I noticed that this site (www-10.lotus.com) shows TLS 1.2 and a 256-bit encryption signature. My server, now using a SHA-2 certificate, still says TLS 1.0. Also, SSL 3.0 is still enabled and some security sites are recommending disabling it. I only have a single V3 cipher enabled (AES 256). Should I (and if so, how do I?) disable SSL 3.0 support totally? Since modern browsers support TLS, I don’t see why not. Is there a notes.ini setting and/or other configuration change needed? I disabled SSL renegotiation. At this stage, I just want to see better scores. I’m still sitting at a “C” using the Qualys SSL Labs site, https://www.ssllabs.com/ssltest/ (excellent tool, with detailed output).
***Also, just curious, why does the KYRTOOL need access to the notes.ini? Does it make an API call or check for a notes.ini setting?
I know we are late to TLS. It does take time to code. We had the TLS 1.0 code further along and decided it was appropriate to deliver that to get something out quickly. TLS 1.2, suffice to say, we are sizing and working on it, but SEC regulations prohibit us from making forward-looking statements to the level of detail that you would want. All I can say is: watch this space (technote http://www-01.ibm.com/support/docview.wss?uid=swg21418982) and focus on this point:
IBM is committed to delivering a secure and reliable offering. It is our intention to continue to address general enhancements including security updates as is our general practice in our product development cycles or in our ongoing subscription updates.
I know I must be spoiled that the old method was fairly easy, but (and I’m sure like many other admins) I only have to request certificates every couple of years - this method is terrible! What about an actual workable solution? I don’t have a Linux box lying around to work with - running through this process I have no idea what I’ll end up with!
I understand that OpenSSL IS available for Windows; my frustration lies in the fact that the only ‘documented’ procedure now for obtaining certificates is an example of using a Linux tool. There are no examples of using the Windows version, which has its own idiosyncrasies.
I feel a little more confident after reading Michael’s notes, and hope to submit my certificate requests today, and will report back…
Subject: Domino 9.0.1.2 with IF (No TLS 1.2?) - Disappointing IBM
Hello,
Thanks for your response. Am I the only person severely frustrated/disappointed with the lack of transport security in Domino? TLS 1.2 was released in 2008, and IBM just scrambled to add TLS 1.0, the initial release from 1999, because of Google’s pressure tactics!?! Who’s defining standards these days? I expect IBM to be at the forefront. This is incredibly disappointing. Have a great day.
***Why does the network manager support TLS 1.2 and not Domino? It sounds like a lack of support for the product line.
The www-10.lotus.com environment uses a network manager that supports TLS 1.2, so that is why you’re seeing it. The TLS support in IF1 for native Domino is currently TLS 1.0.