Daniel Nashed 21 October 2014 19:20:27
IBM has officially responded to the POODLE attack and also officially responded to newer crypto standards.
Very good news for Domino! IBM will introduce TLS 1.0 and SHA-2 support for all protocols soon!
The current technotes mention a very short timeframe and it looks like we are going to get fixes at least for the current Domino 9.0.1 code stream.
Some fixes will be also in the 8.5.x code-stream but some of the improvements like SHA-2 support cannot be back ported.
So you should be prepared with all your internet facing servers to deploy 9.0.1 with current fixpack 2!
IBM will introduce support for the current standards soon which will also address the POODLE attack.
IMHO the risk right now is not very high and and most of the HTTPS internet facing servers for larger companies already use Secure Reverse Proxies.
And you might need to have a closer look into what crypto levels those server currently support! You should disable SSL 3.0 on all servers as far as it is currently possible. This is not just true for Domino.
IBM is working on improving the crypto "stack" (part of the lower network layer -- "NTI" which is the base for all Internet protocols and this includes in consequence also the keyring file used to store your internet certificates) in Domino in a short timeframe.
Enclosed you find links for the two new technotes which provide details about what IBM is working on...
We have been asking for years specially for TLS 1.0 and higher support for SMTP. Now it looks like we are getting it also for all other internet protocols!
That's really great news!!
How is IBM Domino impacted by the POODLE attack?
Planned SHA-2 deliveries for IBM Domino 9.x
- Comments