Released - Domino server Interim Fixes that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack

Subject: Debug Output

Hello,

it is not much but I hope anyone can read something out of it:

[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Enter
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> After handshake state= 3 Status= -6996
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Exit Status = -6996
[0318:0008-1374] 11/06/2014 17:33:47.61 int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]

Subject: That log appears truncated - is there anything else showing up on the server console? <>

Subject: Interim Fix also breaks directory assistance connection over LDAPS

We installed this hot fix to today. TLS worked fine when connecting to our Domino server. However, our Domino server uses directory assistance to connect to an external LDAP server and this connection no longer worked. IBM has said this issue will be fixed in 9.0.1 Fix Pack 3 which is due out in the first quarter of 2015.

Subject: IBM response to support issue about TLS and SMTP

For those of you who’ve been following, I’ve had many back and forths with IBM about the failure of inbound secure SMTP connections after implementing TLS 1.0. Their latest reply was to say they removed all SSLv2 support when the TLS hotfix was rolled out as per http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2 http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2

If you look at the RFC’s cited, however, you’ll note that SSLv2 CLIENT-HELLO message formats CAN be accepted by servers that only support TLS. It is perfectly legal. The way they are handled is constrained, and the server isn’t allowed to actually negotiate SSLv2 traffic, but the connection attempt and hello are NOT supposed to be rejected out of hand.

Here is my full email response to IBM support. We’ll see what happens.

My interpretation of this response is that it says my Domino server is working as designed given the Fix Pack, and Interim Fix it is running.

I was already aware of the referenced information with regards to SSLv2 Handshake Messages. If this is the rationale being used to explain why my server can’t accept various secured incoming SMTP connections (so that it, ironically, must run SMTP in the clear to function), I believe the RFC cited is possibly being misinterpreted. From RFC 6167 https://tools.ietf.org/html/rfc6176in the section “3. Changes to TLS” it says:

3. Changes to TLS

Because of the deficiencies noted in the previous section:

o TLS clients MUST NOT send the SSL version 2.0 compatible CLIENT-
HELLO message format. Clients MUST NOT send any ClientHello
message that specifies a protocol version less than
{ 0x03, 0x00 }. As previously stated by the definitions of all
previous versions of TLS, the client SHOULD specify the highest
protocol version it supports.

o TLS servers MAY continue to accept ClientHello messages in the
version 2 CLIENT-HELLO format as specified in RFC 5246 [TLS1.2],
Appendix E.2. Note that this does not contradict the prohibition
against actually negotiating the use of SSL 2.0.

o TLS servers MUST NOT reply with an SSL 2.0 SERVER-HELLO with a
protocol version that is less than { 0x03, 0x00 } and instead MUST
abort the connection, i.e., when the highest protocol version
offered by the client is { 0x02, 0x00 }, the TLS connection will
be refused.

Yes, clients are not supposed to send SSLv2 compatible CLIENT-HELLO message format. But, as stated in the second bullet point the server can continue to accept these SSLv2 CLIENT-HELLO message formats so long as it doesn’t negotiate a SSLv2 connection. The server should respond with an allowed protocol version AND it should only abort the connection when the highest protocol version offered by the client is insufficient.

So SSLv2 CLIENT-HELLOs are not supposed to be simply rejected out of hand, but the response type is restricted and the connection refused only if the client doesn’t offer a high enough protocol version.

It appears to me from the IBM statement that possible TLS 1.0 connections are being refused simply because the client sent a SSLv2 CLIENT-HELLO, something that is allowed by the RFC.

I’d also like to reference RFC 5246 Appendix E https://tools.ietf.org/html/rfc6176#appendix-E.2which says, among other things:

Note: some server implementations are known to implement version
negotiation incorrectly. For example, there are buggy TLS 1.0
servers that simply close the connection when the client offers a
version newer than TLS 1.0. Also, it is known that some servers will
refuse the connection if any TLS extensions are included in
ClientHello. Interoperability with such buggy servers is a complex
topic beyond the scope of this document, and may require multiple
connection attempts by the client.

