only search Wiseman.La

The World NEXT ends 

There's been a justifiable bit of a hullabaloo about security and IBM Domino (nee Lotus Domino).

The biggest point lately concerning Domino's shameful lack of general support for modern Web security has hinged around Domino's support for only the
SHA1 hash. What's sad about this is that "The first signs of weaknesses in SHA1 appeared (almost) ten years ago. - Qualys Blog". Ten years ago... back when IBM gave the appearance of caring about Domino's future.

Now Google has announced (bolding is mine):

The use of SHA-1 within TLS certificates is no longer sufficiently secure. This is an intent to phase them out (in 2-3 years). In order to make such a phase-out execute smoothly, rather than be an Internet flag day, we will be degrading the experience when these certificates are used in the wild.

Google's full proposal, "Intent to Deprecate: SHA-1 certificates"

ZDnet discussion, "Google accelerates end of SHA-1 support; certificate authorities nervous"

This apparently means that in Google Chrome, your "secure" Domino websites will get a user interface indicator that there's something wrong, or not up to snuff with your site.

Just to remind you, as of 09/11/2014, here's IBM's official stance on SHA2 support:
click to see on IBM's site

When trying to import the root CA, with a key length of 4096 and SHA-256, the following error appears:

"Certificate signature does not match contents."

Is it possible to use a CA with a key length of 4096 and SHA-256 with Domino 8.x or 9.0.x?

Resolving the problem

No, Domino does not support SHA-2; only MD5, SHA-1, and DSA are currently supported. SPR # ABAI7SASE6 (APAR LO48388) has been submitted to Quality Engineering to request support for SHA-2 in future releases.

IMPORTANT: This SHA1 discussion is only a small piece of this issue.
Traditionally, Lotus, then IBM has been a good steward and added new features and security to Domino as things evolved. Before v4.6, Domino didn't even have a web server (actually, it was called the Notes server before v4.6), and SMTP was originally a separate piece that hooked into the Notes server. LDAP, POP3, XML, RSS, etc... all were added and melded into the product over time. We need TLS 1.2+, DKIM, DMARC, etc.

Very simply and clearly, it's time for IBM to continue this process and add full TLS 1.3 support for all Domino services (HTTPS, SMTP, POP3, LDAP, IMAP, etc) on all platforms.

Otherwise, better hope Rose has some room on the plank for you.

Titantic hitting the iceberg

Comments (4)
Craig Wiseman September 11th, 2014 11:25:15 AM