Ooh, good catch, Craig. I hadn't noticed, but this is definitely important and should be kept up to the latest standard.

Duplicate of { Link }

@2 (Lars)... Indeed, welp, at least we can enjoy being ignored together. ;-)

Plus, if they haven't gotten around to it in 2 years, I think they need a reminder!

The XWorks server will not get anywhere with this fix. The security that Domino is known for is now comprised.

TLS Support is very important. Many of the US government organizations now require TLS. IBM, please take it as a top priority. It is very very important to keep your current customers..

SSL/TLS1.0 have been made insecure, IBM NEEDS TO UPDATE (emphasis intended)

Documenting the NEED:
Link to slashdot documenting the insecurity of SSL up to and including TLS 1.0 { Link }

Yep. One if IBM usp's for Domino is the security inherent in the product. Shame that is security is from 1994. This simply needs to be addressed and causes issues with other Lotus products like Lotus Protector.

It's even worse than only supporting TLS 3.0. TLS is only supported for SMTP connections and not HTTP connections. Therefore, any FDCC machine using IE cannont connect to a Domno site using HTTPS because TLS is the only HTTPS connection allowed.

Has there been any word from IBM on this? I understood there was an enhancement request out on this, but has there been any progress? Or has IBM decided to leave the Fed Govt space as far as Domino is concerned?

Great question. For the answer, you should call IBM Technical Support at 1-800-426-7378. If You haven't already, you need to have an SPR created or if one exists as you implied, then get your organization added to the request. That is the only way. This forum is just a "feel good" website that some IBM engineers occasionally glance at.

I keep pressing this to IBM from last 2 years. It's required for Federal govt. All this time I was getting the answer that no one is asking for it which I find hard to believe.

But there is a good news. I got the word from Product Manager in last LotusPhere that it's coming in 8.5.4 sometime Q32012.

Prakash

Do you have any more information regarding this (Q3 8.5.4 support)? I could not find it in the 8.5.4 documentation. I really hope they move forward with this, this has been a pain point for some time that is now becoming critical.

If you really want FULL/REAL TLS over SMTP support in Domino, call in to IBM support and get them to create a PMR and add it to "APAR LO67453 SPR #YDEN8RNH22 for Enhancement ".

@ Prakash and @ Patrick. IBM's has kludged HTTP support for TLS by providing an option to add the IBM HTTP server (see here: { Link }

HOWEVER, that does not add full TLS support for other protocols (SMTP, LDAP, SMTP, POP3, SMTP, IMAP, SMTP, etc).

I called in and got added to the SPR.

Don't forget proper support for SHA2+ (since SHA1 is going the way of the dinosaur)

Help me understand if I'm reading this correctly:

{ Link }

"The MD5/SHA-1 combination in the pseudorandom function (PRF) has
been replaced with cipher-suite-specified PRFs. All cipher suites
in this document use P_SHA256."

so, it seems that TLS 1.2 implies/requires SHA256 (or higher)

Which means that just by keeping Domino's security stack reasonably close to modern, this SHA1 debacle WOULD NEVER HAVE COME UP.

Note: the TLS 1.2 RFC is from 2008, so I use the phrase "reasonably close to modern" loosely.

This is a good article that shows the complete complexity involved:

Steve Pitcher: In the Wheelhouse: IBM, We Have an SSL Problem

{ Link }

If you have built in security in Domino then IBM can't stop updating the algorithms within Domino. Even for cloud based offerings - this is essential. We all need a fix for this - better sooner than later!