AND

However, even TLS servers that do not support SSL 2.0 MAY accept
version 2.0 CLIENT-HELLO messages.

So, what am I dealing with here? Since currently IBM Domino 9.0.1, even when fully patched, only supports up to TLS 1.0, is it one of these “buggy TLS 1.0 servers” as described in RFC 5246?

As you know, I currently have little choice but to run SMTP without any encryption at all because if the current TLS 1.0 encryption is turned on I can’t accept secure SMTP server connections from a variety of clients of ours – as well as that little $23-billion company named Twitter.

Is the conclusion here that Twitter only sends mail with SSLv2? Or is it that such senders support higher encryption but that my Domino server cuts the connection when it sees an SSLv2 CLIENT-HELLO, which actually is allowed by RFC?

Subject: (more) With DEBUG_SSL_ALL=1 I see…

Dave,

This is what I see for a “successful” inbound SSL/TLS SMTP connection. At least I think it is a successful. I don’t know enough about the log format to be sure it was encrypted or failed and fell back to unencrypted. It is waaaay longer than the example you posted for a successful SSL connection. I snipped the middle of it this to keep it half way reasonable. This is an inbound SMTP connection from Hotmail.

[1AEC:000A-12E8] 11/11/2014 05:04:04 PM SMTP Server: bay004-omc4s17.hotmail.com (65.54.190.219) connected
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> nti_done return 5 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000000: 16 03 01 01 06 ‘…’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Exit, read 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Enter len = 262
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Posting a nti_rcv for 262 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> nti_done return 262 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000000: 10 00 01 02 01 00 BF 06 63 44 E7 A1 37 15 7C B3 ‘…?.cDg!7.|3’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000010: F3 C9 83 49 79 C1 05 83 17 BB 25 1B 1F 3B 1A D9 ‘sI.IyA…;%…;.Y’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000020: BD 66 73 EC 0F DC 1A F3 C1 D0 BF 2C 8A BF C5 DB ‘=fsl..sAP?,.?E[’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000030: 07 19 42 DE 92 7A E2 A4 E8 2F 83 CA 26 3F 87 D1 ‘…B^.zb$h/.J&?.Q’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000040: DB 3C E8 46 8F 3C CB B4 01 14 F1 21 26 8B E2 D2 ‘[<hF.<K4…q!&.bR’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000050: CA 6D DA D1 9B DF 8F A9 8E F2 5B EE F2 A4 67 6F ‘JmZQ..).r[nr$go’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000060: 5D F7 BA 70 67 3A B4 8E A6 07 3D 68 46 B1 23 F5 ‘]w:pg:4.&.=hF1#u’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000070: DE EB 88 17 51 70 30 85 19 E6 48 ED B6 C3 D3 85 ‘^k…Qp0…fHm6CS.’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000080: 2F B6 4F E0 91 41 12 10 19 A8 43 37 37 66 E5 2F ‘/6O`.A…(C77fe/’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000090: 3D 9D 2A 4C A1 79 2E F1 9C 45 95 64 5F 2D 7A AB '=.*L!y.q.E.d-z+’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000A0: 0D EA 50 B3 46 F8 40 98 D3 CA E2 A8 F2 9E 6E B3 ‘.jP3Fx@.SJb(r.n3’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000B0: AB DE 51 72 AB C3 B9 31 3B 83 0F 02 7D 83 B7 60 ‘+^Qr+C91;…}.7`’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000C0: 9E 7A 83 CC DC 05 AA EB 1F 96 6E F0 E7 3E D8 0A ‘.z.L.*k…npg>X.’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000D0: FF 3A 99 AE 06 FA 40 F0 F7 63 9B E0 B3 3E CE 7D ‘.:…z@pwc.`3>N}’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000E0: FC AE 99 E4 CF 34 71 BA 80 EF 52 93 AA EA 9D 28 ‘|…dO4q:.oR.j.(’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 000000F0: 55 FA C4 29 28 13 4F AF D2 A3 5D 3B B7 70 7C 7D ‘UzD)(.O/R#];7p|}’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000100: 1D AB C8 20 9B D1 ‘.+H .Q’
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM S_Read> Exit, read 262 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> After handshake2 state 13
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Exit Status = -5000
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Enter
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Enter len = 5
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Posting a nti_rcv for 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> nti_done return 5 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000000: 14 03 01 00 01 ‘…’
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Exit, read 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Enter len = 1
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Posting a nti_rcv for 1 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> nti_done return 1 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000000: 01 ‘.’
