Tuesday, 31 March 2015

"TLS" Interim Fixes for IBM Notes and Domino

IBM has just released new Interim Fixes for Domino and Notes. Check this out! You can find the download links here.
Mainly, this "fix" enables industry-standard security features such as PFS, HSTS and TLS 1.2 for Domino and also for the Notes client.
In my opinion, "IF" is just too small a label for the content this fix contains. IBM introduced TLS with a delay of more than 5 years, and now they also have 1.2 running. I hope IBM continues to implement new encryption methods for Domino as soon as they are released.

Before this fix was released, you needed to install Domino with IHS (or use an additional proxy) and configure the IHS to use TLS, PFS etc.
I didn't check the supported cipher methods yet, but I think we can uninstall our IHS and start using Domino HTTP again - if you don't need to use TLS 1.1. This is still unsupported.


Regards,
Jan

Friday, 20 March 2015

IBM Domino and TLS - Part 1 - How to fix your trust & security issues

Recently a customer asked me how he could raise the site rating for his iNotes / webmail server.
The rating for his server in the Qualys SSL check was T:


iNotes was not accessible even though the Domino server itself had no problems at all.
This problem appeared after several modern browsers updated their security policies. I will try to explain what is causing these problems and how you can solve them:

"This server's certificate is not trusted, see below for details."
This often indicates that you are using self-signed certificates or certificates that were created/signed by an untrusted CA. I would advise you to buy an SSL certificate from a common vendor. You can get one for less than $20 a year. The ROI is reached the first time a user in your company doesn't ask you for details about this message.

"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate."
IBM provided fix packs for the POODLE exploits and also implemented TLS 1.0. (index of fix packs)
Yes, only v1.0, even though v1.2 has existed for more than 6 years and there are already known vulnerabilities.
You will also have to set the notes.ini parameter DISABLE_SSLV3=1.
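To check the two findings above from the outside, for example after setting DISABLE_SSLV3=1 and before re-running the Qualys test, here is an added Python probe. It is not part of the original post and not IBM's code; the host and port you pass in are assumptions, and it needs network access to the server under test.

```python
"""Probe one HTTPS host for the two Qualys findings discussed above. Added
example, not IBM's or the author's code; host and port are assumptions."""
import socket
import ssl
from contextlib import suppress
from ssl import TLSVersion

# Protocol versions the post talks about, and the OpenSSL error reasons that
# mean the *local* libssl refused to offer a version (server never reached).
PROTOCOLS = {"SSLv3": TLSVersion.SSLv3, "TLS 1.0": TLSVersion.TLSv1,
             "TLS 1.1": TLSVersion.TLSv1_1, "TLS 1.2": TLSVersion.TLSv1_2}
LOCAL_REFUSAL = {"UNSUPPORTED_PROTOCOL", "NO_PROTOCOLS_AVAILABLE"}

def handshake(host, port, version=None, timeout=5.0):
    """version=None: default context, OS CA store (a browser's view); else one
    handshake pinned to that version, verification off. True: negotiated;
    False: server refused or chain failed; None: local build cannot offer it."""
    if version is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with suppress(ssl.SSLError):            # other libssl builds keep defaults
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 1.1+/3.x: legacy suites
        try:
            ctx.minimum_version = ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as err:
        return None if err.reason in LOCAL_REFUSAL else False
    except ConnectionResetError:                # some servers just drop the socket
        return False

def findings(protocols, trusted):
    """Map probe results onto the Qualys messages quoted in the post."""
    out = []
    if not trusted:
        out.append("certificate not trusted: install a certificate from a public CA")
    if protocols.get("SSLv3"):
        out.append("SSLv3 accepted (POODLE): set DISABLE_SSLV3=1 in notes.ini")
    if not protocols.get("TLS 1.2"):
        out.append("TLS 1.2 not negotiated: install the TLS 1.2 Interim Fix")
    return out

def audit(host, port=443):
    protocols = {name: handshake(host, port, v) for name, v in PROTOCOLS.items()}
    return protocols, findings(protocols, handshake(host, port))
```

Call `audit("mail.example.com")` and read the result: a None for SSLv3 means your own OpenSSL build cannot speak SSLv3 any more, so confirm that finding with `openssl s_client -ssl3` on an older build or with the Qualys test itself.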

I will discuss the other problems in my next posts.
I would be happy if you could leave some comments on my first part, or just share this blog with others ;-)

As security seems to be something that was left behind in many companies over the last years, I am trying to revive this topic by writing about things that I come into contact with as a junior consultant at an IBM Premier Business Partner company.

How to run IBM Notes Traveler with two hostnames and multiple SSL certificates

Hello,

recently my company decided to update the certificates to SHA-2-signed certificates.
Traveler is accessed via several URLs: one internal URL that is used by "BES"-managed devices and one external URL that is used by Android devices. The server itself only provided one certificate, for the public address. While setting up BlackBerry 10 devices, we needed to manually trust the certificate provided by Traveler.

So... how can I update the certificate without getting security warnings on the BlackBerry 10 devices again? This would be a catastrophe because every device sync would stop until the user accepts the new certificate.


Solution A - Use a multi-domain certificate

Solution B - Use two certificates and one Internet Site document for each keyring/certificate on your IBM Notes Traveler server

Another hint: collect information about the URLs used for your Traveler by enabling the Domino web log.


Greetings,
Jan