Wednesday, November 5, 2014

IBM Domino TLS and SHA-2 support, bye bye POODLE, we have the fix

In the last few days IBM has released two high-importance fixes that add TLS 1.0 support on all protocols (HTTP, LDAP, IMAP, POP, SMTP) for the Domino releases 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4 and 8.5.1 FP5, and also add support for SHA-2 certificates.

This is the complete feature list:

Added support for TLS 1.0:
  • Inbound and outbound connections
  • Over all protocols (HTTP, SMTP, LDAP, POP3, IMAP & DIIOP)
  • All platforms, including support for IBM iSeries running System_SSL
  • SSL/TLS session resumption
  • Client certificate authentication
  • TLS protocol support for the TLS_FALLBACK_SCSV Signaling Cipher Suite Value, to protect browser clients that also support TLS_FALLBACK_SCSV against downgrade attacks.
  • Will negotiate down from TLS 1.0 to SSLv3 if the other party does not support TLS 1.0. Note that protocol version *negotiation* is a different thing entirely from protocol *fallback*, as described in POODLE.
  • The cipher suite list offered by Domino when making outbound connections has been re-ordered to place the AES ciphers first.
  • Serviceability enhancements to make logging more thorough and easier to read and understand

Removed support:
  • SSLv2
  • SSL renegotiation has been disabled
  • All weak (<128 bits) cipher suites have been disabled
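To make the negotiation-versus-fallback distinction concrete, here is an added example (my own code, not IBM's and not Domino's implementation) that models how a server supporting TLS_FALLBACK_SCSV (RFC 7507) decides what to do with a ClientHello. The ClientHello bytes are constructed inline, and the server policy (TLS 1.0 as the highest version, SSLv3 still negotiable, AES suites preferred, no weak suites) is an assumption based on the feature list above.

```python
"""Added example: a minimal model of RFC 7507 TLS_FALLBACK_SCSV handling.
Not Domino's code; the server policy below is an assumption for illustration."""
import struct

SSL3, TLS10 = (3, 0), (3, 1)
TLS_FALLBACK_SCSV = 0x5600
# Cipher suite IDs the server accepts, AES first (assumed policy): AES256-SHA, AES128-SHA, 3DES-SHA.
SERVER_SUITES = [0x0035, 0x002F, 0x000A]
SERVER_MAX = TLS10            # highest protocol version this server supports


def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (no extensions) for testing."""
    body = struct.pack("!BB", *version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # compression methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return (client_version, offered_suites) from a raw ClientHello record."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello record"
    p = 9                                                  # skip record and handshake headers
    version = (rec[p], rec[p + 1])
    p += 2 + 32                                            # client_version, random
    p += 1 + rec[p]                                        # session id length + session id
    n = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", rec[p + i:p + i + 2])[0] for i in range(0, n, 2)]
    return version, suites


def server_response(rec):
    """Refuse a *fallback* below SERVER_MAX, but still *negotiate* down for a genuine legacy client."""
    version, suites = parse_client_hello(rec)
    if TLS_FALLBACK_SCSV in suites and version < SERVER_MAX:
        # The client says it could do better and is retrying lower: treat as a downgrade attack.
        return ("alert", "inappropriate_fallback")
    # Server preference order wins, so AES is picked whenever the client offers it.
    chosen = next((s for s in SERVER_SUITES if s in suites), None)
    if chosen is None:
        return ("alert", "handshake_failure")              # only weak or unknown suites offered
    return ("server_hello", min(version, SERVER_MAX), chosen)
```

A real SSLv3-only client (no SCSV) still gets an SSLv3 handshake, while a TLS-capable client retrying with SSLv3 plus the SCSV is refused.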

Here is a link to the wiki article for the TLS fix.

SHA-2 support is provided through a new command-line tool named Kyrtool, which can handle SHA-2 certificate requests and import SHA-2 certificates into Domino kyr files.
This tool works only with Domino 9.0.1 FP2 IF1 and 9.0 IF6, so here you have another reason to upgrade your Domino environment to 9 if you are still on an older release!
