The World NEXT ends
Recent Entries
- Driving around Baton Rouge yes
- Looks notable: Google, Microso
- Perspective - Welcome to the t
- and the spinning is on... IBM
- Trying to work out what was mi
- Three points that Lotusphere,
- I, Cringley: IBM’s reor
- Domino customer? Please call I
- IBM’s POODLE TLS fixes f
- Rethinking Ray Ozzie
- Good! Communication on upcomin
- What IBM’s response to t
- I, Cassandra? If you’re
- Apparent (small) update from I
- Poor Domino users. For folks w
- Re: IBM Domino and SHA-1 / SHA
- Hey, IBM! While you’re a
- Google accelerates end of SHA-
- (Repost): IBM... PLEASE update
- Something was added in the lat
Blog Roll
Categories
Archives
- April 2016 (1)
- March 2016 (1)
- January 2015 (7)
- November 2014 (1)
- October 2014 (7)
- September 2014 (1)
- August 2014 (2)
- November 2012 (1)
- December 2011 (3)
- September 2011 (1)
- August 2011 (1)
- July 2011 (4)
- May 2011 (1)
- April 2011 (1)
- February 2011 (1)
- January 2011 (8)
- December 2010 (9)
- October 2010 (1)
- September 2010 (2)
- August 2010 (4)
- July 2010 (4)
- June 2010 (1)
- May 2010 (6)
- April 2010 (11)
- March 2010 (7)
- January 2010 (17)
- December 2009 (6)
- October 2009 (6)
- September 2009 (9)
- August 2009 (6)
- July 2009 (4)
- March 2009 (6)
- February 2009 (9)
- January 2009 (16)
- December 2008 (11)
- November 2008 (6)
- October 2008 (2)
- September 2008 (11)
- August 2008 (23)
- July 2008 (18)
- June 2008 (4)
- May 2008 (6)
- April 2008 (2)
- March 2008 (7)
- February 2008 (8)
- January 2008 (24)
- December 2007 (16)
- November 2007 (19)
- October 2007 (16)
- September 2007 (5)
- July 2007 (1)
- June 2007 (13)
- May 2007 (34)
- April 2007 (29)
- March 2007 (1)
- January 2007 (1)
Links
After much worrying non-communication, IBM came out with the initial POODLE for SSL patch and then the POODLE for TLS patch.
These were timely and clean fixes - thank you IBM for these.
I've included an email to IBM support regarding the fact that the POODLE SSL/TLS fixes break Domino as an internet-facing SMTP host... a role it Domino has served for many many organizations since the Notes Server R4 days.
If you are an IBM Domino customer, please call IBM support and open a PMR on this issue. Ask them to add the PMR to SPR LMES9QRUZY this will end weight to this issue and may sway development to actual fix this fundamental issue. (PMR = "Problem Management Record" | SPR = "Software Problem Report")
Craig Wiseman January 16th, 2015 12:56:27 PM
Hi Craig,
Can you please tell us how we can test for this problem. I've applied the TLS fixes and our server is still functioning well for STMP mail - how can I tell if we're missing things?
Here are my two posts on poodle which explain what we did;
Taming the Poodle
{ Link }
Part 2 - Applying the Fix which Won't Install
{ Link }
Did I miss something?
Thanks for the question Gavin! I see from your comment on my earlier post that you've worked out why y'all are not seeing this issue.
{ Link }
If you have some other service or device receiving your email first and then relaying it to Domino, and that vendor has taken the time and care to actually maintain the security stack of their product, you won't see the issue.
IF1 for Domino 9.0.1FP3 was released and contains SPR LMES9QRUZY. As default SSLv2 handshake seems to be deactivated. Interesting is the fact that now in the log you will find this message: "This is probably an SSLv2 ClientHello record which is not supported by default to improve "out of the box" security."
...So by default it is not supported, how can I switch it on?!?...I suppose there must be a notes.ini parameter but I can't find any documentation....
Exactly, Cristian! I saw IF1 Sunday and loaded it, but I don't know what that means.
I guess I'll call support and see if they have any more detail on it.
Hi Craig. I got right now following notes.ini parameter concerning the SSLv2 ClientHello problem and SPR LMES9QRUZY from IBM support:
SL_ENABLE_INSECURE_SSLV2_HELLO=1
Have to wait for a service time slot to try it, will provide some feedback later on ....
Yes!!! It works! We can confirm it! We get the same console logs as Gilbert in the IBM Forum....
Now anyone asked IBM about previous fixpacks and previous versions of Domino?
BTW, most SSL 3.0 only web browsers also use the SSLv2 ClientHello (at least by default) which means they will also require this setting.
Discussion for this entry is now closed.