Unless you have been living under a rock somewhere you no doubt know that IBM finally gave us TLS 1.2 for IBM Domino servers. This means that Domino servers can now use SSLv3, TLS 1.0 and TLS 1.2. But it's IT, so just because you can does not mean you should. For example, I would suggest most servers (I'll get to the outliers further down the page) would probably want SSLv3 disabled. If you have been under a rock, then you need Domino 9.0.1 FP3 IF2 to get this new goodness.

Now this fix is only for Domino 9.0.1 FP3, so you have a further reason to upgrade to R9 (SHA2 wasn't enough?), and it is provided as an IF from Fix Central. There are other goodies in this release too, like additional ciphers and forward secrecy (aka FS). Forward secrecy? Yes. Via Wikipedia:

In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS and also key erasure) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.


However (there's always a however), IBM has chosen not to enable FS by default. This is because IBM doesn't know how crap your servers are, as FS is "resource intensive". If you have crap servers, like a Pentium II running your production environment, then FS is not for you (neither is IT, for that matter). If you're running a pretty recent CPU with plenty of RAM, then you should be OK. And you really want FS. No really, you do.

So you've decided that your server hardware is up to the task; what do you do to get FS and the promise of angels singing and cries of despair from hackers now thwarted? Well, you have to use Notes.ini settings. See, IBM are doing good stuff here: they are giving us new, very important features in fix packs and IFs. The cost of that is there are not yet any UI equivalents in the server and config docs. I'm good with that, good on yer IBM.

A few blog posts back, I mentioned the SSLCipherSpec notes.ini setting, and it is this setting that once again gets to do all the work. Here's the thing though: I would change the values in this setting based on the use of the Domino server. I'm not convinced there is "one setting to rule them all" yet. I would suggest to you, dear reader, that a Traveler server needs different settings to an iNotes server, which is different again to an SMTP gateway server. Before that, go read Daniel Nashed's excellently detailed post on all the new ciphers, then come back here.

Remember, SSLCipherSpec will be used regardless of what you have in the server or internet document, and it is server wide.

iNotes with XP and IE support

Let's start with iNotes. Some organizations still need XP with IE support. Yes, they do. Get over it. This is a conniption-free zone with regards to XP. If you do need XP with IE then use TLS 1.0 with Triple DES. Why? Well, XP with IE does not support AES, so that cipher is out; RC4 is now frowned upon, so that cipher is out, leaving us with 3DES. Given the need for XP with IE support alongside FS on other platforms, I would suggest this cipher list for an iNotes server, and you'll get an A- on SSL Labs:

SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F
DISABLE_SSLV3=1


(Firefox and Chrome on XP do not have the same issues as IE)

iNotes without XP and IE support

Drop the 3DES cipher (0A), keep SSLv3 disabled, and get an A- on SSL Labs:

SSLCipherSpec=9D9C3D3C352F3339676B9E9F
DISABLE_SSLV3=1


(will also work with XP running Firefox or Chrome)

Traveler

Same as iNotes with no XP support:

SSLCipherSpec=9D9C3D3C352F3339676B9E9F
DISABLE_SSLV3=1


SMTP Domino Gateway

This is where it gets tricky if you're using STARTTLS (you are using STARTTLS, right?) or your iNotes server is also your SMTP gateway. I would love to be able to say kill off SSLv3, but that's a decision only you can make based on your findings of what breaks when others try to send you TLS messages; I don't think there is one size fits all here. I would start with this and adjust as necessary (you may need to add RC4 ciphers back in):

SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F
DISABLE_SSLV3=1
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
RouterFallbackNonTLS=1


or (with SSLv3)

SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
RouterFallbackNonTLS=1


or (with SSLv3 and RC4):

SSLCipherSpec=9D9C3D3C352F04050A3339676B9E9F
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
RouterFallbackNonTLS=1
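As an added example (not IBM's or this post's own code), here is a small Python decoder and lint for the SSLCipherSpec values shown in the profiles above. It assumes the value is a concatenation of two-hex-digit suite IDs matching the low byte of the IANA TLS cipher suite numbers, which is consistent with how the profiles are edited here (removing 0A drops 3DES, appending 0405 brings RC4 back); the suite name table is taken from the IANA registry.

```python
# Decode an IBM Domino SSLCipherSpec notes.ini value and lint it.
# Assumption: the value is a run of two-hex-digit TLS cipher suite IDs
# (the low byte of the IANA 0x00xx value). This matches the post's edits:
# dropping "0A" removes 3DES and appending "0405" adds the two RC4 suites.

# IANA cipher suite names for the IDs used in the post's profiles.
SUITES = {
    0x9D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x9C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x3D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x3C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x67: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x6B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x9E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x9F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x04: "TLS_RSA_WITH_RC4_128_MD5",
    0x05: "TLS_RSA_WITH_RC4_128_SHA",
}

def parse_cipher_spec(value):
    """Split 'SSLCipherSpec=...' (or the bare hex value) into suite names, in order."""
    value = value.split("=", 1)[-1].strip()
    if len(value) % 2 or not all(c in "0123456789abcdefABCDEF" for c in value):
        raise ValueError("SSLCipherSpec must be an even-length hex string")
    ids = [int(value[i:i + 2], 16) for i in range(0, len(value), 2)]
    return [SUITES.get(i, "UNKNOWN_0x%02X" % i) for i in ids]

def lint_cipher_spec(value):
    """Report what the post cares about: legacy suites present and how many give FS (DHE)."""
    names = parse_cipher_spec(value)
    return {
        "count": len(names),
        "has_3des": any("3DES" in n for n in names),
        "has_rc4": any("RC4" in n for n in names),
        "fs_suites": sum(1 for n in names if n.startswith("TLS_DHE_")),
        "unknown": [n for n in names if n.startswith("UNKNOWN_")],
    }

if __name__ == "__main__":
    for profile in ("SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F",      # iNotes with XP/IE
                    "SSLCipherSpec=9D9C3D3C352F3339676B9E9F",        # iNotes / Traveler
                    "SSLCipherSpec=9D9C3D3C352F04050A3339676B9E9F"):  # SMTP with RC4
        print(profile, lint_cipher_spec(profile))
```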


Domino LDAP for LDAPS Dir Sync

If you're using any type of LDAP sync with cloud based services for things like spam protection then this is difficult. You just need to try it and see. For instance SpamHero (which I like a lot...) only uses SSLv2 (yes....T. W. O) last I checked. I did email them for clarification and they did say they are addressing this. I have not checked in a few weeks (Update July 29th 2015 - SpamHero now supports TLS). So if this is the case, you cannot go above 9.0.1 FP2 for this server. Again: test, adjust, test again, repeat.

-------------------------------------

You may be wondering about the "A-" on the SSL Labs test. Well, it's to do with older browser support for FS and IBM choosing to not (yet?) implement ECDHE ciphers. I hope at some point they will reconsider this, as this does seem to be the current trend in ciphers, and well, we don't want to be left a decade or more behind again, right? I wonder what the (now new) top ranked, not fixed PMR is now?

So there you have it. TLS 1.2 support in Domino. Not quite as simple as you thought.

References:
TLS/SSL support history of web browsers - Wikipedia
Domino TLS Cipher Configuration - IBM

Darren Duke | April 6 2015 05:50:28 AM | domino ssl security tls
