Wednesday 21 September 2011

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me.

I wasn't ready for what I found.

As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server. Within Domino, TLS is only supported for SMTP (through STARTTLS) and SIP (for Sametime). All other Lotus Domino Internet-based protocols (HTTP, LDAP, POP3, IMAP) support SSL only up to version 3.0.

So... As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server acting as a reverse proxy, which terminates TLS in front of Domino. Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.
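To verify what a Domino HTTPS listener (or the reverse proxy in front of it) actually negotiates, here is an added example that is not part of the post or IBM's documentation. It builds the ClientHello record by hand because current TLS libraries no longer offer SSL 3.0 at all, then reads the ServerHello to report the accepted version and cipher suite; `probe`, `build_client_hello` and `parse_server_response` are names chosen for this example.

```python
import socket
import struct

# Protocol versions as (major, minor) on the wire.
VERSIONS = {"SSLv3": (3, 0), "TLS 1.0": (3, 1), "TLS 1.1": (3, 2), "TLS 1.2": (3, 3)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
# Cipher suites offered by the probe, including RC4-SHA (0x0005) to detect an RC4-only server.
CIPHER_NAMES = {0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA", 0x0005: "RC4-SHA"}

def build_client_hello(version, cipher_suites=tuple(CIPHER_NAMES)):
    """Minimal ClientHello record (no extensions) offering exactly `version`."""
    major, minor = version
    ciphers = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (bytes([major, minor])                 # client_version
            + b"\x00" * 32                        # random (constant is fine for a probe)
            + b"\x00"                             # session_id length 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                        # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """First record from the server: ('ServerHello', version, cipher) or ('Alert', description)."""
    if len(data) < 5:
        raise ValueError("short record")
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15:                          # Alert: level, description
        return ("Alert", payload[1] if len(payload) >= 2 else None)
    if content_type == 0x16 and payload and payload[0] == 0x02:   # Handshake: server_hello
        version = VERSION_NAMES.get((payload[4], payload[5]), "unknown")
        sid_len = payload[38]                         # after 2-byte version and 32-byte random
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return ("ServerHello", version, CIPHER_NAMES.get(suite, "0x%04X" % suite))
    raise ValueError("unexpected record type 0x%02x" % content_type)

def probe(host, port=443, timeout=5):
    """Offer each version in turn and report what the server answers for each."""
    results = {}
    for name, version in VERSIONS.items():
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            results[name] = parse_server_response(sock.recv(4096))
    return results
```

A server that returns a ServerHello only for the SSLv3 probe and a protocol_version alert (description 70) for the TLS ones is behaving exactly as the tech note describes.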


2 comments:

  1. [...] been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security [...]

  2. Rupert Clayton, 11 July 2012 at 17:39

    It appears you can also address the issue by only allowing SSL to use RC4 encryption ciphers (disable DES, triple DES, AES, etc.). See http://www-01.ibm.com/support/docview.wss?uid=swg21568229
