Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Cluster Failover on W2008 and higher - disable Port Stealth Mode

Daniel Nashed  21 November 2015 09:34:21
I should have blogged about this earlier. It was in my 2013 IBM Connected presentation but besides the TN and my presentation there is not much information.
If you are using Domino clustering on Win2008 or higher you should really disable the port Stealth mode!

This week I ran into a customer crash situation with repeated crashes which took a while to fix.

The failover on their Win2012 R2 servers was painfully slow.

In Win2008 Microsoft introduced a feature called the Port Stealth mode.

This new "security feature" is enabled by default and is independent from the Windows Firewall.

If Domino no longer listens on NRPC port 1352, Windows will discard all TCP/IP packets for new and also existing connections.

That means the Notes client still thinks that the server is there and tries again to send TCP packets until the TCP timeout is reached.

The client hangs for 30 up to 60 seconds until the failover occurs because Windows does not reject the packets from the client.

Once you have disabled the Stealth mode via registry values, the client failover is again almost immediate.

You should also enable silent cluster failover in the desktop policy to avoid any prompts and the failover is almost seamless in most of the cases.

And in current Domino releases the client will also fail back to the home-mail-server later on.

To disable the port Stealth mode you have to set the registry values mentioned in the technote and we had to restart Windows to ensure the settings take effect.

Registry Settings:










IBM Technote -->

The IBM TN is referencing the following Microsoft Technote -->
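
One way to verify the change from another machine, as an added example that is not part of the original post: with Stealth mode disabled, a port nobody listens on should answer with an immediate reset ("refused") instead of silence. The function names and the loopback self-check are constructs of this example.

```python
import socket
import time


def probe_tcp_port(host, port, timeout=3.0):
    """Classify how `host` answers a new TCP connection to `port`.

    Returns (state, seconds):
      "open"    - something is listening (SYN/ACK received)
      "refused" - the OS answered with a reset, so a client can fail over at once
      "silent"  - nothing came back before the timeout, which is what a closed
                  port looks like while Stealth mode (or a firewall) drops packets
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "refused"
    except socket.timeout:
        state = "silent"
    finally:
        sock.close()
    return state, time.monotonic() - started


def loopback_demo():
    """Self-check on 127.0.0.1: probe a listening port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    for label, (state, seconds) in zip(("listening", "closed"), loopback_demo()):
        print(f"{label:9s} -> {state} after {seconds:.3f}s")
```

Run `probe_tcp_port` against the server's port 1352 while the Domino server task is stopped: "silent" after the full timeout matches the slow failover described above, "refused" within milliseconds matches the behaviour after the registry change.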

DNUG Domino Day in Düsseldorf

Daniel Nashed  18 November 2015 17:32:57
Last call! In case you did not know yet.
There is a new type of event organized by DNUG next Tuesday.
I am very interested to see how the feedback to this new event type is.

The event is free for DNUG members and in case you are not a member there is a small fee.

Also the way to enroll is different. The DNUG board wants to make it easier and tries different ways to organise the event.

I am looking forward to the event and I hope to see many of you next week!

The sessions are all in German but since my blog is English I am still writing this blog entry in English.

See the agenda below and there are more details in the event document.

-- Daniel


| Time | Topic | Speaker |
|---|---|---|
| 9:00 – 9:15 | Welcome | |
| 9:15 – 10:15 | Client strategy: Which client in which environment | Christian Henseler |
| 10:30 – 11:15 | Client strategy: IMSMO – Outlook 2013 as front end for Domino | Manfred Lenz (IBM) |
| 11:30 – 12:30 | Client strategy: Calendaring – coexistence, interoperability and troubleshooting | Anett Hammerschmidt (AHT Consulting), Manfred Lenz (IBM) |
| 12:30 – 13:30 | Lunch break | |
| 13:30 – 14:15 | Client/server licenses: Finally clarity on IBM licenses for IBM Notes Domino, Connections and Sametime | Michael Deery |
| 14:30 – 15:30 | Server security: Domino Security – Best Practices | Daniel Nashed (Nash!Com) |
| 15:30 – 16:00 | Coffee break | |
| 16:00 – 17:00 | Client/server outlook: IBM Verse and an outlook on the things IBM still has in the pipeline | Olaf Börner (BCC Unternehmensberatung GmbH) |
| 17:00 – 17:15 | End | |

The event is free for DNUG members. Non-members are charged a fee of € 90 net.

    Traveler Fixes and DBMaint Command

    Daniel Nashed  7 October 2015 23:36:54

    A new Traveler Version has been released today.

    There are a couple of important fixes and you should consider updating soon.
    Below you find a fix list.

    There is also a new Traveler command mainly for enterprise database management called DBMaint.

    Here is a link to the updated documentation section -->

    Because it is brand new I have to check how it works in detail and there is a planned Open Mic Session that will deal with this new functionality as well.

        Topic: What's New in IBM Traveler?
        Date: Wednesday, October 14, 2015
        Time: 11:00 AM EDT (15:00 UTC/GMT, UTC-4 hours) for 60 minutes

    See details here -->

    This update is important for stand-alone and HA configurations.
    My Traveler server is already updated...

    Usage: tell traveler DBMaint
    Where includes:
     Run                                  - Immediately performs online maintenance. If the server is standalone, then it will configure maintenance to run on restart.
     Show                                 - Displays various database maintenance scheduling information.
     Fragmentation                        - Recommends database maintenance based on fragmentation levels.
     Set Interval                  - Sets the interval of days in which automatic database maintenance will perform.
     Set Time                     - Sets the time in 24-hour format in which automatic database will perform.
     Set Day          - Sets the day of the week for the first scheduled automatic maintenance to start from.
                                             Set to off if you want the first scheduled maintenance to be based off of the last maintenance time.
      Set Threshold               - Configures automatic database maintenance to check fragmentation levels before it will execute.
      Set Auto                    - Enablement for automatic database maintenance.
                                             Re-enablement will reschedule maintenance if either the time or interval have changed.
      Set Indexes                 - Configures the number of fragmented indexes for the fragmentation threshold.
      Set Ownership                        - Configures ownership of database maintenance to this server. This server will be
                                             the only server that can perform automatic database maintenance.
      Set Percent <0-100>                  - (ONLY FOR SQL SERVER) Configures the fragmentation percentage of indexes for the fragmentation threshold.
      Set Functions <1-4>                  - (ONLY FOR DB2) Configures the number of functions that are used to determine if an index is fragmented for the fragmentation threshold.                          

    APAR # Abstract
    LO85584 Explicit commit is not needed for database select statements.
    LO86339 Warning may be displayed for redirect to SSL setting that is not in effect.
    LO86341 Add covering index to improve performance of update queries.
    LO86366 User may stop syncing after migration to HA environment AND change mail template.
    LO86445 Traveler syncs attachments in very small chunks causing mail delays and possible server crash.
    LO86448 Enable Calendar ghosting for ActiveSync devices when running on Domino 8.5.3 server.
    LO86466 Get Error 400 trying to read encrypted e-mail on Companion app for Apple devices.
    LO86496 Server crash on buffer over run error if log message is too long.
    LO86500 Shake to undo folder move in native Apple mail client may not be reflected on server.
    LO86516 PDF attachment not viewable if missing pdf extension.
    LO86521 Principal field is blank on draft e-mail created by IBM Verse mobile client.
    LO86530 Unnecessary error logging e-mails with attachments with no file name.
    LO86562 Individually delete all instances of repeating meeting in IBM Verse mobile client will not delete all entries from server copy.
    LO86610 Threaded e-mail move to folder not shown in new folder in IBM Verse client.

      Higher Crypt-Standards with Notes/Domino and updated JVM 1.6

      Daniel Nashed  2 October 2015 20:46:52
      There is a brand new TN describing how to enable higher security for the updated JVM 1.6 in Notes/Domino.

      The IBM 1.6 JVM does support TLS 1.2 and also some modern ciphers.

      Sadly by default they cannot be used because they use higher encryption levels (AES 256) which are disabled by default in the IBM and even in the current Oracle JVM 1.8.

      The TN describes a download for something that is called "Java Cryptography Extension" which is nothing new and is around with descriptions for other products and JVM versions.

      But now that Notes/Domino has updated crypto standards in the JVM in some of the last updates and Domino also supports (EC)DHE with higher encryption levels, looking into those higher encryption levels in the JVM makes sense.

      When you download the install files you basically get two jars that replace your JVM security files (in notes\jvm\lib\security).

      The two jar files local_policy.jar and US_export_policy.jar contain two files

      - default_local.policy
      - default_US_export.policy

      I have done some testing with the feed reader which started to use DHE_RSA_WITH_AES_256_CBC_SHA with 2048 bit key and TLS 1.2  which is already great.
      That provides PFS via DHE cipher and also AES 256 with a CBC cipher. Sadly it still uses SHA and no GCM cipher.

      With the new Mac 64bit client using the Oracle 8 JVM you still need the same type of patches.

      My tests using the feed-reader and embedded browser on the new Mac Notes 9.0.1 64bit resulted in a ECDHE_RSA_WITH_AES_128_GCM_SHA256 connection!
      So now the Mac is using higher encryption levels for Java than the current Notes/Domino 9.0.1 release with current JVM patches (1.6.0 SR16 FP7).

      I would wish that IBM would update the JVM in Windows and Linux as well in the 9.0.1 code stream!!

      To give you some additional background about the changed settings.
      You can see that the old files contained restrictions (probably because some countries still don't allow higher crypto).
      The replaced files remove all the restrictions.

      Have a great weekend!!!

      -- Daniel

      -- Old Content --

      // Some countries have import limits on crypto strength. This policy file is worldwide importable.
      grant {
         permission javax.crypto.CryptoPermission "DES", 64;
         permission javax.crypto.CryptoPermission "DESede", *;
         permission javax.crypto.CryptoPermission "RC2", 128,
                                          "javax.crypto.spec.RC2ParameterSpec", 128;
         permission javax.crypto.CryptoPermission "RC4", 128;
         permission javax.crypto.CryptoPermission "RC5", 128,
               "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
         permission javax.crypto.CryptoPermission "RSA", 2048;
         // Every algorithm not listed above (AES included) is capped at 128 bits.
         permission javax.crypto.CryptoPermission *, 128;
      };

      -- New Content --

      // Manufacturing policy file.
      grant {
         // There is no restriction to any algorithms.
         permission javax.crypto.CryptoAllPermission;
      };
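
To make the effect of the two policy files concrete, here is an added example (not from the original post or from IBM) that parses both grant blocks and reports the key size each one allows per algorithm. It evaluates one policy file on its own and models the lookup as "algorithm entry first, otherwise the `*` entry"; the function names are this example's own.

```python
import re

UNLIMITED = float("inf")

# Policy text as quoted in the post (old = restricted, new = unrestricted).
OLD_POLICY = '''
// Some countries have import limits on crypto strength.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    permission javax.crypto.CryptoPermission *, 128;
};
'''
NEW_POLICY = '''
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};
'''

ENTRY = re.compile(
    r'permission javax\.crypto\.CryptoPermission ("([^"]+)"|\*)\s*,\s*(\d+|\*)')


def parse_policy(text):
    """Return {algorithm: max key bits}; "*" is the wildcard, "ALL" means no limits."""
    text = re.sub(r"//[^\n]*", "", text)           # drop line comments
    limits = {}
    for statement in text.split(";"):
        statement = " ".join(statement.split())    # normalise whitespace
        if "javax.crypto.CryptoAllPermission" in statement:
            limits["ALL"] = UNLIMITED
            continue
        match = ENTRY.search(statement)
        if match:
            algorithm = match.group(2) or "*"
            bits = match.group(3)
            limits[algorithm] = UNLIMITED if bits == "*" else int(bits)
    return limits


def max_key_bits(limits, algorithm):
    """Largest key size the parsed policy allows for `algorithm`."""
    if "ALL" in limits:
        return UNLIMITED
    if algorithm in limits:
        return limits[algorithm]
    return limits.get("*", 0)                      # no entry at all: nothing allowed


def usable_suites(limits, suites):
    """Cipher suites whose AES key size fits under the policy's AES limit."""
    allowed = max_key_bits(limits, "AES")
    return [s for s in suites
            if (m := re.search(r"AES_(\d+)", s)) and int(m.group(1)) <= allowed]


# The two suites the post reports seeing in its tests.
PAGE_SUITES = ["DHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for label, text in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        limits = parse_policy(text)
        print(label, "AES max:", max_key_bits(limits, "AES"),
              "usable:", usable_suites(limits, PAGE_SUITES))
```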

      OSX 10.11 El Capitan does not only support ECDHE Ciphers

      Daniel Nashed  1 October 2015 10:21:45

      After updating to OSX 10.11 I did a quick test.
      It wasn't clear whether Apple would support only ECDHE when implementing their new ATS standard.

      The first tests show that the current ciphers are there but Apple does even support quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fallback.

      But you never know if this is going away in one of the next updates.

      Here is a trace against a Domino 9.0.1 FP4 IF2 server.
      You can see all supported common ciphers and I highlighted the most important parts of the handshake.

      Happy updating!

      -- Daniel

      SSLProcessProtocolMessage> Record Content: Handshake (22)
      SSLProcessHandshakeMessage Enter> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 0 Cipher: Unknown Cipher (0x0000)
      SSLProcessHandshakeMessage client_hello> SGC FLAG: 0 CTX state = 3 SGCCount = 0
      SSLProcessClientHello> clientVersion: 0303
      SSLProcessClientHello> SSL/TLS protocol clientVersion 0x0303, serverVersion 0x0303
      SSLProcessClientHello> 26 ciphers requested by client
      SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSLProcessClientHello> Best common cipherspec 0xC030 (so far)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)
      SSLProcessClientHello> Client requested RSA_WITH_AES_256_GCM_SHA384 (0x009D)
      SSLProcessClientHello> Best common non-EC cipherspec 0x009D (so far)
      SSLProcessClientHello> Client requested RSA_WITH_AES_128_GCM_SHA256 (0x009C)
      SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA256 (0x003D)
      SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA256 (0x003C)
      SSLProcessClientHello> Client requested RSA_WITH_AES_256_CBC_SHA (0x0035)
      SSLProcessClientHello> Client requested RSA_WITH_AES_128_CBC_SHA (0x002F)
      SSLProcessClientHello> Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
      SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
      SSLProcessClientHello> Client requested ECDHE_RSA_WITH_RC4_128_SHA (0xC011)
      SSLProcessClientHello> Client requested RSA_WITH_RC4_128_SHA (0x0005)
      SSLProcessClientHello> Client requested RSA_WITH_RC4_128_MD5 (0x0004)
      SSLProcessClientHello> Extensions found in this message
      SSLProcessClientHello> Received TLS Server Name Indication (SNI) extension
      SSLProcessClientHello> SNI - client requested server name ''
      SSLProcessClientHello> Received Elliptic Curves extension
      SSLProcessClientHello> Client supports NamedCurve secp256r1 (23)
      SSLProcessClientHello> Client supports NamedCurve secp384r1 (24)
      SSLProcessClientHello> Client supports NamedCurve secp521r1 (25)
      SSLProcessClientHello> Received EC Point Formats extension
      SSLProcessClientHello> Client supports uncompressed (0) points
      SSLProcessClientHello> Processing TLS signature algorithms extension
      SSLProcessClientHello> Client supports hash mask 0x0034; server cert chain has mask 0x0014
      SSLProcessClientHello> Extension type 0x3374, extension length 0x0000
      SSLProcessClientHello> Extension type 0x0010, extension length 0x0030
      SSLProcessClientHello> Processing TLS Status Request extension (OCSP)
      SSLProcessClientHello> Extension type 0x0012, extension length 0x0000
      SSLProcessClientHello> hash/alg in certchain  fSupHasAlg:0000
      SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSLProcessHandshakeMessage Exit> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSLAdvanceHandshake Enter> Processed: ClientHello (1) State: HandshakeServerIdle (3)
      SSLAdvanceHandshake client_hello> SGC FLAG: 0   Count = 2
      SSLAdvanceHandshake client_hello> Using resumed SSL/TLS Session
      SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHello
      SSLEncodeServerHello> Sending empty renegotiation_info (0xff01) extension
      SSLEncodeServerHello> Sending empty status_request (0x0005) extension
      SSLEncodeServerHello> Sending supported point formats (0x000b) extension
      SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeChangeCipherSpec
      SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeFinishedMessage
      SSLCalculateTLS12FinishedMessage Enter> senderID: server finished, PRF using SHA384
      SSLAdvanceHandshake Exit> State HandshakeChangeCipherSpec (13)
      SSL_Handshake> After handshake state = HandshakeChangeCipherSpec (13); Status = -5000
      int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
      SSLProcessProtocolMessage> Record Content: Change cipher spec (20)
      SSL_Handshake> After handshake2 state HandshakeFinished (14)
      int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
      SSLProcessProtocolMessage> Record Content: Handshake (22)
      SSLProcessHandshakeMessage Enter> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSLCalculateTLS12FinishedMessage Enter> senderID: client finished, PRF using SHA384
      SSLProcessHandshakeMessage Exit> Message: Finished (20) State: HandshakeFinished (14) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSLAdvanceHandshake Enter> Processed: Finished (20) State: HandshakeFinished (14)
      SSLAdvanceHandshake Exit> State HandshakeServerIdle (3)
      SSL_Handshake> After handshake2 state HandshakeServerIdle (3)
      SSL_Handshake> Using resumed SSL/TLS session
      SSL_Handshake> Protocol Version TLS1.2 (0x303)
      SSL_Handshake> Cipher = ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
      SSL_Handshake> KeySize = 256 bits
      SSL_Handshake> Original Elliptic Curve = NIST P-256 (23)
      SSL_Handshake> Server RSA key size = 2048 bits
      SSL_Handshake> SSLErr = 0
      SSL_Handshake> TLS/SSL Handshake completed successfully
      int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
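
A trace like this can be audited mechanically. The following added example (not part of the original post) parses the "Client requested" and "We selected cipher" lines and reports which offered suites are weak (RC4, 3DES, MD5), which lack forward secrecy, and whether the selected suite is an ECDHE/DHE suite with GCM. The sample is a shortened excerpt of the trace above; the function names and the weak-marker list are this example's own choices.

```python
import re

WEAK_MARKERS = ("RC4", "3DES", "MD5")

REQUESTED = re.compile(r"Client requested (\S+) \((0x[0-9A-Fa-f]{4})\)")
SELECTED = re.compile(r"We selected cipher (\S+) \((0x[0-9A-Fa-f]{4})\)")

# Shortened excerpt of the Domino debug trace shown above.
SAMPLE_TRACE = """\
SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
SSLProcessClientHello> Best common cipherspec 0xC030 (so far)
SSLProcessClientHello> Client requested RSA_WITH_AES_256_GCM_SHA384 (0x009D)
SSLProcessClientHello> Client requested RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
SSLProcessClientHello> Client requested ECDHE_RSA_WITH_RC4_128_SHA (0xC011)
SSLProcessClientHello> Client requested RSA_WITH_RC4_128_MD5 (0x0004)
SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
""".splitlines()


def classify(name):
    """Derive security properties from a suite name such as ECDHE_RSA_WITH_AES_256_GCM_SHA384."""
    if name.startswith("TLS_"):
        name = name[4:]
    key_exchange = name.split("_WITH_")[0]
    return {
        "forward_secrecy": key_exchange.startswith(("ECDHE", "DHE")),
        "aead": "_GCM_" in name,
        "weak": [marker for marker in WEAK_MARKERS if marker in name],
    }


def parse_trace(lines):
    """Return ([(suite name, code)], selected suite name or None)."""
    requested, selected = [], None
    for line in lines:
        match = REQUESTED.search(line)
        if match:
            # Signalling values such as ..._SCSV are not real cipher suites.
            if "_WITH_" in match.group(1):
                requested.append((match.group(1), int(match.group(2), 16)))
            continue
        match = SELECTED.search(line)
        if match:
            selected = match.group(1)
    return requested, selected


def audit(lines):
    """Summarise what the client offered and what the server picked."""
    requested, selected = parse_trace(lines)
    chosen = classify(selected) if selected else None
    return {
        "requested": len(requested),
        "weak_offered": [n for n, _ in requested if classify(n)["weak"]],
        "no_forward_secrecy": [n for n, _ in requested
                               if not classify(n)["forward_secrecy"]],
        "selected": selected,
        "selected_ok": bool(chosen and chosen["forward_secrecy"]
                            and chosen["aead"] and not chosen["weak"]),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```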

        IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN )

        Daniel Nashed  29 September 2015 14:03:34
        Wow the Mac 64bit Client has been released today!

        If you are looking for it, the description and the part number might help.
        Already downloaded from Partnerworld. I hope you also find it in Passport Downloads already.

        IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN ).

        And here is the technote ->

        Have fun!


        Domino 9.0.1 FP4 IF2 Security Update

        Daniel Nashed  26 September 2015 10:38:11

        After updating to the new IF which introduces ECDHE with some additional settings you can get to an "A+" SSL Labs rating.


        When you install IF2 by default you get a good set of ciphers.

        In the previous sets of fixes DHE was disabled by default. Now you have DHE and also ECDHE enabled by default.
        There is not much you have to do in addition to that.

        Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)

        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)

        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits (p: 256, g: 1, Ys: 256)

        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits (p: 256, g: 1, Ys: 256)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)

        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)

        TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)         256

        TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)         128

        TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)         256

        TLS_RSA_WITH_AES_256_CBC_SHA (0x35)         256

        TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)         128

        TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)         128

        TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)         112

        The SSL Labs rating says that PFS is supported with current browsers: "Forward Secrecy - With modern browsers"

        -- Disable SSL V3 --

        First of all you have to disable SSL V3. By default it is still enabled.
        And I think it is time to completely disable it.


        The current fixes also support HSTS but by default the max age is a bit too low.
        So I set the following notes.ini settings:



        Which resulted in the following rating:

        "Strict Transport Security (HSTS)   Yes   max-age=17280000; includeSubDomains"

        -- OCSP --

        Also OCSP is supported in the current version.

        I have set the following notes.ini settings to enable it and to specify the responder URL for my certificate provider.
        And I also enabled debugging for testing and ensured that time differences of different clocks do not cause any issues.



        The result is:

        OCSP stapling  -> Yes

        -- Cipher Configuration --

        The cipher configuration has changed a bit. For the new ciphers you need four digits.
        Using the SSLCipherSpec you can continue to configure the existing ciphers using the two digit code.
        But I would recommend that you start using 4 digits for all cipher types to keep the settings more consistent.

        Also there is a way to disable certain ECDHE Curves via notes.ini settings.

        And you can also generate your own DHE Groups.

        I don't want to repeat all the settings from the current documentation.
        The wiki entry has been updated. You find all the details here:

        Most of the settings are not really required. But those options can help when you have special requirements.

        -- Daniel

        Domino 9.0.1 FP4 IF2 shipped with ECDHE support

        Daniel Nashed  25 September 2015 16:35:19

        Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped.

        It contains some important fixes in the security area.
        First of all it corrects some bugs in the DHE and AES-GCM area.
        And also fixes in MIME conversion, especially important for Traveler servers.

        But it also introduces ECDHE ciphers!

        Again the Domino security team did a great job implementing important new functionality in an Interim Fix.

        As posted before Apple iOS 9 which shipped last week requires ECDHE at least for custom applications.
        But we expect that in one of the next versions Apple might require ECDHE also for Safari and ActiveSync applications as posted before.

        When updating to IF2 you should remove the SSLCIPHERSPEC notes.ini setting from your server.
        This will enable a good set of ciphers including DHE and ECDHE ciphers.
        I am working on a more detailed blog post once I have fully tested the fix over the weekend.
        My test server was rated "A+" by SSL Labs with some additional settings and with a proper certificate.

        Again thanks to the Domino security team for their great work!!!

        -- Daniel

        -- List of the server side fixes in 9.0.1 FP4 IF2 --

                Fixed a potential Domino Server crash in JVM When Converting CD To Mime.        

                Memory leaks in two MIME routines that caused Traveler 901FP7 crash/hang when fetching MIME body parts that are attachments.        

                Defensive code to prevent Traveler crash/hang when fetching MIME body parts that are attachments.        

                Fixes an AES-GCM memory leak.        

                Introduce support for Elliptic Curve TLS_ECDHE for compatibility with Apps compiled for Apple iOS 9.0 / OS X 10.11. This adds Elliptic Curve support for HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3. (technote 1966059)        

                Fixed intermittent DHE failures in TLS1.2 connections.        

                Added a debug notes.ini DEBUG_IMAP_DEADLOCK_TRACE to troubleshoot long held lock leading to insufficient memory in IMAP. This ini is off by default.

          IBM Champion Nomination

          Daniel Nashed  17 September 2015 12:41:48
          The IBM Champion program is a great way to thank active members of the community.

          "The IBM Champion program recognizes innovative thought leaders in the technical community — and rewards these contributors by amplifying their voice and increasing their sphere of influence.
          An IBM Champion is an IT professional, business leader, developer, or educator who influences and mentors others to help them make best use of IBM software, solutions, and services."

          So if there is someone you think who deserves it, here is the nomination form -->

          For more details see -->


            iOS 9 Released and Traveler continues to work without ECDHE

            Daniel Nashed  16 September 2015 21:00:34
            Yesterday Apple released the final version of iOS 9.
            As posted before, it wasn't clear which part of the ATS specification they would enforce for ActiveSync connections and other internal applications like the Safari web browser.

            My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet.

            I was still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not test all types of Apple applications but at least Safari also continues to work).

            In my tests I have disabled TLS 1.2 and I have also disabled the DHE ciphers and iOS 9 was still able to connect over ActiveSync to my Traveler server.

            So it is still important that we are getting an update for Domino 9.0.1 FP4 that introduces ECDHE (which is expected until end of September) but we have been lucky that Apple is not enforcing the full ATS standard for Safari and ActiveSync yet.

            Below you see the list of ciphers my iOS 9 device requested. This looks like a pretty wide range of ciphers with a lot of non-ECDHE ciphers.

            Here is again a link to the IBM technote -->

            You should update all your iOS apps to the latest version. There have been fixes for the companion and the todo app for iOS 9 support.

            As of now the TN is not updated to reflect my findings for the internal applications. And I would be interested to hear from your tests and results with iOS 9.

            I have not tested with RSA keys < 2048 or a non-SHA-256 cert. Can anyone share their findings?
            You can either reply here or drop me an e-mail.

            -- Daniel

            ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

            ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

            ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)

            ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)

            ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)

            ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)

            ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)

            ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

            ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)

            ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)

            ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)

            ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)

            ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)

            ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012)

            RSA_WITH_AES_256_GCM_SHA384 (0x009D)

            RSA_WITH_AES_128_GCM_SHA256 (0x009C)

            RSA_WITH_AES_256_CBC_SHA256 (0x003D)

            RSA_WITH_AES_128_CBC_SHA256 (0x003C)

            RSA_WITH_AES_256_CBC_SHA (0x0035)

            RSA_WITH_AES_128_CBC_SHA (0x002F)

            RSA_WITH_3DES_EDE_CBC_SHA (0x000A)

            ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)

            ECDHE_RSA_WITH_RC4_128_SHA (0xC011)

            RSA_WITH_RC4_128_SHA (0x0005)

            RSA_WITH_RC4_128_MD5 (0x0004)