1Fredrik Norling  12.10.2020 12:54:09  Easy kyr file creation with Early Access V12 in production

So we are going back to the old ways almost of doing this before the kyr files.

The good thing with the openssl and kyr file way was that it was easier to automate with batch files. ;-)

2Daniel Nashed  13.10.2020 17:58:30  Easy kyr file creation with Early Access V12 in production

@Fredrik,

Not really back to what it was before. The new servertask and database will be completely different!

- It will internally use PEM format all over the place

- Form how it looks like you will have different ways to interface it

- the certstore.nsf is a Domain wide database that deploys certficates for all servers

- The documents are planned to be encrypted for safe storage on rest and there will be fine control who can access them

- Let's Encrypt is fully supported and the resulting keys and certs are in the certstore.nsf

- There are manual operations to interface create key-pairs, CSRs, import certs etc

- There are discussions to support other formats for export/import for example .p12

- There might be interface options to integrate with other CAs

If you are interested in this topic, you should join us in the Early Access Program and Forum to provide early feedback.

The HCL development team is looking for early access feedback!

So if you are not joining, you can't complain later ;-)

-- Daniel

3Samuel Flint  14.10.2020 14:59:35  Easy kyr file creation with Early Access V12 in production

Domino's HTTP stack has been behind the times for quite a while, so far as HTTPS goes.

To get proper SSL support, we ended up running Domino in HTTP-only mode, behind an Nginx reverse proxy.

The alternate HTTP port is not exposed to the outside world.

We use WACS to automatically renew letsencrypt certificates.

This setup performs beautifully.

As you can see from ssllabs, we have an A+ rating on our production servers. https://www.ssllabs.com/ssltest/analyze.html?d=www.customer2you.com&latest

4Daniel Nashed  14.10.2020 22:55:44  Easy kyr file creation with Early Access V12 in production

@Samuel,

Thanks for your comments!

What do you miss for Domino HTTPS in the current releases?

In Domino 9.0.1 shortly before Poodle came up, IBM started to introduce new features step by step.

They wanted to do it on one step, but because of Poodle they needed to get something out sooner.

So they started with TLS 1.0 with some ciphers and step by step in FPs and IFs added TLS functionality and ciphers.

All the ciphers and configuration was notes.ini only and they changed that with the next major version Domino 10

Since than we had a pretty good set of ciphers. But yes it's TLS 1.2 only

Hopefully we will get TLS 1.3 for Domino V12.

There is finally SNI support since Domino 11.0.1 -- which made me very happy.

But with the ciphers we have and the current changes with Domino V12 we are on a good level.

There is ECC / ECDSA support in the current code drops for V12.

What else are you missing for HTTPS security?

-- Daniel