Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

New-Domino-POOLE-Iussue-now-with-TLS

Daniel Nashed  10 December 2014 01:16:10
There is a new exploit that affects TLS! Not all implementations of TLS are affected.
But Domino and also some other solutions like the F5 load-balancer are on the list.


For more details read -->
https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls

The problem effects all CBC ciphers. IBM is working on a solution.
Meanwhile you  can disable the CBC ciphers. Currently there are only two ciphers left.
Not really completely what we want but it sounds like IBM is working on supporting more ciphers and later TLS versions (some ciphers only work with TLS 1.2).

But the first priority is to fix the currently supported ciphers.

As a work around for now change the cipher list in the Server doc / Internet Site doc. But this would not be uses for all protocols.

The better way would be to specify the cipher list via notes.ini and have it set for all internet protocols.


There is a notes.ini setting that can be used to specify the ciphers quite low-level with a single hex-byte list.


SSLCipherSpec=0405


Here is the corresponding list for the ciphers. We currently only want the RC4 ciphers -- even they are not the latest ciphers. But they are not affected by the new POODLE issue.


04 - SSL_RSA_WITH_RC4_128_MD5

05 - SSL_RSA_WITH_RC4_128_SHA


By the way: Also the currently unsupported notes.ini parameter that completely disables SSL 3.0 has leaked in a open mic session.

IBM is planning to change it to a more proper name and will document it.

Surprisingly the parameter cannot be found on Google yet... It is going to change soon, so I will not post it in a blog.

Comments

1Andy Brunner  10.12.2014 8:50:39  New-Domino-POOLE-Iussue-now-with-TLS

Thanks a lot, Daniel!

2Thomas Stoeger  12.12.2014 13:08:27  New-Domino-POOLE-Iussue-now-with-TLS

How can i specify the ciphers on the IHS ?

3Tobi  15.12.2014 12:15:26  New-Domino-POOLE-Iussue-now-with-TLS

Hi Daniel,

I found this notes.ini setting on Darren Dukes Blog ({ Link })

DEBUG_UNSUPPORTED_DISABLE_SSLV3=17

(but apperently it isn't officially supported by IBM yet). Its soposed to completely disable SSLv3 on Domino:

4Daniel Nashed  15.12.2014 16:44:42  New-Domino-POOLE-Iussue-now-with-TLS

@Tobi, yes that's the current parameter and it works but I is completely unsupported.

Domino 9.0.1 FP2 IF3 is about to be released and will have a new parameter.

I will blog about it as soon it is released.

-- Daniel

5Tobi  16.12.2014 14:37:03  New-Domino-POOLE-Iussue-now-with-TLS

@Daniel: Great - thanks we will be patient :)

6Dietmar Dumke  18.12.2014 16:09:46  Disabling all but RC4 breaks WinPhone/8

Disabling all but RC4 ciphers seems to break Winphone/8 connections to Traveler because these devices seem to not support RC4. In opposition to iOS devices (which still support RC4). It seems the best compromise for now is to leave CBC ciphers enabled but to disable SSLv3 with that unsupported notes.ini parameter, until IF3 has been released.

7Daniel Nashed  19.12.2014 7:11:24  Disabling all but RC4 breaks WinPhone/8

@Dietmar, disabling SSL3 does not help in that case. The CBC ciphers are vulnerable on TLS 1.0 as well. That's the problem with the new POODLE issue.

The fix is going to be released soon. And that is the only real solution. RC4 is not really a good solution at all but if you are concerned about the POODLE fix there is no other way than disabling the other ciphers until the fix is released.

-- Daniel


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]