Apparently the POODLE vulnerability can be adapted to attack some TLS stacks, up to TLS 1.2 [1]. My servers are running behind a reverse proxy, and are NOT vulnerable, but I was hoping someone who wasn’t running a reverse procy could test their Domino with the SSL Labs tester [2].
[1] ImperialViolet - The POODLE bites again https://www.imperialviolet.org/2014/12/08/poodleagain.html
[2] SSL Server Test (Powered by Qualys SSL Labs) https://www.ssllabs.com/ssltest/index.html
Subject: Mine seems fine
I get dinged for SSL 3 and RC4 ciphers but otherwise SSLLabs gives me a B.
This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO =BB
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE INFO =BB
There is no support for secure renegotiation. MORE INFO =BB
The server does not support Forward Secrecy with the ref= erence browsers. MORE INFO =BB
This server supports TLS=5FFALLBACK=5FSCSV to prevent pr= otocol downgrade attacks.
Howard
Subject: Here is more on this from Darren Duke
Darren Duke Blog Zone http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/poodle-tls-the-poodle-strikes-back.htm
Subject: Re. RC4 ciphers
We chose to leave RC4 ciphers enabled, since otherwise we’d risk locking out too many wanted visitors. Anyway, even with RC4 enabled we are getting B – with Domino hidden behind nginx as reverse proxy.
Subject: It’s a TLS issue not SSL
@Jeff - POODLE II is a TLS vulnerability. In my case have already disabled SSL2 and SSL3 via IHS DOMINO.CONF and SSL Labs reports us as a Fail due to the new TLS vulnerability.
What we need is a patch for Domino IHS from IBM.
Subject: can you disable tls1.0 and 1.1 at IHS
Can you force TLS1.2 at the IHS proxy?
similar as how you disabled sslv2 and v3 in the .conf file
and also disable tls1.0 and tls1.1
SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv11
Subject: IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack
Having moved to using IHS with our v9.0.1 FP2 IF1 server that runs Traveler I now find that IHS is vulnerable to the new POODLE / TLS attack - SSL labs gives it a Big FAIL. “This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. MORE INFO » https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls”
We needed to disable SSL3 completely to be compliant with our organisations security policy and now I find IHS is vulnerable. Hopefully IBM will release an IHS fix ASAP.
Subject: We are investigating. Should have more to report tomorrow <>
Subject: IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack
Subject: Look here
in another thread this was reported to work:
Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730) http://www-01.ibm.com/support/docview.wss?uid=swg21692502
Workarounds and Mitigations
For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains “SSLEnable”:
SSLAttributeSet 471 1