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Exit, read 1 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> After handshake2 state 14
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Exit Status = -5000
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Enter
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Enter len = 5
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Posting a nti_rcv for 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> nti_done return 5 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000000: 16 03 01 00 30 ‘…0’
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Exit, read 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Enter len = 48
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Posting a nti_rcv for 48 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM S_Read> nti_done return 48 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000000: DD C0 05 7E F8 F3 58 FD 6F 7F 43 21 4E 21 74 E3 ‘]@.~xsX}o.C!N!tc’
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000010: DE 98 BC AD 20 4A 3C 2A 2D AB 43 D5 94 DA 02 AC '^.<- J<-+CU.Z.,’
[1AEC:000A-1C08] 11/11/2014 05:04:04.30 PM SSL_RCV> 00000020: 1F 9E 41 2C 9E 3C 1F AB B4 07 6C 0F 91 FA 4F 69 ‘…A,.<.+4.l…zOi’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Read> Exit, read 48 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Enter len = 6
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Xmt> 00000000: 14 03 01 00 01 01 ‘…’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Posting a nti_snd for 6 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_EncryptData> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_EncryptDataCleanup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> nti_done return 6 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Exit, wrote 6 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Enter len = 53
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Xmt> 00000000: 16 03 01 00 30 77 12 94 B2 E3 02 10 24 4F 80 B1 ‘…0w…2c…$O.1’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Xmt> 00000010: 23 4E 73 35 AD 77 75 94 32 D8 22 B0 1E 95 9A F0 ‘#Ns5-wu.2X"0…p’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Xmt> 00000020: D8 AD E7 45 87 F5 26 59 A6 50 EB 54 7F 22 A0 41 ‘X-gE.u&Y&PkT." A’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Xmt> 00000030: DD C8 68 86 AB ‘]Hh.+’
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Switching Endpoint to sync
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Posting a nti_snd for 53 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_EncryptData> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Switching Endpoint to async
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_EncryptDataCleanup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> nti_done return 53 bytes rc = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_Write> Exit, wrote 53 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> After handshake2 state 3
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Protocol Version = TLS1.0 (0x301)
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> KeySize = 256 bits
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Current Cipher = 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> SSLErr = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> TLS/SSL Handshake completed successfully
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Exit Status = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_ReadGetBytesNeeded> Need to 5 more bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_ReadAsync> Enter len = 5
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_ReadAsync> Posting a nti_rcv for 5 bytes
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_RcvSetup> SSL not init exit
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM S_ReadAsync> Exit
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_Poll> Enter
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_Poll> Rcv has completed, adding 5 to Rcv Ring
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_Poll> Rcv has completed, RingFreeSize 32766
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_Poll> Current rcv ring data size is: 5
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_ReadGetBytesNeeded> Removing 5 from the Rcv Ring
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_ReadGetBytesNeeded> Need to 64 more bytes
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM S_ReadAsync> Enter len = 64
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM S_ReadAsync> Posting a nti_rcv for 64 bytes
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM SSL_RcvSetup> SSL not init exit
[1AEC:0007-1C08] 11/11/2014 05:04:04.57 PM S_ReadAsync> Exit

<snip: this sort of thing repeated 11 more times. If the whole thing is needed to make sense, let me know…>

