Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Domino 9.0.1 FP3 IF3 is about to ship

Daniel Nashed  29 March 2015 12:33:52

Updated post:

IF2/IF3 already shipped. There is also a Wiki articile describing the changes.

The Fixlist for IF2/IF3 is confusing but it looks like the Wiki article explains it.


-->
http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2

The fixes have the release date of 27.3. the client fixes are labled "IF3", the server fixes are labled "IF2".


Here is what the fixlist says and see my comments in-line.
You should also read the Wiki entry which will hopefully also have the settings for the PFS ciphers soon.


Update: Also check for additional information in the new Wiki article --> http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration


I have installed 9.0.1 FP2 IF2 on my production Linux Server.

And I can confirm that TLS 1.2 is implemented in this version and it looks like just the fixlist is confusing.

The fixes listed in the fixlist section "IF3" are included in server fixes labled "IF2". The right client release is "IF3" in contrast.


Without any additional settings this brings you to TLS 1.2 support with the following ciphers which brings Domino to a "A-" rating.


TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA    (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

TLS_RSA_WITH_AES_128_CBC_SHA    (0x2f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA   (0xa)


The "A-" is because of missing PFS support for reference browsers.


As mentioned in the wiki article and also in the fixlist IBM also implemented some PFS ciphers.

"Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE)"


But those ciphers are disabled by default because they have higher overhead on the server and client side.
I will have a separate post for the PFS cipher support as soon official information is available.


Here is the commented SPR list

9.0.1 Fix Pack 3 Interim Fix 2 SPR #PSIH9SSAHC
/  
http://www.ibm.com/support/docview.wss?uid=swg21698994

-- PNG Vulnerability --


libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_combine_row function when decompressing the IDAT_data.
A remote attacker could exploit this vulnerability using a "very wide interlaced" PNG image to overflow a buffer and execute arbitrary code on the system or cause a denial of service.

You should wait for IF3 planned to be released very soon. The SPR list for the fix is already public and the IF will contain a couple of important fixes and new TLS 1.2 support including new ciphers.


Enclosed you find the current list. The information about how to enable those new ciphers are not yet released. I post information about those new settings and will comment on them as soon they are released.


IF3 will contain a couple of pending fixes for other issues. For example the fix for the Google Calendar Feed in the Standard Notes Client which broke because of the change on the Goodle side.



Here is a commented fix list for IF2/IF3:



-- 9.0.1 Fix Pack 3 Interim Fix 3 --


KLYH9UBNGW

Add pinning to SHA-256 for TLS 1.2        

KLYH9URNJH

TLS 1.2 Notes / Domino as a TLS client rejects handshake with server if no common signature algorithm available        

KLYH9URNFY

TLS 1.2 Client handshake request rejected by Server if server certificate chain signature type not supported by the client        

--> There have been issues specially with TLS SMTP Connections. Those two fixes help to connect even in those cases.



KLYH9UQJQN

Remove RC4-SHA from the default cipher list for TLS 1.2        

--> RC4-MD5 have already been removed before. Now also the SHA based version is rated as weak on the Domino side and disabled by default


RKUR9PEDEB

Implement HSTS (Http Strict Transport Security).This header informs supported browsers that the site should only be accessed over an SSL-protected connection (HTTPS)        

--> On a server that only allows authenticated connections I would only enable the SSL port and disable port 80 in general.
We have to wait for the full documentation to see in which condition the header is automatically set.
It should be automatically send when only HTTPS is enabled.


RGET9TSMKD

Add IP Information to HTTP Thread logs for SSL Handshake connections        

MKIN9QHT5W

Passing a directory to kyrtool will crash the tool        

DKEN9RVQGD

kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part        

--> there have been a couple cases where certificates could not be parsed correctly. This fix should solve those issues.


DKEN9SSUR6

Add more detailed logging for SSL/TLS connections to help diagnose failed connections        

--> More detailed information is important for figuring out what is going wrong in some cases.

KLYH9UFNWH

New notes.ini SSL_DISABLE_TLS_10 to support Disabling TLS1.0 for compliance reasons. Used in conjunction with existing DISABLE_SSLV3=1 allows you to limit communication to TLS 1.2 only for protocols: HTTP, SMTP, LDAP, POP3 & IMAP        

--> For now I would disable SSLv3 only and keep TLS 1.0 enabled unless you are working in an controlled environment like an intranet and you know exactly that all clients support TLS 1.2.


KLYH9QKTGH

Added SHA-256 cipher specs for increased security with TLS 1.2        

KLYH9QKTED

Added Advanced Encrption Standard (AES) Galois/Counter Mode for increased security with TLS 1.2        

--> New AES GCM ciphers. I will post details how to enable them as soon the exact implemented ciphers have been documented.

