FWIW, we installed the reverse proxy IBM HTTP server on our test machine (win 2008 R2) without any problems so far, and removed SSLv3 without issues. I just thought I’d mention, since others had reported difficulties.
We’d been warned there was a bug where IHS would quit if an admin logged into the server and then logged out, but we have not seen this problem. The proxy server is 32-bit, but works fine with our 64-bit 9.01FP1 domino server (so far).
We have not done any heavy-duty testing, just “does it work” testing.
If I advise all my customers to disable SSLv3 in Domino they will no longer be able to establish a secure HTTP/SMTP/LDAP/IMAP etc session with the server!!!
They will very soon decide that moving to another product is the right way for them! Please speak to your managers and address this issue directly… They are waiting for an official IBM response that directly answers their concerns regarding Domino, not a woolly general statement that would end with them not able to connect to their servers.
“With this Interim Fix, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP.”
Thank you for this information! But what is the SSL security level if I call a URL with the Microsoft ServerXMLHTTP object via LotusScript? As far as I know, the encryption comes from the application which calls this DLL. It would be nice if there was a statement from IBM.
Our ISP shut down all our outbound mail due to lack of support for TLS over SMTP. This is unacceptable for us and I would assume for just about any company. Thus we had to route all our mail directly to the Internet, which bypassed all the security features we were paying for from our ISP. They have since patched to let us back in, but we were down for about 2 hours yesterday, UNACCEPTABLE!
IBM, please pay attention to those of us using Domino for our SMTP gateway. IHS is for HTTP only. A support rep from IBM sent us an email telling us to configure IHS for TLS for our SMTP server. I was shocked at the lack of knowledge about this.
Please do NOT forget many of us need a fix for TLS for SMTP SMTP SMTP SMTP SMTP SMTP SMTP!!!
Subject: Our experience using IHS for SSL traffic into Domino
I have been working with IBM Support for the past two weeks to enable the IHS server on the Domino server for HTTP. So far, we have had success getting port 80 traffic through IHS to the Domino server, and are still trying to get port 443 traffic from IHS through to the Domino server - we get an error message in Firefox: "The Connection was Interrupted".
We used the IKeyMan utility to get the SSL certificates into the IHS system - the Domino keyring files are not used in this configuration.
Here are links to some of this, and I will post more as this evolves.
Google will start flagging this in browsers Nov 1, and the others will follow suit shortly.
A public statement is actively being worked. Before we publish, we need to complete our fix and delivery plans. This statement will be available shortly.
This thread is the #1 hit when you Google “Poodle Domino IBM” so it would be a good place to update some status. Dave K., as always your input is appreciated but do we have an official word from IBM yet (maybe I missed it)? Right or wrong, I have customers that are freaking out.
If the client and server are in a secure internal network then they should not be at risk to this SSL 3.0 vulnerability.
“if an attacker that controls the network between the client and the server interferes with any attempted handshake”…
The attacker gets between the user’s browser and the web server in the network, and causes multiple protocol downgrade handshakes and captures a little more HTTP cookie information each time,
FYI: This post is in regards to the SSLv3 vulnerability (CVE-2014-3566) that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Please actively monitor both your IBM Support Portal for available fixes and mitigations and this blog for additional information. IBM recommends that you review your entire environment to identify areas that enable the SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.
Announcements - What's New | IBM: https://www-304.ibm.com/connections/blogs/PSIRT/entry/sslv3_vulnerable_to_cve_2014_3566_poodle_attack?lang=en_us
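A check for the "identify areas that enable the SSLv3 protocol" advice above, added here as an example and not code from IBM, Domino or anyone in this thread: it sends a bare SSLv3 ClientHello (with an optional SMTP STARTTLS prelude, since several posters run Domino as their SMTP gateway) and reports whether the server still answers with an SSLv3 ServerHello. The host names and ports are assumptions for the reader to replace with their own Domino or IHS endpoints.

```python
"""Report whether a TLS endpoint still negotiates SSLv3 (POODLE exposure check)."""
import socket
import struct

# SSLv3 record/handshake layout (RFC 6101). The ClientHello offers a few SSLv3-era
# suites; a ServerHello carrying version 0x0300 means SSLv3 is still enabled.
SSLV3 = b"\x03\x00"
CIPHER_SUITES = bytes.fromhex("002f0035000a00050004")  # AES128/AES256/3DES/RC4-SHA/RC4-MD5

def build_client_hello() -> bytes:
    body = (SSLV3 + b"\x00" * 32                      # client_version + 32-byte random (constant is fine for a probe)
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                             # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # record type=handshake

def classify(reply: bytes) -> str:
    """Interpret the first record the server sends back to our SSLv3 ClientHello."""
    if len(reply) < 5:
        return "no-response"
    rec_type, ver = reply[0], reply[1:3]
    if rec_type == 0x16 and ver == SSLV3 and len(reply) > 5 and reply[5] == 0x02:
        return "sslv3-accepted"                        # ServerHello at version 3.0: SSLv3 is live
    if rec_type == 0x15:
        return "sslv3-rejected"                        # alert (handshake_failure / protocol_version)
    return "unexpected"

def smtp_starttls(s: socket.socket) -> None:
    """Drive a plain SMTP session up to the point where the TLS handshake begins."""
    s.recv(1024)                                       # 220 banner
    s.sendall(b"EHLO poodle-check.example\r\n")        # hypothetical client name
    s.recv(4096)                                       # 250 capability lines
    s.sendall(b"STARTTLS\r\n")
    if not s.recv(1024).startswith(b"220"):
        raise RuntimeError("server refused STARTTLS")

def probe(host: str, port: int, starttls: bool = False, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as s:
        if starttls:
            smtp_starttls(s)
        s.sendall(build_client_hello())
        try:
            return classify(s.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-response"                       # many servers just drop SSLv3 clients

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])         # e.g. domino.example.com 443 (assumed host)
    print(host, port, probe(host, port, starttls=port in (25, 587)))
```

Run it against each listening port (443, 636, 993, 995, and 25/587 with the STARTTLS path) before and after disabling SSLv3; "sslv3-rejected" or "no-response" is the result you want to see.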