Subject: Thanks a lot Mark
Thanks a lot Mark
Subject: same error here
Hi there,
I installed the fix on our 9.0.1FP2 server (with a self signed certificate), enabled the parameters SSL_ENABLE_INSECURE_RENEGOTIATE=1, DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2
We let the server run for about an hour. TLS was working, but we got the error “Mapping SSL error -6996 to 4166 [SSLProtocolErr]” on some domains.
And some of these domains are important clients/partners.
So, like Matt, we have disabled TLS so that we can receive most of our emails.
Matt also wrote this: “However, it is up to the sending SMTP server to initiate the retry using a non-encrypted connection if the SSL one fails.”
Is there any official documentation/standard specifying this? (Maybe an RFC?)
And could someone please provide us with a link to it, so that we can send it to our clients/partners and encourage them to check their email setup.
I would also like to know what IBM intends to do about this?
Do you intend to fix it on the receiver side or is it not in your plans because it is the sender’s responsibility to retry using an unencrypted connection?
Also, in my personal experience, only one of our clients requires TLS to send us emails while most do not.
Wouldn’t it be possible to specify the domains or server IPs that require TLS somewhere (maybe in notes.ini), such that when they connect, Domino uses TLS, but for the remaining servers Domino does not use any encryption?
Kind regards.
Subject: I see the same error
I have the exact same issue with a Java application that needs to send mail through Domino using secure SMTP. After upgrading to 901FP2HF353 the SSL connection fails.
I’ve turned on DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 and this is the only output I get:
[31711:00008-1607153408] 11/07/2014 01:47:49.29 PM SMTP CIServ Listen> Connection Accepted on Port 465 for Session 097639AD
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM SSLInitContext> User is forcing 3079 cipher spec bitmask
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM SSL_Handshake> Enter
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM SSL_Handshake> After handshake state= 3 Status= -6996
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM SSL_Handshake> Exit Status = -6996
[31711:00027-1570965248] 11/07/2014 01:47:49.30 PM int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
Does anyone know what error -6996 means?
Subject: Try configuring your java application to explicitly specify SSLv3 or TLS instead of SSLv2
All support for SSLv2 was removed as part of this hotfix, including SSLv2 backwards compatibility mode.
Unable to connect to patched Domino servers using SSLv2 backwards compatibility mode
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2
Subject: Domino IHS Workaround: strict padding
Has anybody with Windows Domino & IHS tried this workaround setting to enforce “strict CBC padding” yet?
Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730) http://www-01.ibm.com/support/docview.wss?uid=swg21692502
Workarounds and Mitigations
For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains “SSLEnable”:
SSLAttributeSet 471 1
Subject: SMTP inbound SMTP problems after Domino 9.0.1 FP2 IF1
Issue should be fixed with 9.0.1FP3 Interim Fix 1
LMES9QRUZY Problem with incoming SMTP TLS connections after update to Domino 9.0.1 FP2IF1
Interim Fixes for 9.0.1.x IBM Notes, IBM Domino & IBM iNotes http://www-01.ibm.com/support/docview.wss?uid=swg21657963
Subject: Problem with TLS1.0 on SMTP
Today I have installed the 901FP2HF353 hotfix. Not for POODLE, but because we need TLS 1.0 support for securing SMTP.
This is working quite fine; an encrypted connection using TLS 1.0 is established. (SSL_Handshake> Protocol Version = TLS1.0 (0x301))
But the disadvantage is that the Domino server doesn’t seem to support SSLv3 anymore.
Other servers that only support SSLv3 get an error when they try to connect (4.7.0 TLS handshake failed).
Is it possible to additionally activate SSLV3 Support?
Subject: It does support SSL V3
See http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
What it turned off was the SSL renegotiation. You can turn that back on with the notes.ini parameter below.
Howard
Subject: Domino vulnerable to POODLE/TLS, too
There is a new form of the POODLE attack that can even affect TLS connections:
Qualys Community https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
According to the test tool at ssllabs.com, this bug affects the Domino HTTP server with the TLS interim fix as well as the IHS front end server, too …
Subject: Problem after upgrading from 8.5.3 FP3 to 9.0.1 FP3
I have this same problem after upgrading to 9.0.1 FP3, and injecting the NOTES.INI parameter had no effect. Has anyone been through this?
Subject: LMES9QRUZY in 9.0.1 FP3 IF1
Unfortunately I can confirm your research. After applying IF1 we get the same error message. Furthermore we must disable SMTP inbound encryption so that we don’t miss critical mail.
Subject: Domino vulnerable to POODLE/TLS, too
Yes, you will now get an ‘F’ on SSL Server Test (Powered by Qualys SSL Labs) https://www.ssllabs.com/ssltest/ even after applying the patch.
Subject: LMES9QRUZY in 9.0.1 FP3 IF1
Concerning LMES9QRUZY: can anyone confirm that? We implemented IF1 for FP3 and now get a different, more specific “error message”, but it still doesn’t work. The interesting thing is that we now get the following message in the debug log:
“This is probably an SSLv2 ClientHello record which is not supported by default to improve ‘out of the box’ security.” … So by default it is not supported; how can I switch this functionality on? Is there maybe a notes.ini definition for it?
15.02.2015 20:42:43.19 [0EE4:000A-0E88] int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
15.02.2015 20:42:43.19 [0EE4:000A-0E88] SSL_Handshake> Enter
15.02.2015 20:42:43.19 [0EE4:000A-0E88] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
15.02.2015 20:42:43.19 [0EE4:000A-0E88] S_Read> Enter len = 5
15.02.2015 20:42:43.19 [0EE4:000A-0E88] S_Read> Switching Endpoint to sync
15.02.2015 20:42:43.19 [0EE4:000A-0E88] S_Read> Posting a nti_rcv for 5 bytes
15.02.2015 20:42:43.19 [0EE4:000A-0E88] SSL_RcvSetup> SSL not init exit
15.02.2015 20:42:43.21 [0EE4:000A-0E88] S_Read> Switching Endpoint to async
15.02.2015 20:42:43.21 [0EE4:000A-0E88] S_Read> nti_done return 5 bytes rc = 0
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSL_RCV> 00000000: 80 77 01 03 01 '.w...'
15.02.2015 20:42:43.21 [0EE4:000A-0E88] S_Read> Exit, read 5 bytes
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSLReadRecord> First 4 bytes of SSL/TLS record: 0x80 0x77 0x01 0x03
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSLReadRecord> This is probably an SSLv2 ClientHello record which is not supported by default to improve “out of the box” security
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSLReadRecord> See the SSLv2 page on the Notes/Domino wiki for more information.
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSL_Handshake> After handshake state= 3 Status= -6974
15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSL_Handshake> Exit Status = -6974
15.02.2015 20:42:43.21 [0EE4:000A-0E88] int_MapSSLError> Mapping SSL error -6974 to 4171 [** unknown **]
15.02.2015 20:42:43 SMTP Server: ServerName_deleted (ip_deleted) connected
15.02.2015 20:42:43 SMTP Server: ServerName_deleted (ip_deleted) disconnected. 0 message[s] received
Subject: APAR/SPR from IBM
I submitted this error to IBM and after some back and forth this is what I got:
This is to inform you that we have confirmed through internal testing that there are functionalities that were broken by the new hotfix. I created a new APAR #LO82706 and SPR #MJTM9QMLDC set to severity 1 for this issue. Thank you for reporting this problem. I will keep you posted for updates from our development team.
Subject: Exactly!
Which is exactly where I was when I asked what ciphers people recommended for use: http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=D804457CF4E7894B85257DA100787ABA
I’d (previously) disabled the weaker ciphers, then for the most recent issues disabled AES, then saw a post about Triple DES, then after posting found similar posts to what you mentioned about RC4. I decided to go running RC4 for now as I found (similar to Darren Duke’s blog) that by disabling 3DES, it’d raise my grade from ‘F’ to ‘B’.
But it still doesn’t look good.
I knew this InterWeb thing was just a fad, and it wasn’t here to stay!
Rumor has it that there MAY be more ciphers to choose from someday down the line, but don’t hold your breath.
Subject: FWIW, nginx proxy will give you an “easy A”
All you need to do is put your Domino behind an nginx proxy. It’s not that hard. Here are the documents I used to put together my procedure:
frostillic.us :: Setting up nginx in Front of a Domino Server https://frostillic.us/f.nsf/posts/6AF303DE836BA02D85257D570058B1CA
Installing Nginx Reverse Proxy on CentOS for Domino Our Experience http://dominointerface.blogspot.com/2014/09/installing-nginx-reverse-proxy-on.html
http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/
Here is everything all put together:
https://wiki.trustedcomputer.it/xspwiki.nsf/dx/nginx_as_reverse_proxy_for_domino
Subject: YES, TLS handshake now successful
This notes.ini parameter was the missing link.
Handshake conversation now starts like
18.02.2015 14:59:17,89 [19E0:000A-19D8] int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSL_Handshake> Enter
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSLReadRecord> Reading an insecure SSLv2 record by administrator request
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSL2ReadRecord> Reading an insecure SSLv2 record by administrator request
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSLProcessProtocolMessage> Record Content: 0
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSLProcessProtocolMessage> Received an insecure SSLv2 record; processing by administrator request
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSL2ProcessMessage> Message: 1
18.02.2015 14:59:17,89 [19E0:000A-19D8] SSL2ProcessClientHello> Processing SSLv2 ClientHello message requesting TLS1.0 (version 0x0301)
resulting to successful handshake
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> After handshake2 state 3
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> Protocol Version = TLS1.0 (0x301)
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> KeySize = 128 bits
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> Current Cipher = 0x002F (RSA_WITH_AES_128_CBC_SHA)
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> SSLErr = 0
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> TLS/SSL Handshake completed successfully
18.02.2015 14:59:18,08 [19E0:000A-19D8] SSL_Handshake> Exit Status = 0
18.02.2015 14:59:18,08 [19E0:000A-19D8] int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
Subject: With DEBUG_SSL_ALL=1 I see…
Log example for failing connections. These did not fail before 9.0.1 FP2 IF1 and also don’t fail now if “SSL Negotiated over TCP/IP port” is set to “1”. SSL V2 has not been enabled on the server for years:
[167C:0008-0FB4] 11/11/2014 04:16:55 PM SMTP Server: zoniac3.nmsrv.com (204.187.13.193) connected
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM SSL_Handshake> Enter
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM S_Read> Enter len = 5
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM S_Read> Switching Endpoint to sync
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM S_Read> Posting a nti_rcv for 5 bytes
[167C:0008-0BEC] 11/11/2014 04:16:55.80 PM SSL_RcvSetup> SSL not init exit
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM S_Read> Switching Endpoint to async
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM S_Read> nti_done return 5 bytes rc = 0
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_RCV> 00000000: 80 8F 01 03 01 '.....'
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM S_Read> Exit, read 5 bytes
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_Handshake> After handshake state= 3 Status= -6996
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_Handshake> Exit Status = -6996
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
[167C:0008-0BEC] 11/11/2014 04:16:55 PM SMTP Server: zoniac3.nmsrv.com (204.187.13.193) disconnected. 0 message[s] received
IBM support escalated the PMR for this to severity 1 today based on prior logs sent previously, which look just like above.
Subject: That’s an SSLv2 message
That’s an SSLv2 handshake message offered up by the client for backwards compatibility with servers that only support SSLv2. You can tell by the first byte – it’s 0x80, not 0x16.
I’ve expanded the documentation to include the notes.ini and console messages to help people diagnose this problem. This is not a bug – use of SSLv2, including backwards compatibility mode, has been prohibited since 2011 by RFC 6176.
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2
[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_RCV> 00000000: 80 8F 01 03 01
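The first-byte check described in the reply above (0x80 means SSLv2 framing, 0x16 means an SSLv3/TLS handshake record), written out as a small classifier and run over the SSL_RCV> dumps quoted in this thread. This is an added example for this page, not Domino code and not anything from the Notes/Domino wiki. The SSL_RCV> line format matched by LOG_RE is an assumption inferred only from the log excerpts posted here, and the third sample line (a TLS 1.0 handshake record header) is constructed for contrast.

```python
"""
Classify the first bytes of an inbound SSL/TLS record the way the
SSLReadRecord check in this thread describes (first byte 0x80 = SSLv2
framing, 0x14-0x17 = SSLv3/TLS content type), and run that check over
DEBUG_SSL SSL_RCV> log lines.

Added example; not Domino code. The SSL_RCV> format assumed by LOG_RE is
inferred from the log excerpts quoted in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# SSLv3/TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}

# Protocol versions as they appear in record and hello headers
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


@dataclass
class RecordInfo:
    family: str                 # "SSLv2", "SSLv3/TLS" or "unknown"
    length: int                 # record length from the header
    message: Optional[str]      # SSLv2 message type or TLS content type
    version: Optional[str]      # version carried in the header
    rejected_by_default: bool   # what the patched server does without the admin override


def classify_record(raw: bytes) -> RecordInfo:
    """Decode the first five bytes of a record header (the log prints exactly five)."""
    if len(raw) < 5:
        raise ValueError("need at least five bytes")
    b0 = raw[0]
    if b0 & 0x80:
        # SSLv2 two-byte header: bit 7 set, 15-bit length, then the message
        # type (0x01 = CLIENT-HELLO) and the highest version the client offers.
        # (The three-byte padded SSLv2 header form is not handled here.)
        length = ((b0 & 0x7F) << 8) | raw[1]
        msg_type = raw[2]
        version = (raw[3] << 8) | raw[4]
        return RecordInfo(
            family="SSLv2",
            length=length,
            message="ClientHello" if msg_type == 0x01 else f"type 0x{msg_type:02x}",
            version=VERSIONS.get(version, f"0x{version:04x}"),
            rejected_by_default=True,
        )
    if b0 in CONTENT_TYPES:
        # SSLv3/TLS record header: content type, 2-byte version, 2-byte length
        version = (raw[1] << 8) | raw[2]
        length = (raw[3] << 8) | raw[4]
        return RecordInfo(
            family="SSLv3/TLS",
            length=length,
            message=CONTENT_TYPES[b0],
            version=VERSIONS.get(version, f"0x{version:04x}"),
            rejected_by_default=False,
        )
    return RecordInfo("unknown", 0, None, None, True)


# Hex dump on an SSL_RCV> line (assumed format, inferred from the posted logs)
LOG_RE = re.compile(r"SSL_RCV>\s+[0-9A-Fa-f]{8}:\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")


def scan_log(lines) -> List[RecordInfo]:
    """Return a RecordInfo for every SSL_RCV> dump found in the given log lines."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found.append(classify_record(bytes.fromhex(m.group(1).replace(" ", ""))))
    return found


# Sample log lines: the first two dumps are the ones quoted in this thread;
# the last line is a constructed TLS 1.0 handshake record header for contrast.
SAMPLE_LOG = [
    "15.02.2015 20:42:43.21 [0EE4:000A-0E88] SSL_RCV> 00000000: 80 77 01 03 01 '.w...'",
    "[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_RCV> 00000000: 80 8F 01 03 01 '.....'",
    "[167C:0008-0BEC] 11/11/2014 04:16:55.84 PM SSL_Handshake> Exit Status = -6996",
    "[0000:0000-0000] 01/01/2015 00:00:00.00 AM SSL_RCV> 00000000: 16 03 01 00 75 '....u'",
]

if __name__ == "__main__":
    for info in scan_log(SAMPLE_LOG):
        print(info)
```

Both dumps from the thread decode as an SSLv2-framed CLIENT-HELLO whose version field is 0x0301, i.e. the client is asking for TLS 1.0 and only the record framing is SSLv2. That is the "backwards compatibility mode" hello, and it matches the "Processing SSLv2 ClientHello message requesting TLS1.0 (version 0x0301)" line that appears once the override is enabled. A native TLS ClientHello arrives with 0x16 as its first byte instead.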
Subject: Re: Yes, that is a successful TLS 1.0 handshake
Thanks, Dave.
So, with IF1 and SSL enabled, I do get successful, encrypted inbound SMTP connections from senders such as Hotmail. But, there are others that now fail (such as inbound mail connections from Twitter). The senders that are failing after IF1 had no problem sending prior to the update. Others could not send us mail prior to the IF1 update – presumably because they had configured their server to send using TLS 1.0+ and Domino only supported up to SSL 3. These “others” worked fine after the IF1 update, but it broke different senders, such as Twitter. THAT is the heart of the problem.
The only way for me to receive 99.9%+ of mail at the moment is to disable the requirement for encryption. We’ve had high-security clients in the past who would not send without encryption, and if we encounter another one of those right now I’ll be unable to set the Domino configuration in a way that satisfies the conflicting requirements.