There will be documentation which ciphers are enabled by default and how to enable other ciphers.


KLYH9QKTBL

Added Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS        

--> New DHE ciphers which introduce PFS -- Perfect Forward Secrecy. I will post details how to enable them as soon the exact implemented ciphers have been documented.

There will be documentation which ciphers are enabled by default and how to enable other ciphers.


PFS is an important addition to allow more secure connections. This ensures that traffic cannot be recorded and decrypted later when the private key of one side gets compromised.



KLYH9QKT4B

Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP        

--> Support for TLS 1.2!!! That was announced at ConnectED to be available in Q1. Thanks to IBM and the team working on it.


HCHC9GG66F

Administrator Client Shows Wrong File Sizes of database with DAOS size>0 After Server Restart        

IFAY9QZGKG

Getting Error When Using Google calendar Feeds         - Standard Client Only


--> Important client side fix for Google Calender integration which broke because of changes on the Google side


TTAN8YRHD9

[WINDOWS ONLY] - Additional Time Zone For Salvador & Buenos Aires Shows Incorrect Time - Standard Client Only

Comments

1Detlev Pöttgen  29.03.2015 13:20:47  Domino 9.0.1 FP3 IF3 is about to ship

Daniel,

Domino 9.01. FP3 IF3 already released yesterday. So you should update your post.

{ Link }

cu in Ghent

Detlev

2Daniel Nashed  29.03.2015 14:11:51  Domino 9.0.1 FP3 IF3 is about to ship

@Detlev, really odd... I am still checking and sent you an email offline.

There is a Wiki entry { Link }

The server fixes are marked as IF2 but the client fixes are marked as IF3.

And the fixlist for the IF says that it is fixed in IF3.

Sounds like they have different IFs for clients and servers.

Checking right now and will update the post .

3Oliver Regelmann  29.03.2015 20:45:24  Domino 9.0.1 FP3 IF3 is about to ship

IF2 for the basic client already exists since two weeks, so this might explain the difference in versions.

4Vitor Pereira  29.03.2015 21:04:30  Domino 9.0.1 FP3 IF3 is about to ship

It is odd indeed. Just downloaded, it seems to be HF241 but it won't install on top of HF42. Here's what I'm getting:

"REVERT: Current version Release 9.0.1FP3 HF42|February 03, 2015 is not equal to new version: Release 9.0.1FP3 HF241|March 20, 2015"

5Lars Berntrop-Bos  29.03.2015 22:05:46  Domino 9.0.1 FP3 IF3 is about to ship

@Vitor i've seen that previously, so I always keep the old IF levels available to be able to revert. Also, sometimes an IF contains a regression I realy cannot live with.

In short: I try to keep current, but keep the intermediary IF fixes in case of troubles.

6Vitor Pereira  29.03.2015 23:52:10  Domino 9.0.1 FP3 IF3 is about to ship

Sorry Lars, I don't think I understand. So you're saying I should uninstall HF42 before I install HF241, is that it?

7Daniel Nashed  30.03.2015 1:38:26  Domino 9.0.1 FP3 IF3 is about to ship

That explains why they named it IF3 on the client but I would have than also name the server IF3 -- even there is no IF2 on the server side.

Specially on Linux you always have to uninstall a IF first. A FP can be reverted but a IF is basically a hotfix which neededs to be removed first on Linux.

8Kai-Uwe Rommel  30.03.2015 11:01:07  Domino 9.0.1 FP3 IF3 is about to ship

The DHE ciphers can be enabled with SSLCipherSpec in notes.ini, the page { Link } has been updated by Dave Kern with the new numbers already. He promised a more detailed wiki page for next week.

9Daniel Nashed  30.03.2015 12:06:18  Domino 9.0.1 FP3 IF3 is about to ship

Thanks Kai-Uwe, I will write up a new blog post later today with details about it ..

I had some details about it already in my presentation for engage UG

10Milan Matejic  09.04.2015 15:13:29  Domino 9.0.1 FP3 IF3 is about to ship

Hello Daniel,

does the SSL Certificate has to fulfill certain requirements before implementing TLS 1.2 on a Domino Server? Like "signature Hash Algorithm: SHA256".

Best regards,

Milan

11Daniel Nashed  09.04.2015 15:23:56  Domino 9.0.1 FP3 IF3 is about to ship

No the cert does not need to be SHA-256 before you can update and use TLS 1.2.

but it would make sense to update your cert as soon as possible because browsers are already starting to warn about SHA certificates.

-- Daniel

12Milan Matejic  10.04.2015 8:59:51  Domino 9.0.1 FP3 IF3 is about to ship

OK,

Thanks :)

Best regards,

Milan


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]