Locations of visitors to this page

only search Wiseman.La

The World NEXT ends 


After much worrying non-communication, IBM came out with the initial POODLE for SSL patch and then the POODLE for TLS patch.

These were timely and clean fixes - thank you IBM for these.

I've included an email to IBM support regarding the fact that the POODLE SSL/TLS fixes break Domino as an internet-facing SMTP host... a role it Domino has served for many many organizations since the Notes Server R4 days.


If you are an IBM Domino customer, please call IBM support and open a PMR on this issue. Ask them to add the PMR to SPR LMES9QRUZY this will end weight to this issue and may sway development to actual fix this fundamental issue.
 (PMR = "Problem Management Record" | SPR = "Software Problem Report")

Image:Domino customer? Please call IBM support help get SMTP TLS/SSL fixed

Comments (9)
Craig Wiseman January 16th, 2015 12:56:27 PM

 Comments
1) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Gavin Bollard http://dominogavin.blogspot.com 1/17/2015 4:55:33 PM

Hi Craig,

Can you please tell us how we can test for this problem. I've applied the TLS fixes and our server is still functioning well for STMP mail - how can I tell if we're missing things?

Here are my two posts on poodle which explain what we did;

Taming the Poodle

{ Link }

Part 2 - Applying the Fix which Won't Install

{ Link }

Did I miss something?

2) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Craig Wiseman 1/17/2015 10:23:34 PM

Thanks for the question Gavin! I see from your comment on my earlier post that you've worked out why y'all are not seeing this issue.

{ Link }

If you have some other service or device receiving your email first and then relaying it to Domino, and that vendor has taken the time and care to actually maintain the security stack of their product, you won't see the issue.

3) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Cristian Abate 2/17/2015 6:59:23 AM

IF1 for Domino 9.0.1FP3 was released and contains SPR LMES9QRUZY. As default SSLv2 handshake seems to be deactivated. Interesting is the fact that now in the log you will find this message: "This is probably an SSLv2 ClientHello record which is not supported by default to improve "out of the box" security."

...So by default it is not supported, how can I switch it on?!?...I suppose there must be a notes.ini parameter but I can't find any documentation....

4) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Craig Wiseman 2/17/2015 8:08:57 AM

Exactly, Cristian! I saw IF1 Sunday and loaded it, but I don't know what that means.

I guess I'll call support and see if they have any more detail on it.

5) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Cristian Abate 2/18/2015 6:06:18 AM

Hi Craig. I got right now following notes.ini parameter concerning the SSLv2 ClientHello problem and SPR LMES9QRUZY from IBM support:

SL_ENABLE_INSECURE_SSLV2_HELLO=1

Have to wait for a service time slot to try it, will provide some feedback later on ....

6) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Cristian Abate 2/18/2015 8:33:23 AM

Gilbert seems to have implemented it sucessfully:

{ Link }

Can't wait to try it too.... ;-)

7) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Cristian Abate 2/19/2015 7:39:49 AM

Yes!!! It works! We can confirm it! We get the same console logs as Gilbert in the IBM Forum....

8) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Yuhong Bao http://yuhongbao.blogspot.com 2/24/2015 4:40:59 AM

Now anyone asked IBM about previous fixpacks and previous versions of Domino?

9) Domino customer? Please call IBM support help get SMTP TLS/SSL fixed
Yuhong Bao http://yuhongbao.blogspot.com 2/24/2015 5:41:04 AM

BTW, most SSL 3.0 only web browsers also use the SSLv2 ClientHello (at least by default) which means they will also require this setting.


Discussion for this entry is now closed.