[1AEC:000A-1C08] 11/11/2014 05:04:05.44 PM S_ReadAsync> Exit
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_Poll> Enter
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_Poll> Rcv has completed, adding 5 to Rcv Ring
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_Poll> Rcv has completed, RingFreeSize 32766
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_Poll> Current rcv ring data size is: 5
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_ReadGetBytesNeeded> Removing 5 from the Rcv Ring
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_ReadGetBytesNeeded> Need to 32 more bytes
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM S_ReadAsync> Enter len = 32
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM S_ReadAsync> Posting a nti_rcv for 32 bytes
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM SSL_RcvSetup> SSL not init exit
[1AEC:0007-1C08] 11/11/2014 05:04:05.46 PM S_ReadAsync> Exit
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM SSL_Poll> Enter
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM SSL_Poll> Rcv has completed, adding 32 to Rcv Ring
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM SSL_Poll> Rcv has completed, RingFreeSize 32766
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM SSL_Poll> Current rcv ring data size is: 32
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM SSL_ReadGetBytesNeeded> Removing 32 from the Rcv Ring
[1AEC:000A-12E8] 11/11/2014 05:04:05 PM SMTP Server: Message 0005DE20 (MessageID: BAY175-W512D25CA614D4A2F4778B0D98E0@phx.gbl) received from bay004-omc4s17.hotmail.com (65.54.190.219) size 1673 bytes
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM CompleteNTIRequest> Enter
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM CompleteNTIRequest> Event = 4 Status = 0 Bytes = 6
[1AEC:0009-12E8] 11/11/2014 05:04:05.58 PM CompleteNTIRequest> Exit
[1AEC:000A-12E8] 11/11/2014 05:04:05.58 PM SSL_EncryptData> Asked to write 64 and wrote 101
[1AEC:000A-1C08] 11/11/2014 05:04:05 PM SMTP Server: bay004-omc4s17.hotmail.com (65.54.190.219) disconnected. 1 message[s] received

Subject: Yes, that is a sucessful TLS 1.0 handshake

Snipping the relevant portions of the log:

That same initial message begins with 0x16 (type = handshake message), then 0x0301 (TLS 1.0), then 0x0106 (length of the TLS record)
[1AEC:000A-1C08] 11/11/2014 05:04:04.27 PM SSL_RCV> 00000000: 16 03 01 01 06 ‘…’

Searching that log for “success” will find the end of the successful handshake, and tell you what version of SSL/TLS was used:

[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Protocol Version = TLS1.0 (0x301)
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> KeySize = 256 bits
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Current Cipher = 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> SSLErr = 0
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> TLS/SSL Handshake completed successfully
[1AEC:000A-1C08] 11/11/2014 05:04:04.32 PM SSL_Handshake> Exit Status = 0

Subject: Senders who won’t “talk” to this HF

I am having trouble receiving mail from these senders. I spoke to one of them, and they say they use “opportunistic” TLS, but it won’t connect nor fallback to clear text.

Here are two of these senders. Does anyone have others?

Symantec Messaging Gateway

Reflexion.net TLS connect failed: connection reset; connected to … STARTTLS proto=TLSv1; cipher=(NONE).

Subject: Yes, it works

Has anybody with Windows Domino & IHS tried this workaround setting to enforce “strict CBC padding” yet?
Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730) http://www-01.ibm.com/support/docview.wss?uid=swg21692502
SSLAttributeSet 471 1

Yes, it works! I implemented this on our web server and we’re back from F to A- now.

Subject: YES, TLS handshake now successful

@Gilbert: Hallelujah! Thank you very much for sharing your results! We will implement it asap!

Subject: Debug Output

Hello,

it is not much but I hope anyone can read something out of it:

[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Enter
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> After handshake state= 3 Status= -6996
[0318:0008-1374] 11/06/2014 17:33:47.61 SSL_Handshake> Exit Status = -6996
[0318:0008-1374] 11/06/2014 17:33:47.61 int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]

Subject: Try configuring those other servers to not use SSLv2 or SSLv2 backwards compatibility mode <>

Subject: SMTP inbound SMTP problems after Domino 9.0.1 FP2 IF1

Hi Mark

We have the same problem and also circumstances:
-same error logs
-same Domino Version: 9.0.1FP2 IF1 w64
-also a SHA1 certificate
-passed tests on CheckTLS vor in/outbound
-same configuration and “workaround” for Server Configuration Setting “SSL negotiated over TCP/IP port”: Before problem =enabled, now, after IF1 =disabled.

