I’d like to point out that both links above (i.e. Technotes 1687167 and 1418982) are official IBM statements; please note the following excerpt from Technote 1687167 - How is IBM Domino impacted by the POODLE attack? http://www-01.ibm.com/support/docview.wss?uid=swg21687167:
IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack. Implementing TLS 1.0 for Domino will protect against the POODLE attack and will allow browsers to still connect to Domino after they have been changed to address the POODLE attack.
On a related note, and I stress this is NOT a commitment from IBM, but we are being told internally …“We do not have the specific date when these fixes will be available, however the plan is to have them available for your customers well in advance of 25 Nov 2014.” (emphasis provided in original internal blogpost - not my own).
Finally, and I’m sorry I have to do this, but… IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Let’s hope IBM is using the Traveler team’s development mindset when coming up with the fixes, “it just works… you don’t have to screw with it endlessly”
For those who are unwilling / unable to wait for IBM’s official statement on this, Domino can be configured with an IBM IHS server to support TLS connections from end users. NOTE: This IHS server module is supported only on Windows.
Remember you will also need to use the “SSLProtocolDisable SSLv3” configuration parameter in the IHS server config to disable SSLv3, or use other parameters to disable affected modes (if that’s even possible - POODLE affects padding on CBC encryption modes, although I cannot state if modes like ECB are immune, and they may also suffer from other catastrophic security flaws. Still, this is potentially an option if your clients cannot support TLS). I would also recommend taking out SSLv2 - given attacks like BEAST etc.
If setting up this approach you should also consider making sure your Domino servers are only accessible by the IHS server (i.e. firewall off other connections; if using the same machine, bind Domino only to localhost).
Once again - THIS IS NOT AN OFFICIAL IBM STATEMENT AND THIS APPROACH MAY NOT BE SUPPORTED.
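As an added illustration of the IHS front-end described in the post above (not the poster’s own configuration and not an IBM-supplied one), this is the shape an IBM HTTP Server httpd.conf fragment would take: SSLv2/SSLv3 refused on the TLS listener, and requests proxied to a Domino HTTP task that listens only on the loopback interface. Host names, key database paths and the Domino port are placeholders, and binding Domino’s HTTP task to 127.0.0.1 is assumed to be done separately in the server document.

```apache
# Added example, not from the post or from IBM documentation.
# Modules IHS ships for TLS termination and HTTP proxying
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 0.0.0.0:443
<VirtualHost *:443>
    ServerName mail.example.com              # placeholder host name

    # Enable TLS on this virtual host using the IHS key database (placeholder paths)
    SSLEnable
    KeyFile "C:/IBM/HTTPServer/ssl/key.kdb"
    SSLStashfile "C:/IBM/HTTPServer/ssl/key.sth"

    # Weak setting: omitting the next line leaves SSLv3 (and SSLv2) negotiable,
    # so a client that retries with an older protocol can still be served SSLv3.
    # Corrected setting: refuse both legacy protocols outright.
    SSLProtocolDisable SSLv2 SSLv3

    # Forward browser traffic to Domino HTTP, which should be bound to the
    # loopback address (assumed 127.0.0.1:80 here) so it is not reachable directly.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>
```

After restarting IHS, confirm from a client that an SSLv3-only handshake is rejected while a TLS 1.0 handshake succeeds, and that the Domino port is unreachable from anywhere but the IHS host.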
Subject: Don’t worry, the other protocols have not been forgotten
The technote regarding the POODLE attack on web browsers was naturally focused on HTTP, whereas the technote for SSL/TLS certificates signed with SHA-2 was applicable for all protocols. I’m rather busy at the moment, but will share what I can when I can.
Like Jeff and Simon, I am waiting for Domino to release TLS 1.0 for SMTP.
We recently stopped receiving emails from a certain company. It was hard to troubleshoot as the company that was unable to send us emails was the local branch of an international company and their email was hosted on a foreign provider. And they did not have local IT staff. After a lot of asking around we managed to get a server log extract with the technical reason for the failure: “TLS handshake failed.”
And that is what brought me here…
Now if only IBM had sent us a communiqué to inform us about this vulnerability, maybe we would not have wasted days trying to figure out the problem…and lost important emails in the process…
And that would also have prevented a lot of user frustration.
I get lots of emails from IBM (e.g. Open Mic Webcast, Ask the Experts session). The last one I received was “IBM explores the next wave of technology.” on the 27/10/14. I find it disturbing that when there is an issue that might affect mail delivery (which is critical), IBM did not notify us of this.
PayPal has announced that they will terminate SSL 3.0 on 3.12.2014. So I will repeat my question about the Microsoft ServerXMLHTTP object via LotusScript. The direction from PayPal to the Domino system will work with the Apache-based HTTP server. But the request from Domino to PayPal? Thanks for any information!
Subject: Re: Poodle SSL vulnerability (need IBM response)
An excellent question, Mr. Gibbs. This is of immediate and compelling interest to ALL IBM Domino admins, developers, and users.
IBM has traditionally portrayed itself as a key vendor of secure and reliable software.