Skip to main content

How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino

I've been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security researchers Juliano Rizzo and Thai Duong demonstrated at the ekoparty security conference in Buenos Aires on Friday.

The session at ekoparty revealed the technical details about how the exploit works and the vulnerability it exploits.   The vulnerability has been known for quite a while.

The vulnerability affects SSL/TLS ciphers that use the Cipher Block Chaining (CBC) mode. These include the popular AES and Triple-DES encryption methods.  The easiest way to mitigate the vulnerablity is to switch to an encryption algorithm that doesn't use CBC, like those based on the RC4 stream cipher.

Interestingly enough, Google websites don't use CBC based encryption.  They use the RC4 encryption cipher instead.


Domino Server BEAST Mitigation - With Internet Site Documents

  1. In the Domino Administrator Client, open the 'Configuration' tab and expand 'Web' and 'Internet Sites'.

  2. Open the Internet Site Document for the server.

  3. Click on the 'Security' tab.

  4. Under 'SSL Options' section, change the 'Protocol Version' to 'V3.0 only'.

  5. Under the 'SSL Security' section, modify the list of SSL ciphers so that only the following ciphers are selected:

    1. RC4 encryption with 128-bit key and MD5 MAC

    2. RC4 encryption with 128-bit key and SHA-1 MAC

    3. RC4 encryption with 40-bit key and MD5 MAC

  6. Save the Internet Site Document.

  7. Restart the HTTP task.

Domino Server BEAST Mitigation - Without Internet Site Documents

There does not seem to be a way to specify the SSL protocol version for Domino without using Internet Sites.   There is a SSL Protocol Version field on the server document, however it states that it does not apply to the HTTP task.

With that said, I look forward to the day that there is TLS support for Lotus Domino.   (And data-at-rest encryption that is stronger than RC4, but that's for another day.)


  1. thank you very much for this, i will being turning this on, on a clients site tonight


Post a Comment

Popular posts from this blog

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence , which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on the Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control

Error 217 - Error creating product object on Domino 64 bit

I'd like to share something with you.   An error that you'll get if you are trying to use ODBC with Domino 8.5.1 64bit. It starts out with an agent error of Error 217.  The text of the error is "Error creating product object" You can read about it here on the Notes/Domino forum . You can find the solution here as well . I guess I'm now waiting for Domino 8.5.2 for a solution for this.   It would have been nice to have had this in the release notes.  It would have help me greatly.

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.