Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Domino 9.0.1 FP4 IF2 shipped with ECDHE support

Daniel Nashed  25 September 2015 14:35:19

Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped.

It contains some important fixes in the security area.
First of all, it corrects some bugs in the DHE and AES-GCM area.
It also includes fixes in MIME conversion, which are especially important for Traveler servers.

But it also introduces ECDHE ciphers!

Again, the Domino security team did a great job implementing important new functionality in an Interim Fix.

As posted before, Apple iOS 9, which shipped last week, requires ECDHE, at least for custom applications.
But we expect that in one of the next versions Apple might require ECDHE also for Safari and ActiveSync applications, as posted before.

When updating to IF2 you should remove the SSLCIPHERSPEC notes.ini setting from your server.
This will enable a good set of ciphers including DHE and ECDHE ciphers.
I am working on a more detailed blog post once I have fully tested the fix over the weekend.
My test server was rated "A+" by SSL Labs with some additional settings and with a proper certificate.
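
One way to audit a server for a leftover SSLCIPHERSPEC override and then confirm ECDHE from the client side, as an added example that is not part of the original post. The function names, the sample notes.ini contents and the host passed to check_ecdhe are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a notes.ini for a leftover SSLCIPHERSPEC override.
# File paths and host names are placeholders, not values from the post.

# Print any SSLCIPHERSPEC line with its line number; returns 1 if none is set.
# The match ignores case and leading whitespace.
find_cipherspec() {
    grep -n -i -E '^[[:space:]]*SSLCIPHERSPEC[[:space:]]*=' "$1"
}

# Write a copy of the notes.ini without the SSLCIPHERSPEC line to stdout.
# The original file is left untouched so the result can be diffed first.
strip_cipherspec() {
    grep -v -i -E '^[[:space:]]*SSLCIPHERSPEC[[:space:]]*=' "$1"
}

# After the server restart: offer only ECDHE suites over TLS 1.2 and print
# the suite the server selects. Fails if no ECDHE suite is negotiated.
check_ecdhe() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -tls1_2 -cipher ECDHE \
        </dev/null 2>/dev/null | grep 'Cipher is ECDHE'
}

# Dry run against a constructed notes.ini (not taken from a real server).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[Notes]' 'Directory=/local/notesdata' \
        'SSLCipherSpec=<old-cipher-list>' 'ServerTasks=Router,HTTP' > "$tmp"
    find_cipherspec "$tmp" && echo "override found; cleaned copy follows:"
    strip_cipherspec "$tmp"
    rm -f "$tmp"
}

demo
```

Run check_ecdhe with the server's host name and the TLS port of the service to test; a non-zero exit status means the handshake did not end on an ECDHE suite.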

Again thanks to the Domino security team for their great work!!!

-- Daniel

-- List of the server side fixes in 9.0.1 FP4 IF2 --

        Fixed a potential Domino Server crash in JVM When Converting CD To Mime.        

        Memory leaks in two MIME routines that caused Traveler 901FP7 crash/hang when fetching MIME body parts that are attachments.        

        Defensive code to prevent Traveler crash/hang when fetching MIME body parts that are attachments.        

        Fixes an AES-GCM memory leak.        

        Introduce support for Elliptic Curve TLS_ECDHE for compatibility with Apps compiled for Apple iOS 9.0 / OS X 10.11. This adds Elliptic Curve support for HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3. (technote 1966059)        

        Fixed intermittent DHE failures in TLS1.2 connections.        

        Added a debug notes.ini DEBUG_IMAP_DEADLOCK_TRACE to troubleshoot long held lock leading to insufficient memory in IMAP. This ini is off by default.