We opened also a PMR last week and for the moment it seems that untrusted (self signed) sender certificates are the problem and responsible for this behavior (see below for last response from IBM):

Begin of last PMR response
Hi Cristian,

It seems that the issue connecting via port 465 secured SSL only happens to users with self signed certificates. Tests wherein the client application has trusted certificate were successfully connected via secured SSL port-- sending and receiving email, proving that the hotfix is working fine.
Problems occur when the application (client) does not have all certs imported and trusted in the client certificate store.
So I would recommend checking which clients are affected by the issue and ensure that all the certs are imported and trusted.

If even after trying the above the issue persists I would recommend:

1. enable Debug_SSL_All=1 on the gateway Domino server
2. enable console logging on the same server
3. Attempt a TLS smtp connection to reproduce the issue.

This issue is specifically TLS over SMTP so we will need a new PMR as it will have to go to the Messaging Team (there is a different APAR for this issue from the one in 91643,211,848).
So if the issue persists, I would recommend opening a new PMR mentioning that this is SPR # MJTM9QMLDC - APAR LO82706 and attaching the console logs from the gateway to the PMR.
In this way we should save time in data collection etc…
I hope this helps, let me know if there are any questions.
Thank you,
End of last PMR response

Now a few thing are not really clear to me, which why we posed this questions to IBM…

1. Why should the fix working fine? I mean before of the fix (in my understanding the introduction of TLS 1.0 and the prevention to a “SSLv3 fallback”) untrusted/ self signed certificates worked very well! Is there a parameter we could set to accept untrusted/ self signed certificates?

2. In the configuration setting document for the gateway servers we set initially “SSL negotiated over TCP/IP port = enabled” . In my understanding this means that SSL is not mandatory and if a SSL communication will not be possible/desired from the sender or accepted by us there will be a fallback to a nonSSL communication. Why is this not the case when the sender uses a selfsigned certifcate? It would not be an ideal solution, because self signed certificates would fallback to a nonSL communication, but it would be far than a rejection.

3. IBM wrote “It seems that the issue connecting via port 465 secured SSL only happens to users with self signed certificates.”
   We don’t use the 465 port. We consulted our network team and they have confirmed that only port 25 is permitted by the firewall. In my opinion this is a valid configuration (see https://www-304.ibm.com/support/docview.wss?uid=swg21108352 https://www-304.ibm.com/support/docview.wss?uid=swg21108352 / "…Also, Port 465 is no longer registered as SMTP-SSL. It has been deprecated in favor of TLS/SSL over port 25. For more information see: Service Name and Transport Protocol Port Number Registry http://www.iana.org/assignments/port-numbers " . Is this fact relevant to IBMs explanation?

…will make a new post if some news are available and useful…

Subject: The IF removed all support for SSLv2

The IF removed all support for SSLv2, as described in the Notes/Domino wiki:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2 http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLv2

If setting DEBUG_SSL_ALL=1 on your Domino server results in a line like the following…

[30406:00011-233826048] 11/05/2014 06:36:49.27 PM SSL_RCV> 00000000: 80 65 01 03 01 ‘.e…’
[30406:00011-233826048] 11/05/2014 06:36:49.27 PM S_Read> Exit, read 5 bytes
[30406:00011-233826048] 11/05/2014 06:36:49.27 PM SSL_Handshake> After handshake state= 3 Status= -6996
[30406:00011-233826048] 11/05/2014 06:36:49.27 PM SSL_Handshake> Exit Status = -6996
[30406:00011-233826048] 11/05/2014 06:36:49.27 PM int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]

… then the incoming connection is attempting to use SSLv2 compatibility mode and being rejected.

