Lotus, Sound, and Life

BEAST in-the-middle

Tripp Black  April 30 2013 12:42:30 PM
Domino 8.x / 8.5.x and Domino 9 share two security issues.

They are vulnerable to the BEAST vulnerability.
In addition, to mitigate issues with the AES exploits, we all switched to RC4 last year.

However, the best that a Domino server can get is a "B" at:
https://www.ssllabs.com/ssltest/

A "B" won't pass a PII or PCI audit, which means companies are getting black eyes and penalty fees for not moving fast enough. Unfortunately, companies that rely on vendors such as IBM can only move as fast as IBM does.

The solution in Domino 9, which I learned about in the 9 Beta, is now here. Well, sort of. The solution is to put the most current Apache in front of Domino and use TLS 1.2 with GCM suites. Unfortunately, of the Domino distros, it appears this is currently ONLY possible on Windows, as the Linux install does NOT offer it as an option.

We don't use Windows. We are a Mac and Linux shop. The only MS Windows machines are a legacy SharePoint/FrontPage VM and 3 other VMs for running software that won't run on Mac or Ubuntu workstation (e.g. Domino Designer and VMware VSphere client).

The official answer from IBM is:

"The last word on the request at this time is that more customer requests need to pour in for attention to a configuration for Linux. Some of the coding needs are pretty deep in the overall configuration precluding a hotfix even at this point. SPR PPET96VFQQ."
Powell Pendergraft,
IBM Domino Web Server Support, iNotes, LDAP, DIIOP, and IBM SmartCloud Meetings
IBM Advanced Server Administration, Domino applications


In addition, there is NO documentation for this. Domino admins had just better know how to configure multiple domain names and SSL keys, along with the IP address for each SSL key. Now you have to be an Apache admin, too. (Which in Tripp's opinion is not bad.) But documentation would be nice, not to mention helpful.

This follows the last feedback from IBM a few months ago on the SPR:

"The SPR number for this Software Problem report is: #LMIL94ETBC. The APAR number is documented as: LO73694.
Our SPR team will triage the SPR through their normal channels and determine if this issue is to be fixed in a future release of Domino.
At this point in time, I believe I have utilized all escalation levels to assist you with trying to determine why your server is failing the BEAST vulnerability scans.

At this point in time, I am going to request we close this PMR. I am going to recommend reviewing any future SPR fix lists, which ship with every release of Domino, to determine if your SPR is fixed in any future releases of Domino.

I can also set the SPR so I am notified of any updates made to the SPR and can contact you back if the SPR is either resolved or closed."
-Lisa Michael,
IBM Software Support Team


Besides running a hot-fix in 8.5.x, you have to disable SSL renegotiation, which "is a crutch, not a fix":
https://community.qualys.com/blogs/securitylabs/2010/10/06/disabling-ssl-renegotiation-is-a-crutch-not-a-fix


Worse, since RC4 is now 50% or more of web server traffic, we now have the wonderful problem that the "best" (aka most common) RC4 suites have their own vulnerabilities.
To fix this, Domino users should go all the way from TLS 1.0 to 1.2 and switch to the newer GCM cipher suites:
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

So, what's the end note? Get Apache in front of Domino, do all of the web site and SSL configuration there, and get IBM to take the hit seriously.
They won't until we do, and we do because we are being hit with financial penalties by our PCI auditors.
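What that Apache front end looks like, as an added example that is not from the original post or from IBM's documentation: Apache 2.4 with mod_ssl, mod_proxy and mod_headers, built against OpenSSL 1.0.1 or later (needed for TLS 1.2 and GCM), terminating TLS and handing plain HTTP to Domino. The IP address, hostname, certificate paths and the Domino HTTP port (127.0.0.1:8080, SSL disabled on the Domino side) are assumptions to replace with your own.

```apache
# Added example, not the post's or IBM's configuration. Assumes Apache 2.4 against
# OpenSSL >= 1.0.1 and Domino HTTP (no SSL) listening on 127.0.0.1:8080.
Listen 443

# Last year's BEAST workaround, shown only for contrast. Do NOT use it:
#   SSLProtocol all -SSLv2
#   SSLCipherSuite RC4-SHA:HIGH:!aNULL:!MD5
# It sidestepped the CBC attack but depends on RC4, which is now broken itself.

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com

    SSLEngine on
    # TLS 1.2 only: the CBC suites in TLS 1.0/1.1 are the BEAST-affected ones.
    SSLProtocol -all +TLSv1.2
    # AEAD (GCM) suites only, ECDHE first for forward secrecy; RC4 and CBC are out.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!RC4:!MD5
    SSLHonorCipherOrder on
    # Secure renegotiation (RFC 5746) is the default, so the "disable renegotiation"
    # crutch is not needed here; leave the insecure legacy form off.
    SSLInsecureRenegotiation off
    SSLCompression off

    # One certificate/key pair per virtual host. A second site with its own key gets
    # its own <VirtualHost> block, on its own IP if its clients cannot do SNI.
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    SSLCertificateChainFile /etc/ssl/certs/example-chain.crt

    # Pass everything to Domino over loopback HTTP; Domino still sees the real Host.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Run `apachectl configtest` before reloading, then confirm the result with the SSL Labs test linked above or with `openssl s_client -connect www.example.com:443 -tls1_2`, which should negotiate one of the GCM suites and nothing else.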
