New-Domino-POOLE-Iussue-now-with-TLS
Daniel Nashed – 10 December 2014 00:16:10
There is a new exploit that affects TLS! Not all implementations of TLS are affected. But Domino and also some other solutions like the F5 load-balancer are on the list.
For more details read --> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
The problem effects all CBC ciphers. IBM is working on a solution.
Meanwhile you can disable the CBC ciphers. Currently there are only two ciphers left.
Not really completely what we want but it sounds like IBM is working on supporting more ciphers and later TLS versions (some ciphers only work with TLS 1.2).
But the first priority is to fix the currently supported ciphers.
As a work around for now change the cipher list in the Server doc / Internet Site doc. But this would not be uses for all protocols.
The better way would be to specify the cipher list via notes.ini and have it set for all internet protocols.
There is a notes.ini setting that can be used to specify the ciphers quite low-level with a single hex-byte list.
SSLCipherSpec=0405
Here is the corresponding list for the ciphers. We currently only want the RC4 ciphers -- even they are not the latest ciphers. But they are not affected by the new POODLE issue.
04 - SSL_RSA_WITH_RC4_128_MD5
05 - SSL_RSA_WITH_RC4_128_SHA
By the way: Also the currently unsupported notes.ini parameter that completely disables SSL 3.0 has leaked in a open mic session.
IBM is planning to change it to a more proper name and will document it.
Surprisingly the parameter cannot be found on Google yet... It is going to change soon, so I will not post it in a blog.
- Comments [7]