Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Domino TLS POODLE Fix released

Daniel Nashed – 21 December 2014 23:30:09
As reported before, the IF that introduced TLS 1.0 is vulnerable to the new POODLE issue.
IBM released a new IF for all supported versions that fixes this issue.
After installing the IF, you can re-enable the CBC ciphers, which are now reported as not vulnerable by the SSL Labs Test site.

In addition to this fix, IBM officially introduces a new notes.ini variable to disable SSL V3.

DISABLE_SSLV3=1 disables SSL V3 completely. As mentioned before, be sure that you really want to disable SSL V3 completely before you set it.
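
One way to check a server's notes.ini for this setting, as an added example that is not from the original post or from IBM. The function name, the status strings and the sample file contents are assumptions, as is matching the parameter name case-insensitively.

```shell
#!/bin/sh
# Added example: report how DISABLE_SSLV3 is set in a given notes.ini.
# Prints one of: disabled | not-set | not-disabled | ambiguous
sslv3_ini_status() {
    awk '
        { sub(/\r$/, "") }                     # tolerate CRLF line endings
        {
            eq = index($0, "=")
            if (eq == 0) next                  # section headers, blank lines
            name = toupper(substr($0, 1, eq - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", name)  # assumption: names compared
            if (name != "DISABLE_SSLV3") next  # case-insensitively
            value = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            seen++
            if (seen == 1) first = value
            else if (value != first) conflict = 1
        }
        END {
            if (seen == 0)          print "not-set"
            else if (conflict)      print "ambiguous"     # duplicate entries disagree
            else if (first == "1")  print "disabled"
            else                    print "not-disabled"  # e.g. DISABLE_SSLV3=0
        }
    ' "$1"
}

# Constructed sample notes.ini (not taken from a real server).
demo_ini=$(mktemp)
printf '[Notes]\nDirectory=/local/notesdata\nDISABLE_SSLV3=1\n' > "$demo_ini"
echo "DISABLE_SSLV3 status: $(sslv3_ini_status "$demo_ini")"
rm -f "$demo_ini"
```

An `ambiguous` result means the file contains more than one DISABLE_SSLV3 line with different values; clean those up by hand rather than relying on whichever entry the server reads.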

SPR #KLYH9QXMQE: Disable SSL ini:
SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability

There is a reference technote and a list of IFs for all supported releases.

Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)
http://www.ibm.com/support/docview.wss?uid=swg21693142


Fixes for this issue are currently available in:

    9.0.1 Fix Pack 2 Interim Fix 3
    9.0 Interim Fix 7
    8.5.3 Fix Pack 6 Interim Fix 6
    8.5.2 Fix Pack 4 Interim Fix 3
    8.5.1 Fix Pack 5 Interim Fix 3
