Last month, in December 2017 a new (well old, but new) vulnerability was discovered in TLS, the ROBOT attack (Return Of Bleichenbacher's Oracle Threat) and yes, your Domino servers are probably susceptible to it. To avoid re-posting everything from that article go read it them come back.

Your back? OK. So you need to disable any and all RSA encryption ciphers. So here goes (all tests were done on a 9.0.1 FP9 server).....


Before a custom SSLCipherSpec:


Image:How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers

If you look at the ciphers, sure enough there are RSA ciphers in there (TLS_RSA_xxxxxx) for both TLS 1.2 and TLS 1.0 respectively:


Image:How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers

Image:How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers

OK, Houston we have a problem. To rectify it use this SSLCipherSpec


C030009FC02F009EC028006BC0140039C0270067C013C0140039C013



Note, I added this via the Domino Console):



set config SSLCIPHERSPEC= C030009FC02F009EC028006BC0140039C0270067C013C0140039C013



Results of the SSL Test after restarting HTTP:


Image:How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers

And the errant ciphers are gone:


Image:How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers
Darren Duke   |   January 15 2018 01:51:20 PM   |    domino  domino security  security    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (3)

Gravatar Image
1 - Sean Cull       01/15/2018 3:09:03 PM

Thanks Darren - I picked this up last week and was wondering what IBM's response would be.

It is a particular shame when a fix is readily available using existing Domino functionality searching for +SSLCIPHERSPEC +ibm +domino +Bleichenbacher's gives no IBM technote results.

Gravatar Image
2 - Yancy Lent    https://sentworks.com    01/15/2018 6:12:02 PM

Hi Darren! Thanks for posting this. I was able to check and verify mine is OK.

PS: I bet you'd get to an A+ with ssllabs.com if you enabled HSTS. -Yancy

Gravatar Image
3 - Don       01/16/2018 3:22:41 PM

Thanks a lot for posting this!