The World NEXT ends
Recent Entries
- Driving around Baton Rouge yes
- Looks notable: Google, Microso
- Perspective - Welcome to the t
- and the spinning is on... IBM
- Trying to work out what was mi
- Three points that Lotusphere,
- I, Cringley: IBM’s reor
- Domino customer? Please call I
- IBM’s POODLE TLS fixes f
- Rethinking Ray Ozzie
- Good! Communication on upcomin
- What IBM’s response to t
- I, Cassandra? If you’re
- Apparent (small) update from I
- Poor Domino users. For folks w
- Re: IBM Domino and SHA-1 / SHA
- Hey, IBM! While you’re a
- Google accelerates end of SHA-
- (Repost): IBM... PLEASE update
- Something was added in the lat
Blog Roll
Categories
Archives
- April 2016 (1)
- March 2016 (1)
- January 2015 (7)
- November 2014 (1)
- October 2014 (7)
- September 2014 (1)
- August 2014 (2)
- November 2012 (1)
- December 2011 (3)
- September 2011 (1)
- August 2011 (1)
- July 2011 (4)
- May 2011 (1)
- April 2011 (1)
- February 2011 (1)
- January 2011 (8)
- December 2010 (9)
- October 2010 (1)
- September 2010 (2)
- August 2010 (4)
- July 2010 (4)
- June 2010 (1)
- May 2010 (6)
- April 2010 (11)
- March 2010 (7)
- January 2010 (17)
- December 2009 (6)
- October 2009 (6)
- September 2009 (9)
- August 2009 (6)
- July 2009 (4)
- March 2009 (6)
- February 2009 (9)
- January 2009 (16)
- December 2008 (11)
- November 2008 (6)
- October 2008 (2)
- September 2008 (11)
- August 2008 (23)
- July 2008 (18)
- June 2008 (4)
- May 2008 (6)
- April 2008 (2)
- March 2008 (7)
- February 2008 (8)
- January 2008 (24)
- December 2007 (16)
- November 2007 (19)
- October 2007 (16)
- September 2007 (5)
- July 2007 (1)
- June 2007 (13)
- May 2007 (34)
- April 2007 (29)
- March 2007 (1)
- January 2007 (1)
Links
There's been a justifiable bit of a hullabaloo about security and IBM Domino (nee Lotus Domino).
The biggest point lately concerning Domino's shameful lack of general support for modern Web security has hinged around Domino's support for only the SHA1 hash. What's sad about this is that "The first signs of weaknesses in SHA1 appeared (almost) ten years ago. - Qualys Blog". Ten years ago... back when IBM gave the appearance of caring about Domino's future.
Now Google has announced (bolding is mine): The use of SHA-1 within TLS certificates is no longer sufficiently secure. This is an intent to phase them out (in 2-3 years). In order to make such a phase-out execute smoothly, rather than be an Internet flag day, we will be degrading the experience when these certificates are used in the wild.
Google's full proposal, "Intent to Deprecate: SHA-1 certificates"
ZDnet discussion, "Google accelerates end of SHA-1 support; certificate authorities nervous"
This apparently means that in Google Chrome, your "secure" Domino websites will get a user interface indicator that there's something wrong, or not up to snuff with your site.
Just to remind you, as of 09/11/2014, here's IBM's official stance on SHA2 support:
click to see on IBM's site
Problem
When trying to import the root CA, with a key length of 4096 and SHA-256, the following error appears:
"Certificate signature does not match contents."
Is it possible to use a CA with a key length of 4096 and SHA-256 with Domino 8.x or 9.0.x?
Resolving the problem
No, Domino does not support SHA-2; only MD5, SHA-1, and DSA are currently supported. SPR # ABAI7SASE6 (APAR LO48388) has been submitted to Quality Engineering to request support for SHA-2 in future releases.
IMPORTANT: This SHA1 discussion is only a small piece of this issue. Traditionally, Lotus, then IBM has been a good steward and added new features and security to Domino as things evolved. Before v4.6, Domino didn't even have a web server (actually, it was called the Notes server before v4.6), and SMTP was originally a separate piece that hooked into the Notes server. LDAP, POP3, XML, RSS, etc... all were added and melded into the product over time. We need TLS 1.2+, DKIM, DMARC, etc.
Very simply and clearly, it's time for IBM to continue this process and add full TLS 1.3 support for all Domino services (HTTPS, SMTP, POP3, LDAP, IMAP, etc) on all platforms.
Otherwise, better hope Rose has some room on the plank for you.
.
Comments (4)
Craig Wiseman September 11th, 2014 11:25:15 AM