TLS *without* IHS?

Is it possible at this point to enable TLS (even 1.0) without also installing IHS? The article at http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0 seems to suggest that all that is necessary is to install the fix pack then bring the server back up. Yet accessing the site with Firefox (what prompted) still is not possible, as it shows the server is only negotiating SSL 3.0.

(For the record, I’m not an admin, just a developer at a very small company, but I’ve been tasked with trying to find a solution).

Subject: Yes it is

Disclaimer: I’m no security expert, but by installing Domino 9.0.1 FP2 IF1 you are enabling TLS v1.0 (and disabling SSL3 - kind of). See Darren Duke’s blog http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/the-domino-fixes-for-poodle-and-tls-you-may-not-be-done-yet.htm for some great information. Also see this thread: http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?action=openDocument&documentId=E614F339E975A7A485257D860064343A

The only way to totally disable SSL3 in Domino 9.0.x is to use IHS - but IHS is now vulnerable to the POODLE TLS attack. IBM are yet to respond.

I would suggest using Chrome to test. FF may still throw an error depending on the certificates you are using.

Subject: Disabling SSL v3 on Domino

A notes.ini setting is available to disable SSL v3. It is: DEBUG_UNSUPPORTED_DISABLE_SSLV3=17

This setting takes effect with a restart of any server tasks that are using SSL, such as HTTP.

If you use an IHS server in front of Domino, you can use TLS 1.2. The Domino server at this time only uses TLS 1.0.
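
An added example, not part of the thread or any IBM tooling: a browser-independent check of what the server negotiates after the fix pack or the notes.ini change, done by sending a bare ClientHello capped at one protocol version and reading the version in the ServerHello. It assumes the server answers without SNI and accepts one of four common RSA cipher suites; the function names and the sample reply bytes are constructed for illustration.

```python
import os, socket, struct, sys

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello(version):
    """Minimal ClientHello (no extensions) whose highest offered version is `version`."""
    # RSA suites: AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA, RC4-128-SHA
    ciphers = struct.pack(">4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (struct.pack(">H", version) + os.urandom(32) + b"\x00"  # empty session id
            + struct.pack(">H", len(ciphers)) + ciphers + b"\x01\x00")  # null compression
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # 3-byte handshake length
    rec_ver = min(version, 0x0301)  # record layer stays at or below TLS 1.0
    return b"\x16" + struct.pack(">HH", rec_ver, len(hs)) + hs

def parse_reply(data):
    """Return the version chosen in a ServerHello, or why the offer was refused."""
    if len(data) >= 7 and data[0] == 0x15:  # alert record: level, description
        return "rejected (alert %d)" % data[6]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        ver = struct.unpack(">H", data[9:11])[0]
        return VERSIONS.get(ver, "unknown 0x%04x" % ver)
    return "rejected (no ServerHello)"

def probe(host, port, version, timeout=5.0):
    """Offer `version` as the maximum and report what the server picks."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello(version))
        try:
            while len(data) < 11:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionResetError):
            pass
    return parse_reply(data)

# Constructed sample: a ServerHello record selecting SSL 3.0 (random bytes zeroed).
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                       + bytes(32) + b"\x00\x00\x2f\x00")

if __name__ == "__main__" and len(sys.argv) > 1:
    for v in (0x0300, 0x0301):  # run against a server you administer
        print(VERSIONS[v], "offered ->", probe(sys.argv[1], 443, v))
```

A server that still answers "SSL 3.0" to the first probe has SSL v3 enabled; one that answers "SSL 3.0" to the TLS 1.0 offer is not negotiating TLS at all.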