As many of you are aware, a number of vulnerabilities have been exposed in the SSL/TLS protocols over the past years. Among others, TLS 1.0 is vulnerable to man-in-the-middle attacks, and SSLv3 was the basis for the POODLE attack. Most websites are now secured against these weaknesses, but did you also secure your Domino and/or Traveler server?
If you've read the intro and you've clicked the link, then we have some work to do on your Domino environment.
First of all, applying these modifications is only necessary on Domino servers running SSL-secured websites. Although I don't advise you to keep using an unsecured HTTP website, these patches do not apply to them.
To secure your server, there are three main modifications to deal with: disable support for TLS 1.0, disable support for SSLv3, and finally disable support for insecure cipher suites.
Disabling TLS 1.0
You need IBM Domino 9.0.1 FP3 IF2 or higher before you can disable TLS 1.0.
Once the system requirements are met, set this parameter in your configuration document or notes.ini: SSL_DISABLE_TLS_10=1
Disabling SSLv3
You need IBM Domino 9.0.1 FP2 IF3 or higher before you can continue.
After applying the correct fix pack and interim fix, set the following parameter in your notes.ini or configuration document: DISABLE_SSLV3=1
Disabling insecure cipher suites
You need IBM Domino 9.0.1 FP4 IF2 or higher before you can go on.
In this article you can check which cipher suites you want to keep.
Put this setting in your notes.ini and the server will only use these cipher suites:
1. ECDHE_RSA_WITH_AES_256_GCM_SHA384 (C030)
2. DHE_RSA_WITH_AES_256_GCM_SHA384 (009F)
3. ECDHE_RSA_WITH_AES_128_GCM_SHA256 (C02F)
4. DHE_RSA_WITH_AES_128_GCM_SHA256 (009E)
As you can see, each cipher suite is identified by a four-digit hexadecimal code. These codes are what you specify in the SSLCipherSpec parameter, one after the other, without dashes or spaces.
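The following checker, added here as an example and not part of the original post or of Domino itself, builds the SSLCipherSpec value from the four codes listed above and audits a notes.ini text for the three settings this post describes (SSL_DISABLE_TLS_10, DISABLE_SSLV3 and SSLCipherSpec). The sample notes.ini content is constructed for the example; the finding texts and function names are my own.

```python
import re

# Suites the post recommends, keyed by the hex code that goes into SSLCipherSpec.
RECOMMENDED_SUITES = {
    "C030": "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "009F": "DHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "009E": "DHE_RSA_WITH_AES_128_GCM_SHA256",
}
# Protocol switches from the post; each must be present and set to 1.
REQUIRED_FLAGS = {"SSL_DISABLE_TLS_10": "1", "DISABLE_SSLV3": "1"}

def build_cipher_spec(codes):
    """Join 4-hex-digit suite codes into one SSLCipherSpec value, no separators."""
    if any(not re.fullmatch(r"[0-9A-Fa-f]{4}", c) for c in codes):
        raise ValueError("every cipher code must be exactly four hex digits")
    return "".join(c.upper() for c in codes)

def parse_notes_ini(text):
    """Return {KEY: value} from notes.ini text (keys upper-cased, ';' comments skipped)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().upper()] = value.strip()
    return settings

def audit_notes_ini(text):
    """Return findings; an empty list means all three hardening settings are in place."""
    settings = parse_notes_ini(text)
    findings = []
    for key, wanted in REQUIRED_FLAGS.items():
        if settings.get(key) != wanted:
            findings.append(f"{key} should be {wanted}, found {settings.get(key)!r}")
    spec = settings.get("SSLCIPHERSPEC", "")
    if not spec:
        findings.append("SSLCipherSpec not set: the default suite list stays enabled")
    elif len(spec) % 4 or not re.fullmatch(r"[0-9A-Fa-f]+", spec):
        findings.append(f"SSLCipherSpec {spec!r} is not a run of 4-hex-digit codes")
    else:  # walk the value four hex digits at a time and flag anything not on the list
        for code in (spec[i:i + 4].upper() for i in range(0, len(spec), 4)):
            if code not in RECOMMENDED_SUITES:
                findings.append(f"SSLCipherSpec enables suite {code}, not in the recommended list")
    return findings

# Constructed sample: TLS 1.0 is still enabled and a code outside the list (0035) was left in.
SAMPLE_NOTES_INI = "DISABLE_SSLV3=1\nSSLCipherSpec=C030009FC02F009E0035\n"

RECOMMENDED_SPEC = build_cipher_spec(RECOMMENDED_SUITES)  # "C030009FC02F009E"
SAMPLE_FINDINGS = audit_notes_ini(SAMPLE_NOTES_INI)  # two findings for the sample above
```

Running the audit against the sample reports the missing SSL_DISABLE_TLS_10 and the extra suite; a value written with dashes or spaces is reported as malformed rather than silently accepted.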
Disabling cipher suites will block access to your sites from older devices and browsers, such as Internet Explorer on Windows XP. Please keep that in mind.
You can verify your server's rating on SSL Labs: https://www.ssllabs.com/ssltest/
EASI offers to configure these settings for its customers. We offer this at a package price per Domino server of 1 hour if the system requirements are already met and 2 hours if fix packs or interim fixes are missing. Please contact your sales contact or me directly at email@example.com