS connections to help diagnose failed connections

      --> More detailed information is important for figuring out what is going wrong in some cases.

      KLYH9UFNWH - New notes.ini SSL_DISABLE_TLS_10 to support disabling TLS 1.0 for compliance reasons. Used in conjunction with the existing DISABLE_SSLV3=1 it allows you to limit communication to TLS 1.2 only for the protocols HTTP, SMTP, LDAP, POP3 & IMAP

      --> For now I would disable SSLv3 only and keep TLS 1.0 enabled, unless you are working in a controlled environment like an intranet and you know exactly that all clients support TLS 1.2.


      KLYH9QKTGH - Added SHA-256 cipher specs for increased security with TLS 1.2

      KLYH9QKTED - Added Advanced Encryption Standard (AES) Galois/Counter Mode for increased security with TLS 1.2

      --> New AES GCM ciphers. I will post details on how to enable them as soon as the exact implemented ciphers have been documented.

      There will be documentation on which ciphers are enabled by default and how to enable other ciphers.


      KLYH9QKTBL - Added Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS

      --> New DHE ciphers which introduce PFS -- Perfect Forward Secrecy. I will post details on how to enable them as soon as the exact implemented ciphers have been documented.

      There will be documentation on which ciphers are enabled by default and how to enable other ciphers.


      PFS is an important addition to allow more secure connections. It ensures that recorded traffic cannot be decrypted later if the private key of one side gets compromised.



      KLYH9QKT4B - Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP

      --> Support for TLS 1.2!!! That was announced at ConnectED to be available in Q1. Thanks to IBM and the team working on it.


      HCHC9GG66F - Administrator Client Shows Wrong File Sizes of database with DAOS size > 0 After Server Restart

      IFAY9QZGKG - Getting Error When Using Google Calendar Feeds - Standard Client Only

      --> Important client-side fix for the Google Calendar integration, which broke because of changes on the Google side


      TTAN8YRHD9 - [WINDOWS ONLY] - Additional Time Zone For Salvador & Buenos Aires Shows Incorrect Time - Standard Client Only

      Find us at Engage Conference next Week

      Daniel Nashed  26 March 2015 10:32:33
      Next week many of us are travelling to Engage conference in Ghent.
      I am already looking forward to an interesting conference and hopefully will see many of you there.

      My presentation will be an updated version of the IBM Security Best Practices session that Dave Kern and I presented at the ConnectED conference in Orlando.
      I will speak about the current status and the new stuff coming at the end of Q1 in the area of TLS, SHA-256 and related security topics.

      And as mentioned before I am working on RHEL 7 and SLES 12 systemd support for my Domino start script.
      If you have questions or feedback please find me at the conference.

      Also if you are interested in Domino on Linux you should attend Bill Malchisky's session "Adm03. The BASHing Admins: The ICS Shell Scripting Class".
      He will also use the current version of my Domino start script in his session and will show some interesting stuff that is useful for your daily Domino on Linux administration work.

      Here is a link to the track that includes our presentations.

      http://engage.ug/engage.nsf/pages/Event20150330_Sessions4

      -- Daniel