Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Domino 9.0.1 FP4 IF2 Security Update

Daniel Nashed  26 September 2015 10:38:11

After updating to the new IF, which introduces ECDHE, a few additional settings get you to an "A+" SSL Labs rating.



Image:Domino 9.0.1 FP4 IF2 Security Update


When you install IF2 you get a good set of ciphers by default.

In the previous sets of fixes DHE was disabled by default. Now both DHE and ECDHE are enabled by default, so there is not much you have to do beyond that.

Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end)

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128

TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   112

The SSL Labs rating says that PFS is supported with current browsers: "Forward Secrecy - With modern browsers". That wording means the server prefers the ECDHE/DHE suites at the top of the list, but the static RSA suites and 3DES further down are still offered as a fallback, so a client that only speaks those gets a session without forward secrecy.


-- Disable SSL V3 --

First of all you have to disable SSL V3. By default it is still enabled, and I think it is time to completely disable it; SSL Labs also marks a server down for still accepting it.


DISABLE_SSLV3=1

The current fixes also support HSTS, but the default max age is a bit too low. SSL Labs only credits HSTS towards an A+ if the max-age is at least 180 days (15552000 seconds), so I set the following notes.ini settings (17280000 seconds is 200 days):

HTTP_HSTS_MAX_AGE=17280000

HTTP_HSTS_INCLUDE_SUBDOMAINS=1

Which resulted in the following rating:

"Strict Transport Security (HSTS)   Yes   max-age=17280000; includeSubDomains"



-- OCSP --

OCSP stapling is also supported in the current version.

I have set the following notes.ini settings to enable it and to specify the responder URL for my certificate provider. I also enabled debug logging for testing (turn OCSP_LOGLEVEL down again once stapling works) and allowed for a clock difference between the server and the responder, so that a small time skew does not cause the response to be rejected. Note that these are notes.ini settings and therefore apply to the whole server, not to an individual Internet Site document.

SSL_ENABLE_OCSP_STAPLING=1

OCSP_RESPONDER=http://evssl-ocsp.globalsign.com/responder
OCSP_CLOCKSKEW=10
OCSP_LOGLEVEL=31

The result is:

OCSP stapling  -> Yes
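To check a server's notes.ini against the SSL V3, HSTS and OCSP settings described above, here is an added example (my own script for this post, not Domino or IBM code). It parses a notes.ini fragment, predicts the Strict-Transport-Security header the HTTP task would send, and lists what still deviates from the hardened configuration. The sample notes.ini is constructed; the 180-day threshold is the one SSL Labs requires for the HSTS A+ bonus; the lint treating OCSP_LOGLEVEL=31 as debug-only mirrors the text above.

```python
"""Audit the notes.ini TLS settings from the sections above.

Added example for this post, not code from Domino or IBM. It parses a
notes.ini fragment, checks the settings the post uses (DISABLE_SSLV3,
HTTP_HSTS_MAX_AGE, HTTP_HSTS_INCLUDE_SUBDOMAINS, SSL_ENABLE_OCSP_STAPLING,
OCSP_RESPONDER, OCSP_LOGLEVEL) and predicts the Strict-Transport-Security
header value. The sample notes.ini below is constructed.
"""

# SSL Labs only credits HSTS towards A+ if max-age is at least 180 days.
SSLLABS_HSTS_MIN_AGE = 180 * 24 * 3600  # 15552000 seconds

# Constructed sample: the settings from the post plus a dummy ServerName.
SAMPLE_NOTES_INI = """\
[Notes]
ServerName=CN=nsh-dummy/O=Example
DISABLE_SSLV3=1
HTTP_HSTS_MAX_AGE=17280000
HTTP_HSTS_INCLUDE_SUBDOMAINS=1
SSL_ENABLE_OCSP_STAPLING=1
OCSP_RESPONDER=http://evssl-ocsp.globalsign.com/responder
OCSP_CLOCKSKEW=10
OCSP_LOGLEVEL=31
"""


def parse_notes_ini(text):
    """Return notes.ini settings as a dict. Keys are upper-cased because
    Domino treats them case-insensitively; section headers and comment
    lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def hsts_max_age(settings):
    """Configured max-age in seconds, or None if the setting is absent."""
    value = settings.get("HTTP_HSTS_MAX_AGE")
    return int(value) if value and value.isdigit() else None


def hsts_header(settings):
    """Predict the Strict-Transport-Security value for these settings.
    Returns None when HTTP_HSTS_MAX_AGE is not set explicitly (this audit
    insists on an explicit value, since the post says the built-in default
    is too short) or is 0, which SSL Labs reports as 'Disabled max-age=0'."""
    max_age = hsts_max_age(settings)
    if not max_age:
        return None
    header = f"max-age={max_age}"
    if settings.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") == "1":
        header += "; includeSubDomains"
    return header


def audit(settings):
    """Return a list of findings; an empty list means the settings match
    the hardened configuration described in the post."""
    findings = []
    if settings.get("DISABLE_SSLV3") != "1":
        findings.append("SSLv3 still enabled: set DISABLE_SSLV3=1")

    max_age = hsts_max_age(settings)
    if max_age is None:
        findings.append("HTTP_HSTS_MAX_AGE not set: the post uses 17280000 (200 days)")
    elif max_age < SSLLABS_HSTS_MIN_AGE:
        findings.append(
            f"HSTS max-age {max_age} is below {SSLLABS_HSTS_MIN_AGE} "
            "(180 days), the SSL Labs A+ minimum"
        )
    if settings.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") != "1":
        findings.append("HSTS does not cover subdomains: set HTTP_HSTS_INCLUDE_SUBDOMAINS=1")

    if settings.get("SSL_ENABLE_OCSP_STAPLING") != "1":
        findings.append("OCSP stapling disabled: set SSL_ENABLE_OCSP_STAPLING=1")
    else:
        # OCSP responses are signed, so responder URLs are plain http://.
        if not settings.get("OCSP_RESPONDER", "").startswith("http://"):
            findings.append("OCSP_RESPONDER missing or not an http:// URL")
        # 31 is the debug level the post used for testing; lower it once
        # stapling is confirmed to work.
        if settings.get("OCSP_LOGLEVEL") == "31":
            findings.append("OCSP_LOGLEVEL=31 is debug logging: lower it after testing")
    return findings


if __name__ == "__main__":
    cfg = parse_notes_ini(SAMPLE_NOTES_INI)
    print("Strict-Transport-Security:", hsts_header(cfg))
    for finding in audit(cfg) or ["no findings"]:
        print("-", finding)
```

Run it against a copy of the real notes.ini and compare the predicted header with what SSL Labs or `curl -sI` reports; if the header never shows up although the audit is clean, look at the Internet Site document rather than at notes.ini (see the comments below).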



-- Cipher Configuration --

The cipher configuration has changed a bit. Cipher suites are configured via their hex IDs, and the new ECDHE suites have IDs like C030 that need four digits.
Using SSLCipherSpec you can continue to configure the existing ciphers with the two-digit code (2F for 002F).
But I would recommend that you start using four digits for all cipher types to keep the settings consistent.

There is also a way to disable certain ECDHE curves via notes.ini settings.

And you can also generate your own DHE groups (DH parameters) instead of using the built-in ones.

I don't want to repeat all the settings from the current documentation.
The wiki entry has been updated. You find all the details here:


http://www.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

Most of these settings are not required for a good rating. But the options can help when you have special requirements.
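As an added example for the cipher list and the four-digit configuration discussed above (my own script for this post, not Domino or IBM code), the following parses the suite lines of an SSL Labs report, checks that the forward-secret ECDHE/DHE suites come before the static RSA ones in the server-preferred order, and builds an SSLCipherSpec value with four digits for every suite. It assumes that SSLCipherSpec is the hex suite codes concatenated in preference order without separators, and that a legacy two-digit code such as 2F denotes the same suite as 002F; the sample report is a constructed subset of the listing above.

```python
"""Build a Domino SSLCipherSpec value from an SSL Labs cipher listing.

Added example for this post, not code from Domino or IBM. Assumptions:
SSLCipherSpec is the hex suite codes concatenated in preference order with
no separators, and a two-digit legacy code (2F) equals the four-digit
form (002F). SAMPLE_REPORT is a constructed subset of the post's listing.
"""
import re

SAMPLE_REPORT = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits (p: 256, g: 1, Ys: 256)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)         256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)         128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)         112
"""

# "TLS_<name> (0x<code>)": SSL Labs prints the IANA suite number in hex.
SUITE_RE = re.compile(r"^(TLS_\w+)\s+\(0x([0-9A-Fa-f]{1,4})\)")


def parse_report(text):
    """Return [(suite_name, four_digit_hex_code), ...] in listed order."""
    suites = []
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append((m.group(1), m.group(2).upper().zfill(4)))
    return suites


def classify(name):
    """Properties of a suite derived from its IANA name."""
    return {
        "pfs": "_ECDHE_" in name or "_DHE_" in name,  # ephemeral key exchange
        "aead": "_GCM_" in name,                       # AES-GCM, no CBC padding
        "3des": "3DES" in name,                        # 112-bit legacy suite
    }


def pfs_first(suites):
    """True if every forward-secret suite precedes every non-PFS suite,
    i.e. the server-preferred order gives modern clients forward secrecy."""
    seen_non_pfs = False
    for name, _ in suites:
        if classify(name)["pfs"]:
            if seen_non_pfs:
                return False
        else:
            seen_non_pfs = True
    return True


def build_cipherspec(suites, drop_3des=True, pfs_only=False):
    """Concatenate four-digit codes in preference order. 3DES is dropped by
    default; pfs_only also drops the static RSA fallback suites, which
    locks out clients that cannot do ECDHE or DHE."""
    codes = []
    for name, code in suites:
        props = classify(name)
        if drop_3des and props["3des"]:
            continue
        if pfs_only and not props["pfs"]:
            continue
        codes.append(code)
    return "".join(codes)


def normalize_codes(codes):
    """Rewrite a hand-written list of mixed two/four-digit codes into the
    consistent four-digit form recommended in the post."""
    return "".join(code.upper().zfill(4) for code in codes)


if __name__ == "__main__":
    suites = parse_report(SAMPLE_REPORT)
    print("PFS suites preferred:", pfs_first(suites))
    print("SSLCipherSpec=" + build_cipherspec(suites))
```

Keep the static RSA suites unless you know every client does ECDHE or DHE, and check the generated codes against the list of suites the server actually supports in the wiki entry above; a code the server does not know will not enable anything.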

-- Daniel



Comments

1 - Matteo Bisi  27.09.2015 23:37:22  Domino 9.0.1 FP4 IF2 Security Update

thanks Daniel, awesome post !

2 - Andreas Imnitzer   28.09.2015 23:08:11  Domino 9.0.1 FP4 IF2 Security Update

Thanks, Daniel!

3 - Wolfgang Fey  29.09.2015 8:42:37  Domino 9.0.1 FP4 IF2 Security Update

Very good explanation. Thanks!

4 - Jason  29.09.2015 19:57:42  Domino 9.0.1 FP4 IF2 Security Update

Any idea why this happens when testing on SSL Labs?

Additional Certificates (if supplied)

Certificates provided 1 (2280 bytes)

Chain issues Incomplete

server.csr: openSSL-win64 generated

step by step from this:

{ Link }

Thanks

5 - Daniel Nashed  30.09.2015 8:04:49  Domino 9.0.1 FP4 IF2 Security Update

maybe you have not imported the intermediate certificates.

hard to tell without knowing details.

6 - Nahuel Andreano  30.09.2015 16:42:12  Domino 9.0.1 FP4 IF2 Security Update

Excellent post! Very useful.

I have a question: why do the HSTS parameters have no effect on my installation? It's a Traveler site.

7 - Martin Ziegler  02.10.2015 9:44:11  Domino 9.0.1 FP4 IF2 Security Update

Thanks for the post!

Same for me, I have tried to configure HSTS as described on a traveler server without success.

SSLLabs says: Strict Transport Security (HSTS) Disabled max-age=0

8 - Martyn  27.10.2015 12:22:15  Domino 9.0.1 FP4 IF2 Security Update

HSTS is only enabled when you use an Internet Site document. HSTS will not work with just a server document.

Add a website document ( in PAB -> Configuration -> Web -> Internet Sites ) using the IP/URL of your website.

9 - Daniel Nashed  02.11.2015 14:07:30  Domino 9.0.1 FP4 IF2 Security Update

@Martyn, yes this is a known issue --> SPR# BBSZA2UJPA

10 - Patrick Tippner  12.11.2015 15:55:01  Domino 9.0.1 FP4 IF2 Security Update

Thank you for the valuable information you provided! I'm just wondering why I can't seem to get either OCSP stapling or HSTS working despite making the changes in notes.ini and restarting the server. Might this happen because we're using multiple Internet Site documents with different keyring files on our Domino web server? I found some comments on Darren Duke's site that seem to indicate this:

"2 - Shaun 10/01/2015 12:33:50 PM

Darren, do you know if there is any way to configure this for multiple internet sites that are using different keyrings with different SSL issuers?


3 - Darren Duke 10/02/2015 4:26:24 AM

@2, as far as I know there is not a way to do this in Domino. You could open a PMR and request it as a feature. In fact I had the same issue and fixed it by adding an NGINX proxy in front which can do this.

"


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]