A blog about Social Collaboration, Security, Messaging, Mobility ... and other stuff that comes to my mind
Thursday, 18 February 2016
IBM Domino and TLS - Part 2 - How To fix your trust & security issues
"Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2"
You only have to request a SHA2 signature the next time you order a certificate from your trusted certificate vendor. In most cases you should also be able to request a re-issue of your existing certificates at no further charge. Keep in mind that you will have to use the KYR tool to merge the SHA2-signed certificates into your keyring.
I recommend reading this article from netcraft.com for further information on SHA, including a cost estimate for cracking SHA1-signed certificates.
"The server supports only older protocols, but not current best TLS 1.2"
That is a pretty easy one: you only have to update your Domino server to the most recent release. Domino supports TLS 1.2 starting with 9.0.1.3 IF2.
"The server private key is too small and insecure"
You will have to create a new key with >2048 bits and a new certificate/certificate request based on that key. Free tools such as XCA or OpenSSL can be used to generate the key.
Keep in mind that keys generated by tools like XCA may not be as random as keys that draw on mouse movement or other entropy sources.
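The two key-related findings above (weak SHA1 signature, key too small) are both avoided at request time. The following script is an added example, not part of the original post: it generates a 4096-bit RSA key with OpenSSL, builds a SHA-256-signed CSR for a placeholder hostname, and then audits both artifacts against the scanner's rules before anything is sent to the CA or merged into the keyring with the KYR tool.

```shell
#!/bin/sh
# Added example: create a >2048-bit key and a SHA-2 signed CSR for a Domino
# server, then verify both properties locally. Hostname is a placeholder.
set -e
HOST="${1:-domino.example.com}"      # assumed/placeholder hostname
WORKDIR="$(mktemp -d)"

# Generate a fresh 4096-bit RSA private key and a CSR signed with SHA-256.
gen_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -out "$WORKDIR/server.key" 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/server.key" \
    -subj "/CN=$HOST" -out "$WORKDIR/server.csr"
}

# Print the modulus size of the generated key (e.g. 4096).
key_bits() {
  openssl rsa -in "$WORKDIR/server.key" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the signature algorithm used on the CSR (e.g. sha256WithRSAEncryption).
csr_sig_alg() {
  openssl req -in "$WORKDIR/server.csr" -noout -text \
    | sed -n 's/^ *Signature Algorithm: \(.*\)/\1/p' | head -n1
}

# Apply the same two rules the TLS scanner reports on: key size and SHA-2.
# Returns 0 when both pass, 1 otherwise.
audit() {
  bits="$(key_bits)"; alg="$(csr_sig_alg)"
  [ "$bits" -ge 2048 ] || { echo "key too small: $bits bits"; return 1; }
  case "$alg" in
    sha256*|sha384*|sha512*) ;;
    *) echo "weak signature: $alg"; return 1 ;;
  esac
  echo "ok: $bits-bit key, $alg"
}

# Stand-alone usage: generate, then audit.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  gen_key_and_csr
  audit
fi
```

The resulting key and the certificate the CA issues for this CSR are what you later merge into the Domino keyring with the KYR tool.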
Monday, 15 February 2016
multiple vulnerabilities in Java SDK affecting Notes and Domino
A few days ago IBM reported multiple vulnerabilities in the Java SDK that affect all Notes & Domino versions, including 9.0.1.5.
You may find a summary of all(12!) vulnerabilities here and (Notes) here (Domino).
The vulnerabilities carry CVSS scores from 4 up to 10 (the maximum) and should be fixed as soon as possible. IBM offers JVM patches for most Domino/Notes versions. If you cannot find what you need, you will have to open a PMR and request a custom fix.
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 SR16FP15 that is used by IBM Notes Standard Client. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and include the vulnerability commonly referred to as “SLOTH”.
Just two weeks ago I already needed to update all our Domino servers because of this vulnerability.
Let us hope that it will be the last one in this quarter.