TLS 1.2 for Domino 9.0.1 Implementation

Mindwatering Incorporated

Author: Tripp W Black

Created: 07/06/2015 at 12:49 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

Prerequisites:
Domino 9.0.1 FP3 IF2 (or higher).
FP2 completes the TLS 1.2 support; however, all TLS configuration in 9.0.1 is done via notes.ini parameters.

Installation:
Note: If you are running a previous IF or hotfix, you must run its install again to remove it.
- Upgrade the install of IBM Domino to Domino 9.0.1 "gold" if not already running 9.0.1.
- Install FP4 for your Linux distribution or other 64-bit OS.
(Before July 1st, 2015, you had to install FP3 and the latest IF pack (e.g. IF3). Keep the latest IF installer on the server so you can re-run it to remove that IF before installing another IF or hotfix. FP3 IF3 finally includes support for Perfect Forward Secrecy (PFS) and Diffie-Hellman (DHE) ciphers for SSL and TLS, and it also upgrades the JVM.)


STARTTLS Setup. If STARTTLS is not working, check the following:
1. Verify that the SMTP inbound and outbound mail ports (both 25) are enabled in the server document for SMTP Inbound:
Ports --> Internet Ports --> Mail tab --> Mail SMTP Inbound --> change to Enabled
and
Ports --> Internet Ports --> Mail tab --> Mail SMTP Outbound --> change to Negotiated SSL

2. In the server's configuration document, check the advanced SMTP/Router STARTTLS setting:
Router/SMTP --> Advanced --> Commands and Extensions -->
Switch SSL negotiated over TCP/IP port --> Verify Enabled

3. Check the Internet Site SMTP documents: SSL should allow both name/password and anonymous authentication, and the keyfile should be specified correctly.
(The keyfile is in the data folder. Tried both mykeyfile.kyr and the full path local/notesdata/mykeyfile.kyr unsuccessfully.)

4. Check file permissions and verify that all users can at least read the keyring files (.kyr and .sth).

For troubleshooting, use notes.ini:
SSL_TRACE_KEYFILEREAD=1
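Once the server document, configuration document and keyfile are in place, the quickest way to confirm the result is to speak SMTP to port 25, issue STARTTLS and look at what the server actually negotiates. The script below is an added example written for this article, not IBM Domino code; the host name is a placeholder you substitute, and the policy it applies (TLS 1.2 or later, a DHE/ECDHE suite for forward secrecy, no 3DES unless legacy clients require it) is this article's target configuration, not a Domino default. The evaluate_session function works offline on a (protocol, cipher) pair, so it can also be applied to output captured elsewhere.

```python
"""Check what a Domino SMTP server negotiates after STARTTLS.

Added example for this article, not Domino code. HOST is a placeholder.
"""
import smtplib
import ssl
import sys

HOST = "mail.example.com"   # placeholder: your Domino SMTP host
PORT = 25


def evaluate_session(version, cipher_name):
    """Return findings for a negotiated session, using OpenSSL cipher names.

    version is e.g. "TLSv1.2"; cipher_name is e.g. "DHE-RSA-AES256-GCM-SHA384".
    """
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append("negotiated %s; expected TLS 1.2 or later" % version)
    if not (cipher_name.startswith("DHE-") or cipher_name.startswith("ECDHE-")):
        findings.append("%s has no forward secrecy (no DHE/ECDHE key exchange)" % cipher_name)
    if "DES-CBC3" in cipher_name or "3DES" in cipher_name:
        findings.append("3DES negotiated; only needed for legacy clients such as IE on XP")
    return findings


def check_starttls(host=HOST, port=PORT, timeout=10):
    """Connect, EHLO, STARTTLS, and report protocol/cipher plus findings."""
    ctx = ssl.create_default_context()
    # Allow old protocol versions on the client side so we can observe what
    # the server picks; the findings flag anything below TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Matches the situation RouterFallbackNonTLS is meant to handle:
            # the peer never offers TLS at all.
            return {"starttls": False, "findings": ["server does not advertise STARTTLS"]}
        smtp.starttls(context=ctx)
        tls_sock = smtp.sock            # now an ssl.SSLSocket
        version = tls_sock.version()
        cipher_name, _, bits = tls_sock.cipher()
        return {
            "starttls": True,
            "version": version,
            "cipher": cipher_name,
            "bits": bits,
            "findings": evaluate_session(version, cipher_name),
        }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    result = check_starttls(host)
    for key, value in result.items():
        print("%-9s %s" % (key + ":", value))
```

Run it as `python starttls_check.py your.domino.host`. The same observation can be made from a shell with `openssl s_client -starttls smtp -connect host:25`, whose "Protocol" and "Cipher" lines correspond to the version and cipher fields above; if the negotiated protocol is TLS 1.0 although SSL_DISABLE_TLS_10=1 is set, the notes.ini change has not been picked up by the running server.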


Notes.ini Settings:
If you do not specify SSLCipherSpec ciphers, Domino defaults to the most secure ones. However, if you need to support legacy clients (such as IE on Windows XP), you will want to put in your own cipher string.

DISABLE_SSLV3=1
This disables SSLv3 use on the server. The setting is server-wide.

SSL_DISABLE_TLS_10=1
This disables TLS 1.0 use on the server. The setting is server-wide. Note that this broke iPhone iOS 7 and iOS 8 IMAP authentication for Mindwatering iPhones without using SSLCipherSpec.


Specific setups using the notes.ini parameters/variables:

Simple method that removes SSLv3 and TLS 1.0 and uses the default ciphers in the default order:
DISABLE_SSLV3=1
SSL_DISABLE_TLS_10=1


Traveler / iNotes / web sites with no XP support and no SSLv3:
SSLCipherSpec=9D9C3D3C352F3339676B9E9F
DISABLE_SSLV3=1


Ciphers with backwards-compatible Windows XP / IE support:
(TLS 1.0 allowed and no SSLv3, with the 3DES cipher (0A) added so that IE on XP can still connect. Will give you A-1 or B+ on the SSL Labs site.)
SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F
DISABLE_SSLV3=1


SMTP with TLS and STARTTLS, enabling fallback to non-TLS:
SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F
DISABLE_SSLV3=1
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
RouterFallbackNonTLS=1
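The SSLCipherSpec strings above are two hex digits per suite, in preference order, and each pair is the low byte of the IANA TLS cipher-suite number (0x009D is TLS_RSA_WITH_AES_256_GCM_SHA384, 0x000A is TLS_RSA_WITH_3DES_EDE_CBC_SHA, and so on). The script below is an added example written for this article, not IBM Domino code: it decodes a spec into suite names, parses a notes.ini fragment, and reports the resulting minimum protocol plus the points a reviewer would raise (3DES present, no DHE suite, SSLv2-compatible hello accepted, router fallback to cleartext). The cipher table covers only the thirteen IDs this article uses, so any other ID is reported as unknown rather than guessed; the PROFILES dictionary reproduces the four configurations listed above. Domino 9.0.1 as described here has no separate TLS 1.1 switch, so the minimum after disabling TLS 1.0 is reported as "TLS 1.1+".

```python
"""Decode Domino SSLCipherSpec strings and assess notes.ini TLS settings.

Added example for this article, not IBM/HCL code.
"""

# Low byte of the IANA cipher-suite id (0x00XX) -> suite name.
# Only the IDs used in the article's profiles are listed.
CIPHER_NAMES = {
    "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "67": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "6B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "9E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "9F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

# The article's four profiles, reproduced as notes.ini fragments.
PROFILES = {
    "Simple: no SSLv3, no TLS 1.0, default ciphers":
        "DISABLE_SSLV3=1\nSSL_DISABLE_TLS_10=1\n",
    "Traveler / iNotes / web, no XP support":
        "SSLCipherSpec=9D9C3D3C352F3339676B9E9F\nDISABLE_SSLV3=1\n",
    "Web with XP / IE support":
        "SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F\nDISABLE_SSLV3=1\n",
    "SMTP with STARTTLS and non-TLS fallback":
        "SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F\nDISABLE_SSLV3=1\n"
        "SSL_ENABLE_INSECURE_SSLV2_HELLO=1\nRouterFallbackNonTLS=1\n",
}


def decode_cipher_spec(spec):
    """Split an SSLCipherSpec value into an ordered list of suite names."""
    spec = spec.strip().upper()
    if len(spec) % 2 or not all(c in "0123456789ABCDEF" for c in spec):
        raise ValueError("SSLCipherSpec must be an even-length hex string")
    return [CIPHER_NAMES.get(spec[i:i + 2], "UNKNOWN_" + spec[i:i + 2])
            for i in range(0, len(spec), 2)]


def parse_notes_ini(text):
    """Return {KEY: value} for KEY=value lines; keys are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def assess(text):
    """Return (minimum protocol, suite names, findings) for a notes.ini fragment."""
    s = parse_notes_ini(text)
    findings = []
    if s.get("DISABLE_SSLV3") != "1":
        minimum = "SSLv3"
        findings.append("SSLv3 still enabled (set DISABLE_SSLV3=1)")
    elif s.get("SSL_DISABLE_TLS_10") != "1":
        minimum = "TLS 1.0"
    else:
        minimum = "TLS 1.1+"    # no TLS 1.1 switch is described for 9.0.1
    suites = decode_cipher_spec(s["SSLCIPHERSPEC"]) if s.get("SSLCIPHERSPEC") else []
    if suites:   # an absent spec means Domino's own (strongest) defaults
        if any("3DES" in n for n in suites):
            findings.append("3DES suite (0A) present: needed only for IE on XP, weak otherwise")
        if not any("DHE" in n for n in suites):
            findings.append("no DHE suite: no forward secrecy")
        if any(n.startswith("UNKNOWN_") for n in suites):
            findings.append("unrecognised cipher id in SSLCipherSpec")
    if s.get("SSL_ENABLE_INSECURE_SSLV2_HELLO") == "1":
        findings.append("SSLv2-compatible ClientHello accepted for legacy SMTP peers")
    if s.get("ROUTERFALLBACKNONTLS") == "1":
        findings.append("Router falls back to cleartext SMTP when TLS negotiation fails")
    return minimum, suites, findings


if __name__ == "__main__":
    for name, ini in PROFILES.items():
        minimum, suites, findings = assess(ini)
        print("== %s ==\n  minimum protocol: %s" % (name, minimum))
        for suite in suites:
            print("  suite   %s" % suite)
        for finding in findings:
            print("  finding %s" % finding)
```

Run it to print the decoded suite list and findings for each of the four profiles; point assess() at the contents of your own notes.ini to review a server's current settings. The SMTP profile intentionally trades security for deliverability (3DES, SSLv2-style hello, cleartext fallback), so expect it to produce the most findings.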

See the following IBM tech docs:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SSLCipherSpec
