Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM

By Andrew Pollack on 09/17/2014 at 11:10 AM EDT

I haven't blogged about anything, much less an IBM Domino issue in quite some time, but as Mooney pointed out today, this one is moving quickly toward being critical. Read the article, then call your IBM sales rep and start demanding they update to include SHA-2 SSL support immediately.

The only people who can get this done are big IBM Domino customers. Since this doesn't have a direct net positive effect on EPS (Earnings Per Share) for 2016, nothing is going to get done on it as long as they keep having the excuse that "our customers aren't telling us they need this".

Start telling them. Loudly. Repeatedly. If you're a large enough customer that you negotiate licensing, make it a condition of license renewal.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html



re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:37 AM EDT
Agreed. I'm not sure if they are technically hinged... Do you know if SHA-2
support also implies TLS 1.2 support?

Because we really need both, across all services (HTTP/SMTP/LDAP, etc) AND
across ALL platforms.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:43 AM EDT
According to TFA, it's not really an issue for TLS.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:50 AM EDT
I'm assuming TFA doesn't mean Teach for America, beyond that, I'm not sure.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:55 AM EDT
It's an old slashdot expression referring to "The F(riendly) Article"

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 12:13 PM EDT
Ah. I read that article last week and did not remember that point.

That being said, we do need Domino's WHOLE TLS/SSL suite to be current, both
SHA-2 and TLS 1.2.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Stephen Savard on 09/17/2014 at 02:07 PM EDT
I started with the ol' standby... I opened a support incident with Lotus. Let's
see what they say.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Fredrik Malmborg on 09/17/2014 at 03:24 PM EDT
Yes if they are serious about XPages and continued Domino development they
should fix it yesterday.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 05:21 PM EDT
So many other discussions about this, over time. IBM really needs to respond.
A sampling:
http://planetlotus.org/c27d79
http://planetlotus.org/c28ea9
http://planetlotus.org/c2841d
http://planetlotus.org/c2af15
http://planetlotus.org/c39b14
http://planetlotus.org/c2af24
http://www.ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/18/2014 at 12:00 AM EDT
You can delete that if you want... just seeing if it would display:

http://www.wiseman.la/web/cpwBlog.nsf/dx/Icebergsmall.jpg/$file/Icebergsmall.jpg

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By sean cull on 09/18/2014 at 03:12 AM EDT
Craig, did you think IBM had inserted code in Domino to stop any negative
sentiment being displayed :-)

On a more serious note IMHO this decision by IBM totally undermines ALL of the
good work that has gone into making Domino / XPages a viable application server
for 80% of customers.

As a die hard supporter of XPages this is making even me question their
commitment to XPages - I am also wondering about their commitment to OpenNTF -
http://www.intec.co.uk/end-of-an-era-for-openntf/

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Lars Berntrop-Bos on 09/18/2014 at 03:36 AM EDT
I also make it a point to bring it up in Q&A sessions. Like in the recent one
about the Domino roadmap, published here:
http://www.youtube.com/watch?v=ACAIcesdeRA
It's discussed starting at 1:04:50.
I personally think the response is still a bit too vague; one person mentioned
this "potentially being an issue down the line". I think there is nothing
potential about it.
I propose to keep at it, asking questions like: Given the move to more web
based apps, we need SHA-2 and TLS support to be able to serve secure web apps.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike McP on 09/19/2014 at 01:03 PM EDT
IBM simply does not care what customers want.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Vitor Pereira on 09/21/2014 at 04:51 PM EDT
"The only people who can get this done are big IBM Domino customers"

Unfortunately the big customers I know of do not implement SSL in Domino; they
usually have reverse proxies (WebSeal or others) in front of their Domino
servers. They don't care if Domino supports it or not.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike Wissinger on 09/22/2014 at 09:27 AM EDT
Ah, but they probably do use TLS between Domino and their anti-spam service, or
SSL for LDAP to their Sametime server. They may even need to consume a web
service from a remote provider over HTTPS. A reverse web proxy does nothing to
help solve any of those problems, all of which require a valid certificate in
the .kyr.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:43 AM EDT
Here's what I was trying to work out, and the TFA comment didn't really help:

http://tools.ietf.org/html/rfc5246#page-5

"The MD5/SHA-1 combination in the pseudorandom function (PRF) has
been replaced with cipher-suite-specified PRFs. All cipher suites
in this document use P_SHA256."

so, it seems that TLS 1.2 implies/requires SHA256 (or higher)

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:45 AM EDT
Which means that just by keeping Domino's security stack reasonably close to
modern, this SHA1 debacle WOULD NEVER HAVE COME UP.

Note: the TLS 1.2 RFC is from 2008, so I use the phrase "reasonably close to
modern" loosely.
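To make the quoted RFC text concrete, here is the TLS 1.2 PRF from RFC 5246 section 5 (P_SHA256 over HMAC-SHA256) written out in Python, as an added example that is not part of the thread or of Domino's code; the pre-master secret and random values are constructed, not taken from any real handshake.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC_hash for the TLS 1.2 PRF, where hash is SHA-256."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 data-expansion function P_SHA256.

    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) + ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)), truncated to length.
    """
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac_sha256(secret, a)          # A(i)
        out += hmac_sha256(secret, a + seed)  # HMAC_hash(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed).

    TLS 1.0/1.1 split the secret and XORed P_MD5 with P_SHA1; every cipher
    suite defined in RFC 5246 uses P_SHA256 instead, so a TLS 1.2 stack
    necessarily carries a SHA-256 implementation.
    """
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master_secret from the pre-master secret."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample values, not from any real handshake.
    pms = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    print(derive_master_secret(pms, client_random, server_random).hex())
```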

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Don Mottolo on 09/23/2014 at 11:01 AM EDT
I contacted a product manager today and he says that they are well aware of the
problem and will be responding soon. I stressed that our community needs to
hear this as soon as possible.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 11:03 AM EDT
Thank you Don!

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Bill Malchisky on 09/24/2014 at 01:41 AM EDT
IBM was asked about this at both MWLUG and ICON UK. Their product management
team is well aware of the matter.

IMHO, IBM needs to make a public statement of intent to fix with a time-line or
plan at this point. As they are silent, the issue is snowballing, which is
unfortunate on many levels, ultimately creating concern for their customers and
partners. Sans communication, the issue will continue to grow in a negative
manner for them.

To this point, I am working with IBM internally on this matter and documented
quite thoroughly the many blog posts on this matter. Thanks to Craig, Andrew,
Sean, Steve Pitcher, Darren, Ray, and Detlev for articulating the point with
zeal.
