Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 

Daniel Nashed

 

Domino 9.0.1 FP5 Security Fixes and Functionality

Daniel Nashed  4 December 2015 15:14:52
This week Domino 9.0.1 FP5 has been released.
The client fixpack seems to have issues. I have seen a Support Flash alert and a couple of customers/partners contacted me with problems.

On the client side I would wait until those problems have been resolved.

But on the server side you should look into implementing FP5 soon.


I have deployed it on my production server, and I now also have incoming and outgoing "STARTTLS" enabled with additional logging via my SpamGeek application.


In addition to a couple of security fixes, the new version also has some detail fixes in the TLS area which will help to get better logging and compatibility with other environments, which is especially important for STARTTLS.


I am currently still having SSLV2 HELLO enabled on my server and I keep monitoring the logs.


And I have noticed some strange behaviour which I have already reported to IBM.
With 9.0.1 FP4 IF2, IBM changed the default cipher list, and you did not need to set SSLCipherSpec in most cases because they did a great job enabling only the secure ciphers by default and putting the other ciphers on the weak list.


In addition to security fixes, there is also a new JVM patch included in FP5.


The current JVM is 1.6 SR16 FP15, and there is a separate technote available with details of what is fixed.


Some of the fixes in Domino and also in the JVM provide better protection against the "Logjam" security vulnerability.


There are also a couple of fixes to address memory leaks -- some are in the security area.


So I would recommend considering the update soon, at least on the server side for external servers.


It works well for me and there is additional logging that can be helpful.


Update 10.12.2015: We still see some outgoing TLS connection problems for STARTTLS. I first thought this could be fixed by setting the SSLCipherSpec explicitly.
But it turned out that this does not fix it. Still troubleshooting what is going wrong. One customer has a PMR open and I am also tracing...
