Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Domino TLS POODLE Fix released

Daniel Nashed – 21 December 2014 23:30:09
As reported before, the Interim Fix (IF) that introduced TLS 1.0 is vulnerable to the new POODLE issue.
IBM has released a new IF for all supported versions that fixes this issue.
After installing the IF you can re-enable the CBC ciphers, which are now reported as not vulnerable by the SSL Labs test site.

In addition to this fix, IBM officially introduces a new notes.ini variable to disable SSL V3.

DISABLE_SSLV3=1 will disable SSL V3 completely. But as mentioned before, you should be certain that you really want to disable SSL V3 completely.
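To confirm that DISABLE_SSLV3=1 took effect after a restart, you can offer the server nothing but SSL 3.0 and look at the first record it sends back. The script below is an added example, not code from IBM or from this post; it builds the ClientHello by hand because many current OpenSSL builds ship without SSL 3.0 support, and the host, port and cipher offer are assumptions you supply for your own server.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Constructed offer: RSA with 3DES, AES128 and AES256 in CBC mode (0x000a, 0x002f, 0x0035)
SUITES = b"\x00\x0a\x00\x2f\x00\x35"

def sslv3_client_hello():
    """Build a ClientHello whose highest (and only) version is SSL 3.0."""
    body = (SSL3 + os.urandom(32)            # client_version, random
            + b"\x00"                        # empty session_id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00")                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply):
    """Classify the first record of the server's reply."""
    if len(reply) < 6:
        return "refused"                     # closed or reset without a full record
    if reply[0] == 0x15:
        return "refused"                     # alert record
    if reply[0] == 0x16 and reply[1:3] == SSL3 and reply[5] == 0x02:
        return "accepted"                    # ServerHello at SSL 3.0
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0-only hello and classify what comes back."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        try:
            while len(reply) < 6:            # header plus first payload byte
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except ConnectionResetError:
            pass
    return classify(reply)

if __name__ == "__main__":
    # Usage: python3 check_sslv3.py <your-domino-host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, "SSL 3.0", probe(host, port))
```

A result of "accepted" means the server still negotiates SSL V3; "refused" is what you expect once the variable is active.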

SPR #KLYH9QXMQE: Disable SSL ini:
SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability

There is a reference technote and a list of IFs for all supported releases.

Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)
http://www.ibm.com/support/docview.wss?uid=swg21693142


The following fixes for this issue are currently available:

    9.0.1 Fix Pack 2 Interim Fix 3
    9.0 Interim Fix 7
    8.5.3 Fix Pack 6 Interim Fix 6
    8.5.2 Fix Pack 4 Interim Fix 3
    8.5.1 Fix Pack 5 Interim Fix 3

Comments

1. Andy Brunner  21.12.2014 12:05:10  Domino TLS POODLE Fix released

Thanks Daniel for this update and for the reference to the Domino notes.ini parameter. The "Disable_SSLV3=1" is not in the technote.

Andy

2. Uwe Brahm  25.12.2014 15:21:03  Domino TLS POODLE Fix released

It's essential for those that have IHS in front of their Domino servers to read this technote:

{ Link }

Regards,

Uwe
