Domino 9.0.1 FP4 IF2 shipped with ECDHE support
Daniel Nashed – 25 September 2015 14:35:19
Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped.
It contains some important fixes in the security area.
First of all it corrects some bugs in the DHE and AES-GCM area.
And also fixes in MIME conversion specially important for Traveler servers.
But it also introduces ECDHE ciphers!
Again the Domino security team did a great job implementing important new functionality in an Interims Fix.
As posted before Apple iOS 9 which shipped last week requires ECDHE at least for custom applications.
But we expect that in one of the next version Apple might require ECDHE also for Safari and ActiveSync applications as posted before.
When updating to IF2 you should remove the SSLCIPHERSPEC notes.ini setting from your server.
This will enable a good set of ciphers including DHE and ECDHE ciphers.
I am working on a more detailed blog post once I have fully tested the fix over the weekend.
My test server was rated "A+" by SSL Labs with some additional settings and with a proper certificate.
Again thanks to the Domino security team for their great work!!!
-- Daniel
-- List of the server side fixes in 9.0.1 FP4 IF2 --
ACHG9XJB6Y
Fixed a potential Domino Server crash in JVM When Converting CD To Mime.
ECYS9XXDMF
Memory leaks in two MIME routines that caused Traveler 901FP7 crash/hang when fetching MIME body parts that are attachments.
PLYSA2EQ5T
Defensive code to prevent Traveler crash/hang when fetching MIME body parts that are attachments.
KLYHA2DKT7
Fixes an AES-GCM memory leak.
KLYH9YNR8F
Introduce support for Elliptic Curve TLS_ECDHE for compatibility with Apps compiled for Apple iOS 9.0 / OS X 10.11. This adds Elliptic Curve support for HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3. (technote 1966059)
RPINA2FNSM
Fixed intermittent DHE failures in TLS1.2 connections.
TDOOA2GP8G_DEBUG
Added a debug notes.ini DEBUG_IMAP_DEADLOCK_TRACE to troubleshoot long held lock leading to insufficient memory in IMAP. This ini is off by default.
- Comments [0]