Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM

By Andrew Pollack on 09/17/2014 at 11:10 AM EDT

I haven't blogged about anything, much less an IBM Domino issue, in quite some time, but as Mooney pointed out today, this one is moving quickly toward being critical. Read the article, then call your IBM sales rep and start demanding they update to include SHA-2 SSL support immediately.

The only people who can get this done are big IBM Domino customers. Since this doesn't have a direct net positive effect on EPS (Earnings Per Share) for 2016, nothing is going to get done on it as long as they keep having the excuse that "our customers aren't telling us they need this".

Start telling them. Loudly. Repeatedly. If you're a large enough customer that you negotiate licensing, make it a condition of license renewal.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html



re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:37 AM EDT
Agreed. I'm not sure if they are technically hinged... Do you know if SHA-2 support also implies TLS 1.2 support?

Because we really need both, across all services (HTTP/SMTP/LDAP, etc.) AND across ALL platforms.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:43 AM EDT
According to TFA, it's not really an issue for TLS.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:50 AM EDT
I'm assuming TFA doesn't mean Teach for America; beyond that, I'm not sure.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:55 AM EDT
It's an old Slashdot expression referring to "The F(riendly) Article".
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 12:13 PM EDT
Ah. I read that article last week and did not remember that point.

That being said, we do need Domino's WHOLE TLS/SSL suite to be current, both SHA-2 and TLS 1.2.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Stephen Savard on 09/17/2014 at 02:07 PM EDT
I started with the ol' standby... I opened a support incident with Lotus. Let's see what they say.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Fredrik Malmborg on 09/17/2014 at 03:24 PM EDT
Yes, if they are serious about XPages and continued Domino development they should fix it yesterday.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 05:21 PM EDT
So many other discussions about this, over time. IBM really needs to respond. A sampling:
http://planetlotus.org/c27d79
http://planetlotus.org/c28ea9
http://planetlotus.org/c2841d
http://planetlotus.org/c2af15
http://planetlotus.org/c39b14
http://planetlotus.org/c2af24
http://www.ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/18/2014 at 12:00 AM EDT
You can delete that if you want... just seeing if it would display:

http://www.wiseman.la/web/cpwBlog.nsf/dx/Icebergsmall.jpg/$file/Icebergsmall.jpg
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By sean cull on 09/18/2014 at 03:12 AM EDT
Craig, did you think IBM had inserted code in Domino to stop any negative sentiment being displayed? :-)

On a more serious note, IMHO this decision by IBM totally undermines ALL of the good work that has gone into making Domino / XPages a viable application server for 80% of customers.

As a die-hard supporter of XPages, this is making even me question their commitment to XPages. I am also wondering about their commitment to OpenNTF:
http://www.intec.co.uk/end-of-an-era-for-openntf/
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Lars Berntrop-Bos on 09/18/2014 at 03:36 AM EDT
I also make it a point to bring it up in Q&A sessions, like in the recent one about the Domino roadmap, published here:
http://www.youtube.com/watch?v=ACAIcesdeRA
It's discussed starting at 1:04:50.
I personally think the response is still a bit too vague; one person mentioned this "potentially being an issue down the line". I think there is nothing potential about it.
I propose to keep at it, asking questions like: given the move to more web-based apps, we need SHA-2 and TLS support to be able to serve secure web apps.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike McP on 09/19/2014 at 01:03 PM EDT
IBM simply does not care what customers want.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Vitor Pereira on 09/21/2014 at 04:51 PM EDT
"The only people who can get this done are big IBM Domino customers"

Unfortunately the big customers I know of do not implement SSL in Domino; they usually have reverse proxies (WebSEAL or others) in front of their Domino servers. They don't care if Domino supports it or not.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike Wissinger on 09/22/2014 at 09:27 AM EDT
Ah, but they probably do use TLS between Domino and their anti-spam service, or SSL for LDAP to their Sametime server. They may even need to consume a web service from a remote provider over HTTPS. A reverse web proxy does nothing to help solve any of those problems, all of which require a valid certificate in the .kyr.
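The practical follow-up to Mike's point is an inventory: for every certificate a server presents or trusts (HTTPS, SMTP over TLS, LDAPS), find out which hash signed it and when it expires, because the Google sunset schedule linked in the post keys off both. The following is an added example, not code from the thread or from IBM: a small standard-library DER walker that reads the outer signatureAlgorithm and the validity period of an X.509 certificate and flags SHA-1 signatures that expire on or after 1 January 2016 (the earliest cut-off in that schedule; the constant SUNSET_CUTOFF is this example's own name). The sample certificates are constructed in the block and are structural placeholders only: no key, empty names, a dummy signature. The parser itself reads only fields every real DER certificate has, so the same code runs on output of ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))).

```python
import datetime

# signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
# Earliest notAfter at which Chrome's published sunset schedule flags a SHA-1 leaf.
SUNSET_CUTOFF = datetime.datetime(2016, 1, 1)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split the content of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def decode_oid(value):
    """OID content octets -> dotted string (first octet packs arcs 1 and 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 is 19YY, otherwise 20YY
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")


def inspect_certificate(der_bytes):
    """Return signature algorithm, expiry and sunset status of a DER certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)                # Certificate ::= SEQUENCE
    tbs, sig_alg, _signature = children(cert)[:3]      # tbsCertificate, signatureAlgorithm, signatureValue
    oid = decode_oid(children(sig_alg[1])[0][1])       # AlgorithmIdentifier.algorithm
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = children(fields[3][1])
    name = SIG_ALG_OIDS.get(oid, oid)
    expiry = decode_time(*not_after)
    return {
        "signature_algorithm": name,
        "not_after": expiry,
        "sha1_signed": name in SHA1_ALGS,
        "flagged_by_chrome_sunset": name in SHA1_ALGS and expiry >= SUNSET_CUTOFF,
    }


# ---- Constructed sample input: a certificate-shaped placeholder, not a real certificate.
def der(tag, content):
    """Encode one DER TLV, using the long length form above 127 octets."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid, not_after_utctime):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))               # version v3
                  + der(0x02, b"\x01")                          # serialNumber
                  + alg                                         # signature
                  + der(0x30, b"")                              # issuer (empty placeholder)
                  + der(0x30, der(0x17, b"140917000000Z") + der(0x17, not_after_utctime))
                  + der(0x30, b"") + der(0x30, b""))            # subject, SPKI placeholders
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))        # dummy signatureValue


if __name__ == "__main__":
    for oid, expiry in (("1.2.840.113549.1.1.5", b"170101000000Z"),
                        ("1.2.840.113549.1.1.11", b"170101000000Z")):
        print(inspect_certificate(make_sample_cert(oid, expiry)))
```

The outer signatureAlgorithm is the one that matters for the browser sunset: it is the hash the issuing CA used. A SHA-256 leaf under a SHA-1 intermediate still fails the check at the intermediate, so run the same inspection over every certificate in the chain, not just the leaf.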
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:43 AM EDT
Here's what I was trying to work out, and the TFA comment didn't really help:

http://tools.ietf.org/html/rfc5246#page-5

"The MD5/SHA-1 combination in the pseudorandom function (PRF) has been replaced with cipher-suite-specified PRFs. All cipher suites in this document use P_SHA256."

So, it seems that TLS 1.2 implies/requires SHA256 (or higher).
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:45 AM EDT
Which means that just by keeping Domino's security stack reasonably close to modern, this SHA1 debacle WOULD NEVER HAVE COME UP.

Note: the TLS 1.2 RFC is from 2008, so I use the phrase "reasonably close to modern" loosely.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Don Mottolo on 09/23/2014 at 11:01 AM EDT
I contacted a product manager today and he says that they are well aware of the problem and will be responding soon. I stressed that our community needs to hear this as soon as possible.
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 11:03 AM EDT
Thank you Don!
re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Bill Malchisky on 09/24/2014 at 01:41 AM EDT
IBM was asked about this at both MWLUG and ICON UK. Their product management team is well aware of the matter.

IMHO, IBM needs to make a public statement of intent to fix with a time-line or plan at this point. As they are silent, the issue is snowballing, which is unfortunate on many levels, ultimately creating concern for their customers and partners. Sans communication, the issue will continue to grow in a negative manner for them.

To this point, I am working with IBM internally on this matter and documented quite thoroughly the many blog posts on this matter. Thanks to Craig, Andrew, Sean, Steve Pitcher, Darren, Ray, and Detlev for articulating the point with zeal.

