Based on this article, I started thinking about how the fallout from the BEAST SSL/TLS vulnerability might affect me.
I wasn't ready for what I found.
As it turns out, as detailed in this IBM tech note, Domino's HTTP server has no support for TLS 1.0, TLS 1.1 or TLS 1.2. Within Domino, TLS is available only for SMTP (through STARTTLS) and SIP (for Sametime). All other Lotus Domino Internet protocols (HTTP, LDAP, POP3, IMAP) support only SSL, up to SSL 3.0.
So... As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server acting as a reverse proxy, so that the TLS connection from the browser terminates at the proxy rather than at Domino. This is much what you would have to do if you were looking to make Domino FIPS 140-2 compliant.
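Before committing to a proxy, it is worth confirming from the outside what a given server actually negotiates. The script below is an added example written for this post, not IBM's code or anything shipped with Domino: it drives openssl s_client through each protocol version and through RC4-only versus CBC-only cipher lists, parses the SSL-Session block of the output, and reports what was accepted. The host name and port on the command line and the two sample outputs used for the offline self-check are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): probe which SSL/TLS versions
# and which cipher families a server will negotiate, using openssl s_client.
# Usage: ./probe.sh domino.example.com 443   (host/port are assumptions)

# Pull one field ("Protocol  : SSLv3", "Cipher    : RC4-SHA") out of
# the SSL-Session block that s_client prints after a handshake attempt.
field() {
    # $1 = field name, $2 = s_client output
    printf '%s\n' "$2" | sed -n "s/^ *$1 *: *//p" | head -n 1
}

# A failed handshake still prints an SSL-Session block, but with
# "Cipher    : 0000" (or "(NONE)"), so decide on the cipher, not the protocol.
classify() {
    proto=$(field Protocol "$1")
    cipher=$(field Cipher "$1")
    case $cipher in
        ''|0000|'(NONE)') echo "refused" ;;
        *) echo "accepted ($proto, $cipher)" ;;
    esac
}

# Run one handshake against host:port with extra s_client options.
handshake() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null
}

# Does the local openssl build even know this option (e.g. -ssl3 is often
# compiled out)? Otherwise an empty result would look like a server refusal.
supported_locally() {
    openssl s_client -help 2>&1 | grep -q -- "$1"
}

# Which protocol versions does the server accept?
probe_versions() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if supported_locally "$flag"; then
            echo "$flag: $(classify "$(handshake "$1" "$2" "$flag")")"
        else
            echo "$flag: not supported by local openssl, cannot test"
        fi
    done
}

# Does the server still offer CBC ciphers (BEAST-relevant), or only RC4?
probe_ciphers() {
    for suites in RC4 'AES:3DES:DES'; do
        echo "-cipher $suites: $(classify "$(handshake "$1" "$2" -cipher "$suites")")"
    done
}

# Constructed sample outputs (assumptions, trimmed to the relevant lines) so the
# parsing can be checked without a network: one SSLv3/RC4 success, one failure.
SAMPLE_SSL3='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
---'
SAMPLE_FAIL='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---'

if [ "$#" -ge 1 ]; then
    probe_versions "$1" "${2:-443}"
    probe_ciphers "$1" "${2:-443}"
fi
```

A Domino HTTP server of the kind the tech note describes should show every -tls1* probe as refused and -ssl3 as accepted; once the reverse proxy is in front, the same script run against the proxy's address is the quickest way to confirm that the TLS versions you expect are the ones browsers will actually get.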
It appears you can also address the issue by only allowing SSL to use RC4 encryption ciphers (disable DES, triple DES, AES, etc.). See http://www-01.ibm.com/support/docview.wss?uid=swg21568229