Securing your Domino Web Servers

05/12/2018
Günther Imbrechts
Senior System Engineer, EASI

As many of you are aware, a number of vulnerabilities have been exposed in the SSL/TLS protocols over the years. Among others, TLS 1.0 is vulnerable to man-in-the-middle attacks and SSLV3 was the basis for the POODLE attack. Most websites are now protected against these weaknesses, but did you also secure your Domino and/or Traveler server?

If you've read the intro and clicked the link, then we have some work to do on your Domino environment.
First of all, these modifications are only necessary on Domino servers running SSL-secured websites. Although I don't advise you to keep using an unsecured HTTP website, these patches do not apply to it.

3 modifications

To secure your server there are three main modifications to deal with: disable support for TLS 1.0, disable support for SSLV3 and finally disable support for insecure cipher suites.

Disabling TLS1.0

You need IBM Domino 9.0.1 FP3 IF2 or higher before you can apply this setting.

Once the system requirements are met, set this parameter in your server configuration document or notes.ini: SSL_DISABLE_TLS_10=1

Disabling SSLV3

You need IBM Domino 9.0.1 FP2 IF3 or higher before you can continue.

After applying the correct fix pack and interim fix, set the following parameter in your notes.ini or server configuration document: DISABLE_SSLV3=1

Disabling insecure cipher suites

You need IBM Domino 9.0.1 FP4 IF2 or higher before you can go on.

In this article you can check which cipher suites you want to keep.

One example

SSLCipherSpec=C030C02F009F009E

Put this setting in your notes.ini and the server will only use these ciphers:

1. ECDHE_RSA_WITH_AES_256_GCM_SHA384 (C030)

2. DHE_RSA_WITH_AES_256_GCM_SHA384 (009F)

3. ECDHE_RSA_WITH_AES_128_GCM_SHA256 (C02F)

4. DHE_RSA_WITH_AES_128_GCM_SHA256 (009E)

As you can see, each cipher suite is identified by a four-digit hexadecimal code. These codes are concatenated into the SSLCipherSpec parameter, without dashes or spaces.
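To check a server against all three modifications at once, here is an added example (not from the article or from EASI) that reads a notes.ini fragment, verifies SSL_DISABLE_TLS_10 and DISABLE_SSLV3, and decodes SSLCipherSpec into the suite names listed above. It assumes the four cipher IDs from the article plus two legacy IDs from the IANA TLS registry, and uses the rule "only (EC)DHE with AES-GCM counts as modern", which follows the article's example list; the notes.ini content is constructed for the demo.

```python
import re

# Cipher IDs from the article plus two legacy suites (IANA TLS registry) that
# the audit should flag; keys are the 4-hex-digit codes used in SSLCipherSpec.
CIPHER_NAMES = {
    "C030": "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "009F": "DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "DHE_RSA_WITH_AES_128_GCM_SHA256",
    "002F": "RSA_WITH_AES_128_CBC_SHA",  # static RSA key exchange: no forward secrecy
    "0005": "RSA_WITH_RC4_128_SHA",      # RC4: broken
}
REQUIRED = {"SSL_DISABLE_TLS_10": "1", "DISABLE_SSLV3": "1"}  # per the article

def parse_notes_ini(text):
    """Return notes.ini key=value lines as a dict with upper-cased keys."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(";"):  # skip blank and comment lines
            settings[key.strip().upper()] = value.strip()
    return settings

def decode_cipher_spec(spec):
    """Split the concatenated hex string into 4-digit IDs and name each one."""
    spec = re.sub(r"[\s-]", "", spec).upper()  # tolerate stray dashes/spaces
    if len(spec) % 4 or not re.fullmatch(r"[0-9A-F]*", spec):
        raise ValueError("SSLCipherSpec must be a run of 4-hex-digit cipher IDs")
    return [(spec[i:i + 4], CIPHER_NAMES.get(spec[i:i + 4], "unknown"))
            for i in range(0, len(spec), 4)]

def audit(ini_text):
    """List findings for the three modifications described in the article."""
    settings = parse_notes_ini(ini_text)
    findings = [f"{k} is not set to {v}" for k, v in REQUIRED.items()
                if settings.get(k) != v]
    spec = settings.get("SSLCIPHERSPEC")
    if spec is None:
        findings.append("SSLCipherSpec not set: server default cipher list applies")
    else:
        for cid, name in decode_cipher_spec(spec):
            if name == "unknown":
                findings.append(f"unknown cipher ID {cid}: verify it before keeping it")
            elif not (name.startswith(("ECDHE_", "DHE_")) and "_GCM_" in name):
                findings.append(f"legacy cipher enabled: {name} ({cid})")
    return findings

# Constructed notes.ini fragment (not a real server): SSLv3 still on, RC4 still listed.
SAMPLE_INI = """SSL_DISABLE_TLS_10=1
SSLCipherSpec=C030C02F009F009E0005
"""
```

Running audit(SAMPLE_INI) reports the missing DISABLE_SSLV3 setting and the RC4 suite; a fully hardened fragment yields an empty list.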

If you disable cipher suites, you will also cut off access to your sites for older devices and browsers, such as Internet Explorer on Windows XP. Please keep that in mind.

You can verify your server's rating on SSL Labs: https://www.ssllabs.com/ssltest/

Need help?

EASI offers its customers a service to configure these settings. We offer this at a package price per Domino server of 1 hour if the system requirements are already met and 2 hours if Fix Packs or Interim Fixes are missing. Please contact your sales representative or myself at g.imbrechts@easi.net.