A “good” incoming SSLv3 or TLS connection will look like this instead:

[10846:00012-930277120] 11/11/2014 12:34:26.18 PM SSL_RCV> 00000000: 16 03 01 00 53 ‘…S’
[10846:00012-930277120] 11/11/2014 12:34:26.18 PM S_Read> Exit, read 5 bytes
[10846:00012-930277120] 11/11/2014 12:34:26.18 PM S_Read> Enter len = 83
[10846:00012-930277120] 11/11/2014 12:34:26.18 PM S_Read> Switching Endpoint to sync
[10846:00012-930277120] 11/11/2014 12:34:26.18 PM S_Read> Posting a nti_rcv for 83 bytes

If this is what you are seeing, then I would recommend upgrading or reconfiguring the clients to stop using SSLv2. If you’re concerned about SSLv3, then you should be horrified by SSLv2.

Domino’s support for self-signed certificates has not changed as part of this IF. You may see some web browsers react slightly differently to “untrusted” server certificates over TLS 1.0 than over SSLv3, but that will vary from client to client.

Subject: Re. See this - by Darren Duke

So, the current “solution” is to disable the ciphers that are supposed to be the more secure? Googling around about ciphers gives info that says it’s the RC4 ciphers that should be disabled (in general, not related to the current TLS Poodle thing):

Killing RC4: The Long Goodbye http://blog.cloudflare.com/killing-rc4-the-long-goodbye/

We recently http://blog.cloudflare.com/killing-rc4 removed support for RC4 for browsers using TLS 1.1+. Now we are removing RC4 as the preferred cipher. Servers behind CloudFlare will prefer AES-based cipher suites…

Recommendations for TLS/SSL Cipher Hardening | Acunetix http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

Furthermore, it is also crucial to disable weak ciphers. Weak ciphers such as DES and RC4 should be disabled. Using current technology, DES can be broken in a few hours while RC4 has been found to be weaker than was previously thought. While it may have been advised to use RC4 to mitigate BEAST attacks in the past, given the latest attacks on the RC4 cipher, Microsoft has issued an advisory http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx again its use.

My conclusion: ALL ciphers should be completely disabled to maximize security. </sarcasm off>

Subject: I was thinking the same as Cristian …

… at point 3.

I have a server using TLS/SSL over port 25 as stated on that document Cristian posted before. We are passing all checks on checktls.com, but we’re using a GeoTrust certificate, not a self-signed one.

I didn’t install the new HotFix yet, I would like to see more information about this. I don’t want users screaming on me!

Subject: Inbound Domino SMTP TLS/SSL handshake problem

Hi, Mark and Dave, we are having the same handshake problem, including the -6996 error. HTTPS is fine, the only problem we see is with ESMTP STARTTLS.

In our case, our own LPMS/xmail server couldn’t send any mail to the Domino server after applying the POODLE interim fix, until we disabled STARTTLS on the Domino side. The handshake is failing, and the xmail server can’t or won’t fall back to unencrypted, although it is configured to do so. Something in the Domino SMTP response to “STARTTLS” causes a failure so bad, that our xmail won’t recover and considers it a 417 Temporary delivery error.

I think Mark was on to something with the Symantec technote about SSLv2Hello.

I have access to both servers. What should I try?

Subject: Re. FWIW, nginx proxy will give you an “easy A”

And when nginx has an unpached security issue, you can put a different tranparent proxy in front of that. It’ll be transparent proxies all the way down.

The core functions of Domino should be engineered to be as secure as nginx (or whatever) for the services Domino provides. If you want a transparent proxy for administrative advantages or to provide functionality beyond the core functionality of Domino, fine, that’s cool. But it should not be a requirement to simply make Domino work safely performing the ordinary tasks it is designed to do.

Love the quote from Helen Keller.

Subject: Re. FWIW, nginx proxy will give you an “easy A”

“The core functions of Domino should be engineered to be as secure as nginx (or whatever) for the services Domino provides.”

Couldn’t agree more. Lotus Notes was doing encryption before most products out there were in diapers. If it was now like it was then, we would all be chuckling when these poodle vulnerabilities were announced.

Subject: Agreed. That said, I still prefer to use a reverse proxy for the time being.

I.e., until it becomes evident that Domino really has caught up.

Subject: The only thing that can be said is that which has been said

Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.
Helen Keller, The Open Door (Doubleday, 1957)