Monday, 30 March 2015

Notes 9.0.1 FP3 IF3 - TLS 1.2

IBM Notes 9.0.1 Fix Pack 3 Interim Fix 3 brings TLS (Transport Layer Security) 1.2 (with protocols HTTP, SMTP, LDAP, POP3 & IMAP) including new ciphers.
NOTE: To fully protect the Notes client from the POODLE attack, IBM recommends upgrading to Notes 9.0.1 Fix Pack 3 which combines the JVM SR16FP2 update plus all fixes included in 9.0.1 Fix Pack 2 Interim Fixes.

Notes 901 FP3 IF3 - W32 Basic
Notes 901 FP3 IF3 - W32 Standard

Fix List for Notes 9.0.1 Fix Pack 3 Interim Fix 3:

Add pinning to SHA-256 for TLS 1.2
TLS 1.2 Notes / Domino as a TLS client rejects handshake with server if no common signature algorithm available
TLS 1.2 Client handshake request rejected by Server if server certificate chain signature type not supported by the client
Remove RC4-SHA from the default cipher list for TLS 1.2
Implement HSTS (HTTP Strict Transport Security). This header informs supported browsers that the site should only be accessed over an SSL-protected connection (HTTPS)
Add IP Information to HTTP Thread logs for SSL Handshake connections
Passing a directory to kyrtool will crash the tool
kyrtool import all sometimes reports "SECIssUpdateKeyringPrivateKey returned error 0x0720", "AVA separator not found" or "Syntax error in OID" when a '/' is in a certificate name part
Add more detailed logging for SSL/TLS connections to help diagnose failed connections
New notes.ini setting SSL_DISABLE_TLS_10 to support disabling TLS 1.0 for compliance reasons. Used in conjunction with the existing DISABLE_SSLV3=1, it allows you to limit communication to TLS 1.2 only for protocols: HTTP, SMTP, LDAP, POP3 & IMAP
Added SHA-256 cipher specs for increased security with TLS 1.2
Added Advanced Encryption Standard (AES) Galois/Counter Mode for increased security with TLS 1.2
Added Perfect Forward Secrecy (PFS) via Ephemeral Diffie-Hellman (DHE) cipher specs for SSL/TLS
Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP
Administrator Client Shows Wrong File Sizes of database with DAOS size>0 After Server Restart
Getting Error When Using Google calendar Feeds
[WINDOWS ONLY] - Additional Time Zone For Salvador & Buenos Aires Shows Incorrect Time
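
For the HSTS item in the fix list above, an added example (not part of the original post and not IBM code) that checks the `Strict-Transport-Security` header value a server returns once HSTS is enabled. The header grammar follows RFC 6797; the sample values are constructed and the 180-day minimum is an assumed local policy.

```python
import re

# Constructed sample header values (not captured from a real Domino server).
SAMPLES = {
    "good": "max-age=31536000; includeSubDomains",
    "quoted": 'Max-Age="17280000"',
    "short": "max-age=300",
    "disabled": "max-age=0",
    "missing": "includeSubDomains",
    "duplicate": "max-age=600; max-age=31536000",
}
MIN_MAX_AGE = 15552000  # assumption: policy floor of 180 days, in seconds

# directive = token [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(r'^([A-Za-z0-9!#$%&\'*+.^_`|~-]+)(?:\s*=\s*("?)([^";]*)\2)?$')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict keyed by lower-cased directive name, or None when the
    header is non-conforming: bad syntax, a repeated directive, or no
    numeric max-age."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:              # the grammar tolerates empty directives
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:     # each directive may appear only once
            return None
        directives[name] = m.group(3)
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None
    directives["max-age"] = int(age)
    return directives

def audit_hsts(value):
    """Classify a header value as 'invalid', 'disabled', 'weak' or 'ok'."""
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    if policy["max-age"] == 0:     # max-age=0 makes the browser drop the policy
        return "disabled"
    return "ok" if policy["max-age"] >= MIN_MAX_AGE else "weak"

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:10} {audit_hsts(header):9} {header}")
```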

Link: Interim Fixes for 9.0.1.x versions of IBM Notes, Domino, iNotes & Notes Browser Plug-in

Recommended links:
First Perfect Forward Secrecy Ciphers shipped with 9.0.1 FP3 IF2 by Daniel Nashed
Domino 9.0.1 FP3 IF3 is about to ship by Daniel Nashed
Engage conference security presentation by Daniel Nashed
New Version of KyrTool released by Daniel Nashed
TLS 1.2 in Domino and the settings I use by Darren Duke
New Start Script Version 3.0 with systemd support released by Daniel Nashed
