Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM

By Andrew Pollack on 09/17/2014 at 11:10 AM EDT

I haven't blogged about anything, much less an IBM Domino issue, in quite some time, but as Mooney pointed out today, this one is moving quickly toward being critical. Read the article, then call your IBM sales rep and start demanding they update to include SHA-2 SSL support immediately.

The only people who can get this done are big IBM Domino customers. Since this doesn't have a direct net positive effect on EPS (Earnings Per Share) for 2016, nothing is going to get done on it as long as they keep having the excuse that "our customers aren't telling us they need this".

Start telling them. Loudly. Repeatedly. If you're a large enough customer that you negotiate licensing, make it a condition of license renewal.

http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html



re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:37 AM EDT
Agreed. I'm not sure if they are technically hinged... Do you know if SHA-2 support also implies TLS 1.2 support?

Because we really need both, across all services (HTTP/SMTP/LDAP, etc.) AND across ALL platforms.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:43 AM EDT
According to TFA, it's not really an issue for TLS.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 11:50 AM EDT
I'm assuming TFA doesn't mean Teach for America; beyond that, I'm not sure.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Andrew Pollack on 09/17/2014 at 11:55 AM EDT
It's an old Slashdot expression referring to "The F(riendly) Article".

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 12:13 PM EDT
Ah. I read that article last week and did not remember that point.

That being said, we do need Domino's WHOLE TLS/SSL suite to be current, both SHA-2 and TLS 1.2.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Stephen Savard on 09/17/2014 at 02:07 PM EDT
I started with the ol' standby... I opened a support incident with Lotus. Let's see what they say.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Fredrik Malmborg on 09/17/2014 at 03:24 PM EDT
Yes, if they are serious about XPages and continued Domino development they should fix it yesterday.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/17/2014 at 05:21 PM EDT
So many other discussions about this, over time. IBM really needs to respond.
A sampling:
http://planetlotus.org/c27d79
http://planetlotus.org/c28ea9
http://planetlotus.org/c2841d
http://planetlotus.org/c2af15
http://planetlotus.org/c39b14
http://planetlotus.org/c2af24
http://www.ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument
http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/18/2014 at 12:00 AM EDT
You can delete that if you want... just seeing if it would display:

http://www.wiseman.la/web/cpwBlog.nsf/dx/Icebergsmall.jpg/$file/Icebergsmall.jpg

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By sean cull on 09/18/2014 at 03:12 AM EDT
Craig, did you think IBM had inserted code in Domino to stop any negative sentiment being displayed? :-)

On a more serious note, IMHO this decision by IBM totally undermines ALL of the good work that has gone into making Domino / XPages a viable application server for 80% of customers.

As a die-hard supporter of XPages this is making even me question their commitment to XPages - I am also wondering about their commitment to OpenNTF - http://www.intec.co.uk/end-of-an-era-for-openntf/

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Lars Berntrop-Bos on 09/18/2014 at 03:36 AM EDT
I also make it a point to bring it up in Q&A sessions. Like in the recent one about the Domino roadmap, published here:
http://www.youtube.com/watch?v=ACAIcesdeRA
It's discussed starting 1:04:50.
I personally think the response is still a bit too vague; one person mentioned this "potentially being an issue down the line". I think there is nothing potential about it.
I propose to keep at it, asking questions like: Given the move to more web-based apps, we need SHA-2 and TLS support to be able to serve secure web apps.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike McP on 09/19/2014 at 01:03 PM EDT
IBM simply does not care what customers want.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Vitor Pereira on 09/21/2014 at 04:51 PM EDT
"The only people who can get this done are big IBM Domino customers"

Unfortunately the big customers I know of do not implement SSL in Domino; they usually have reverse proxies (WebSeal or others) in front of their Domino servers. They don't care if Domino supports it or not.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Mike Wissinger on 09/22/2014 at 09:27 AM EDT
Ah, but they probably do use TLS between Domino and their anti-spam service, or SSL for LDAP to their Sametime server. They may even need to consume a web service from a remote provider over HTTPS. A reverse web proxy does nothing to help solve any of those problems, all of which require a valid certificate in the .kyr.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:43 AM EDT
Here's what I was trying to work out, and the TFA comment didn't really help:

http://tools.ietf.org/html/rfc5246#page-5

"The MD5/SHA-1 combination in the pseudorandom function (PRF) has been replaced with cipher-suite-specified PRFs. All cipher suites in this document use P_SHA256."

So, it seems that TLS 1.2 implies/requires SHA256 (or higher).
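The PRF change Craig quotes from RFC 5246, worked through as an added example (this is not code from the post, the commenters, or Domino): the TLS 1.0/1.1 PRF that splits the secret between MD5 and SHA-1, next to the TLS 1.2 PRF built entirely from HMAC-SHA-256, which is why a TLS 1.2 stack necessarily carries a SHA-2 implementation. The pre-master secret and randoms are constructed sample values.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246 section 5: chain HMACs until
    'length' bytes exist. A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): P_<hash>(secret, label + seed).
    Every cipher suite in RFC 5246 uses P_SHA256, so a TLS 1.2 stack must
    ship SHA-2 even if its certificates are still signed with SHA-1."""
    return p_hash(hash_name, secret, label + seed, length)

def tls11_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 4346 section 5), for contrast: split the secret
    in half, run P_MD5 over one half and P_SHA1 over the other, XOR the two.
    This is the 'MD5/SHA-1 combination' that TLS 1.2 replaced."""
    half = (len(secret) + 1) // 2  # an odd-length secret shares its middle byte
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def derive_master_secret(pre_master_secret, client_random, server_random, version=(3, 3)):
    """Master secret (RFC 5246 section 8.1): the first 48 bytes of
    PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random).
    version (3, 3) is TLS 1.2; (3, 1) and (3, 2) select the legacy PRF."""
    seed = client_random + server_random
    if version >= (3, 3):
        return tls12_prf(pre_master_secret, b"master secret", seed, 48)
    return tls11_prf(pre_master_secret, b"master secret", seed, 48)

# Constructed sample inputs, not taken from any real handshake.
SAMPLE_PMS = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for ver, name in (((3, 1), "TLS 1.0/1.1"), ((3, 3), "TLS 1.2")):
        ms = derive_master_secret(SAMPLE_PMS, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM, ver)
        print(name, "master secret:", ms.hex())
```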

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 09:45 AM EDT
Which means that just by keeping Domino's security stack reasonably close to modern, this SHA1 debacle WOULD NEVER HAVE COME UP.

Note: the TLS 1.2 RFC is from 2008, so I use the phrase "reasonably close to modern" loosely.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Don Mottolo on 09/23/2014 at 11:01 AM EDT
I contacted a product manager today and he says that they are well aware of the problem and will be responding soon. I stressed that our community needs to hear this as soon as possible.

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Craig Wiseman on 09/23/2014 at 11:03 AM EDT
Thank you Don!

re: IBM Domino Servers STILL don't support SSL SHA-2 Certificates - and it is about to be a PROBLEM
By Bill Malchisky on 09/24/2014 at 01:41 AM EDT
IBM was asked about this at both MWLUG and ICON UK. Their product management team is well aware of the matter.

IMHO, IBM needs to make a public statement of intent to fix with a time-line or plan at this point. As they are silent, the issue is snowballing, which is unfortunate on many levels, ultimately creating concern for their customers and partners. Sans communication, the issue will continue to grow in a negative manner for them.

To this point, I am working with IBM internally on this matter and documented quite thoroughly the many blog posts on this matter. Thanks to Craig, Andrew, Sean, Steve Pitcher, Darren, Ray, and Detlev for articulating the point with zeal.

