Wednesday, 21 September 2011

IBM Lotus Domino and the SSL/TLS known vulnerability

Based on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect me.

I wasn't ready for what I found.

As it turns out, as detailed in this IBM tech note, there is no support for TLS 1.0, TLS 1.1 or TLS 1.2 for Domino's HTTP server. Within Domino, TLS is only supported for SMTP (through STARTTLS) and SIP (for Sametime). All other Lotus Domino Internet-based protocols (HTTP, LDAP, POP3, IMAP) support SSL only up to version 3.0.

So... As for a plan, it looks like you can probably put your Domino servers behind a WebSphere Edge Server doing reverse proxy, so the TLS connection terminates at the proxy. Much like you would have to do if you were looking to make Domino FIPS 140-2 compliant.
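As an added check that is not part of the original post (and not IBM's or Domino's code): a small probe that sends a bare ClientHello at a chosen SSL/TLS version and reports whether the endpoint answers with a ServerHello (and at which version) or with an alert. It is useful for confirming what a Domino HTTP port, or the reverse proxy placed in front of it, actually negotiates; the hostname in the usage block is a placeholder.

```python
"""Probe which SSL/TLS versions an HTTPS endpoint negotiates (added example)."""
import socket
import struct

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # common refusal reasons


def build_client_hello(version):
    """Build one TLS record carrying a minimal ClientHello for (major, minor)."""
    major, minor = version
    # Three cipher suites a 2011-era server would recognise: AES128-SHA, 3DES-SHA, RC4-SHA
    cipher_suites = b"\x00\x2f\x00\x0a\x00\x05"
    body = (bytes([major, minor]) + b"\x00" * 32          # client_version, random (constructed zeros)
            + b"\x00"                                     # session_id length 0
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                                # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """('negotiated', version) for a ServerHello, ('refused', alert) for an alert record."""
    if len(data) < 5:
        return ("unknown", None)
    content_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:                 # alert record
        return ("refused", ALERTS.get(payload[1], str(payload[1])))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        negotiated = (payload[4], payload[5])                       # server_version follows 3-byte length
        return ("negotiated", NAMES.get(negotiated, str(negotiated)))
    return ("unknown", None)


def probe(host, port, version, timeout=5.0):
    """Send a ClientHello at `version` and classify the first record that comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            return classify_reply(sock.recv(4096))
    except (socket.timeout, ConnectionError):
        return ("refused", "connection closed or timed out")   # servers often just drop unsupported versions


if __name__ == "__main__":
    for name, ver in VERSIONS.items():          # hostname is a placeholder, not a real server
        print(name, probe("domino.example.invalid", 443, ver))
```

A server that answers a TLSv1.0 hello with a ServerHello marked SSLv3 has downgraded rather than refused, which is exactly the Domino behaviour the tech note describes.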