Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

TLS and SHA-2 Support and the POODLE Attack

Daniel Nashed  21 October 2014 19:20:27

IBM has officially responded to the POODLE attack and also officially responded to newer crypto standards.

Very good news for Domino! IBM will introduce TLS 1.0 and SHA-2 support for all protocols soon!

The current technotes mention a very short timeframe and it looks like we are going to get fixes at least for the current Domino 9.0.1 code stream.

Some fixes will be also in the 8.5.x code-stream but some of the improvements like SHA-2 support cannot be back ported.


So you should be prepared with all your internet facing servers to deploy 9.0.1 with current fixpack 2!


IBM will introduce support for the current standards soon which will also address the POODLE attack.

IMHO the risk right now is not very high and and most of the HTTPS internet facing servers for larger companies already use Secure Reverse Proxies.
And you might need to have a closer look into what crypto levels those server currently support! You should disable SSL 3.0 on all servers as far as it is currently possible. This is not just true for Domino.


IBM is working on improving the crypto "stack" (part of the lower network layer -- "NTI" which is the base for all Internet protocols and this includes in consequence also the keyring file used to store your internet certificates) in Domino in a short timeframe.


Enclosed you find links for the two new technotes which provide details about what IBM is working on...


We have been asking for years specially for TLS 1.0 and higher support for SMTP. Now it looks like we are getting it also for all other internet protocols!


That's really great news!!


-- Daniel



How is IBM Domino impacted by the POODLE attack?


http://www.ibm.com/support/docview.wss?uid=swg21687167


Planned SHA-2 deliveries for IBM Domino 9.x


http://www.ibm.com/support/docview.wss?uid=swg21418982

Comments

1Daniel Nashed  23.10.2014 12:55:22  TLS and SHA-2 Support and the POODLE Attack

there is also another blog entry from Kramer Reeves mentioning the technotes and also gives a management statement.

https://www.socialbizug.org/blogs/Kramer/entry/ibm_to_resolve_poodle_attack_threat_for_domino_plus_plans_for_domino_sha_2_and_tls_1_0_support

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]