Please update Domino to fully support TLS (SSL v3.1) 
Use this IdeaSpace to post ideas about Domino Server.
Category: Domino Server / Web application server
Tags: ssl tls 3.1
Posted by Craig Wiseman, 10 Feb 2011
Domino has always had strong standards support for Interweb protocols, but that seems to be slipping a bit. At present, Domino http & smtp do not fully support TLS. For competitive reasons and to keep the product progressing, it needs to.
"Just to clarify, the STARTTLS command in Domino SMTP actually negotiates an SSLv3.0 connection, not a SSLv3.1 connection, and TLS (aka SSLv3.1) support for Domino is not currently committed to any particular feature release."

1) David Hablewitz (25 Feb 2011)
Ooh, good catch, Craig. I hadn't noticed, but this is definitely important and should be kept up to the latest standard.
2) Lars Berntrop-Bos (05 Apr 2011)
Duplicate of { Link }
3) Craig Wiseman (05 Apr 2011)
@2 (Lars)... Indeed, welp, at least we can enjoy being ignored together. ;-)
4) Craig Wiseman (05 Apr 2011)
Plus, if they haven't gotten around to it in 2 years, I think they need a reminder!
5) Richard Moy (21 Sep 2011)
The XWorks server will not get anywhere with this fix. The security that Domino is known for is now compromised.
6) Baiju Thomas (21 Sep 2011)
TLS support is very important. Many of the US government organizations now require TLS. IBM, please take it as a top priority. It is very, very important to keep your current customers.
7) Lars Berntrop-Bos (22 Sep 2011)
SSL/TLS 1.0 have been made insecure, IBM NEEDS TO UPDATE (emphasis intended)
8) Lars Berntrop-Bos (22 Sep 2011)
Documenting the NEED:
Link to slashdot documenting the insecurity of SSL up to and including TLS 1.0 { Link }
9) Darren Duke (22 Sep 2011)
Yep. One of IBM's USPs for Domino is the security inherent in the product. Shame that security is from 1994. This simply needs to be addressed and causes issues with other Lotus products like Lotus Protector.
10) Sean Burgess (27 Sep 2011)
It's even worse than only supporting TLS 3.0. TLS is only supported for SMTP connections and not HTTP connections. Therefore, any FDCC machine using IE cannot connect to a Domino site using HTTPS because TLS is the only HTTPS connection allowed.
11) Patrick McAllister (29 Nov 2011)
Has there been any word from IBM on this? I understood there was an enhancement request out on this, but has there been any progress? Or has IBM decided to leave the Fed Govt space as far as Domino is concerned?
12) David Hablewitz (29 Nov 2011)
Great question. For the answer, you should call IBM Technical Support at 1-800-426-7378. If you haven't already, you need to have an SPR created or, if one exists as you implied, then get your organization added to the request. That is the only way. This forum is just a "feel good" website that some IBM engineers occasionally glance at.
13) Prakash Punj (25 Jan 2012)
I have kept pressing IBM on this for the last 2 years. It's required for Federal govt. All this time I was getting the answer that no one is asking for it, which I find hard to believe.

But there is good news. I got the word from the Product Manager at the last Lotusphere that it's coming in 8.5.4 sometime in Q3 2012.

14) Patrick McAllister (21 Mar 2012)
Do you have any more information regarding this (Q3 8.5.4 support)? I could not find it in the 8.5.4 documentation. I really hope they move forward with this, this has been a pain point for some time that is now becoming critical.
15) Craig Wiseman (16 May 2013)
If you really want FULL/REAL TLS over SMTP support in Domino, call in to IBM support and get them to create a PMR and add it to "APAR LO67453 SPR #YDEN8RNH22 for Enhancement".
16) Craig Wiseman (16 May 2013)
@ Prakash and @ Patrick. IBM has kludged HTTP support for TLS by providing an option to add the IBM HTTP server (see here: { Link })

HOWEVER, that does not add full TLS support for other protocols (SMTP, LDAP, SMTP, POP3, SMTP, IMAP, SMTP, etc).
17) David Hablewitz (15 Jul 2013)
I called in and got added to the SPR.
18) Ninke Westra (23 Sep 2014)
Don't forget proper support for SHA2+ (since SHA1 is going the way of the dinosaur)
19) Craig Wiseman (23 Sep 2014)
Help me understand if I'm reading this correctly:

{ Link }

"The MD5/SHA-1 combination in the pseudorandom function (PRF) has
been replaced with cipher-suite-specified PRFs. All cipher suites
in this document use P_SHA256."

so, it seems that TLS 1.2 implies/requires SHA256 (or higher)

Which means that just by keeping Domino's security stack reasonably close to modern, this SHA1 debacle WOULD NEVER HAVE COME UP.

Note: the TLS 1.2 RFC is from 2008, so I use the phrase "reasonably close to modern" loosely.
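As an added example that is not part of Craig's post or of anything IBM published, here is the RFC 5246 data-expansion function and TLS 1.2 PRF in Python, with the TLS 1.0/1.1 MD5/SHA-1 PRF alongside for contrast, so the quoted sentence can be checked in code. The sample secret and random values are constructed, and the version tuples follow the TLS record-layer numbering (TLS 1.0 = 3.1, TLS 1.2 = 3.3) that the thread's "SSL v3.1" name refers to.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """RFC 5246 section 5 data-expansion function P_<hash>:
    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)), and the output is
    HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5): PRF(secret, label, seed) =
    P_SHA256(secret, label + seed) for every cipher suite in that RFC.
    This is the quoted point: a TLS 1.2 stack necessarily carries SHA-256."""
    return p_hash("sha256", secret, label.encode("ascii") + seed, length)


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5), shown for contrast: the secret is
    split into halves (overlapping by one byte when odd), S1 is expanded with
    P_MD5 and S2 with P_SHA1, and the two streams are XORed together."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    label_seed = label.encode("ascii") + seed
    md5_stream = p_hash("md5", s1, label_seed, length)
    sha1_stream = p_hash("sha1", s2, label_seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def derive_master_secret(pre_master_secret, client_random, server_random, version=(3, 3)):
    """RFC 5246 section 8.1: master_secret = PRF(pre_master_secret,
    "master secret", ClientHello.random + ServerHello.random)[0..47].
    version (3, 3) is TLS 1.2; (3, 1) and (3, 2) select the MD5/SHA-1 PRF.
    SSL 3.0 (3, 0) derives its master secret by a different scheme entirely,
    so it is rejected rather than silently mis-derived."""
    if version < (3, 1):
        raise ValueError("SSL 3.0 does not use the TLS PRF")
    prf = tls12_prf if version >= (3, 3) else tls10_prf
    return prf(pre_master_secret, "master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real handshake.
    pms = bytes(range(48))
    crand, srand = b"\x11" * 32, b"\x22" * 32
    print("TLS 1.2 master secret:", derive_master_secret(pms, crand, srand).hex())
    print("TLS 1.0 master secret:", derive_master_secret(pms, crand, srand, (3, 1)).hex())
```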
20) Uwe Brahm (06 Oct 2014)
This is a good article that shows the complete complexity involved:

Steve Pitcher: In the Wheelhouse: IBM, We Have an SSL Problem

{ Link }

If you have built in security in Domino then IBM can't stop updating the algorithms within Domino. Even for cloud based offerings - this is essential. We all need a fix for this - better sooner than later!