My Domino servers have the security finding:
“Return Of Bleichenbacher’s Oracle Threat (ROBOT) Information Disclosure”
How am I supposed to fix this? Does IBM have a published fix? If not,
does anyone know when a fix will be forthcoming?
Thanks.
Subject: Workaround…
By only enabling ECDHE & DHE ciphers this appears to have worked around the issue and I no longer get the ROBOT errors.
FYI this is the notes.ini I used: SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013
Subject: ROBOT to be addressed in FP10
Daniel Nashed in his blog mentions that ROBOT is to be addressed in Feature Pack 10: Daniel Nashed's Blog http://blog.nashcom.de/nashcomblog.nsf/dx/robot-ssltls-attack.htm
Mr. Nashed also makes the point that most browsers would try to use more secure ciphers when they are available, so the actual risk of less secure ciphers may be overstated.
Subject: Me too…
We have just upgraded customer servers to the latest 9.0.1FP9 and are also getting these alerts when testing the SSL config via Qualys Labs.
Anyone from IBM care to advise how to mitigate/fix this?
Subject: Workaround works for me
Thanks. This workaround worked. My SSLCipherSpec looks like this: SSLCipherSpec=C030009FC028006BC0140039
I only enabled the 256 bit ciphers.
Subject: Here is the list I used
SSLCipherSpec=C030009FC02F009EC028006BC0270067C014
Per SSL Labs that allows support for IE 8-10.
Howard
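The three SSLCipherSpec values posted in this thread are concatenated four-hex-digit TLS cipher-suite IDs from the IANA registry. The script below is an added example (not from any poster, not IBM's tooling, and not part of the Domino product) that decodes such a string, names each suite, and flags the ones that use static RSA key exchange (TLS_RSA_*), which is the class of suites ROBOT targets; (EC)DHE suites that merely authenticate with an RSA certificate are not affected, which is why the workaround keeps only those. The pre-workaround list used in main() is constructed for illustration; the suite table is a subset of the IANA registry.

```python
"""Audit a Domino notes.ini SSLCipherSpec value for static-RSA key exchange.

SSLCipherSpec is a run of 4-hex-digit IANA cipher-suite IDs with no separator.
Static RSA key exchange (TLS_RSA_*) is what a Bleichenbacher/ROBOT oracle
attacks; ECDHE_RSA and DHE_RSA suites only use RSA for authentication.
"""
import re

# Subset of the IANA TLS cipher-suite registry: hex ID -> suite name.
CIPHER_SUITES = {
    # (EC)DHE key exchange, RSA authentication: forward secret, not ROBOT-relevant
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C028": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "C027": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "C014": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "C013": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "006B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "0067": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    # static RSA key exchange: the suites a ROBOT-style oracle targets
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def parse_cipher_spec(spec):
    """Split an SSLCipherSpec value into a list of upper-case 4-hex-digit IDs."""
    spec = spec.strip().upper()
    if len(spec) % 4 != 0 or not re.fullmatch(r"[0-9A-F]*", spec):
        raise ValueError("SSLCipherSpec must be a run of 4-hex-digit suite IDs")
    return [spec[i:i + 4] for i in range(0, len(spec), 4)]


def key_exchange(name):
    """Classify a suite by its key-exchange method from the IANA name."""
    if name.startswith("TLS_ECDHE_"):
        return "ECDHE"
    if name.startswith("TLS_DHE_"):
        return "DHE"
    if name.startswith("TLS_RSA_WITH_"):
        return "RSA"
    return "unknown"


def audit(spec):
    """Return the decoded suites, the static-RSA ones, and any IDs not in the table."""
    result = {"suites": [], "robot_exposed": [], "unknown": []}
    for cid in parse_cipher_spec(spec):
        name = CIPHER_SUITES.get(cid)
        if name is None:
            result["unknown"].append(cid)  # not in our table: review by hand
            continue
        result["suites"].append((cid, name))
        if key_exchange(name) == "RSA":
            result["robot_exposed"].append((cid, name))
    return result


def strip_rsa_key_exchange(spec):
    """Rebuild the spec without TLS_RSA_* suites; unknown IDs are kept for review."""
    keep = [cid for cid in parse_cipher_spec(spec)
            if key_exchange(CIPHER_SUITES.get(cid, "")) != "RSA"]
    return "".join(keep)


def main():
    # Working list posted in the thread, and a constructed pre-workaround list
    # that still offers static RSA suites (constructed sample, not from the thread).
    samples = {
        "thread workaround": "C030009FC02F009EC028006BC0140039C0270067C013",
        "constructed pre-fix": "C030009F009D003D0035002F",
    }
    for label, spec in samples.items():
        report = audit(spec)
        print(f"== {label}: SSLCipherSpec={spec}")
        for cid, name in report["suites"]:
            print(f"  {cid}  {key_exchange(name):5}  {name}")
        if report["robot_exposed"]:
            print("  static RSA key exchange present; suggested replacement:",
                  strip_rsa_key_exchange(spec))
        else:
            print("  no static RSA key exchange suites")


if __name__ == "__main__":
    main()
```

Whether a given Domino build actually leaks a padding oracle is what the Qualys test measures; removing the TLS_RSA_* suites takes the key-exchange mode the oracle needs off the table regardless, which is the effect of the three lists above. The IE 8-10 compatibility point in the last post comes from keeping the SHA-1 CBC suite C014 (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) in the list.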