Dec 8, 2014 11:34 PM
3 Posts

POODLE vulnerability in some TLS stacks

  • Category: Security
  • Platform: All Platforms
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 9

Apparently the POODLE vulnerability can be adapted to attack some TLS stacks, up to TLS 1.2 [1].  My servers are running behind a reverse proxy, and are NOT vulnerable, but I was hoping someone who wasn't running a reverse procy could test their Domino with the SSL Labs tester [2].

 

[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

[2] https://www.ssllabs.com/ssltest/index.html

 

Dec 9, 2014 8:32 AM
87 Posts
Mine seems fine
I get dinged for SSL 3 and RC4 ciphers but otherwise SSLLabs gives me a B.

This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO =BB
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.  MORE INFO =BB
There is no support for secure renegotiation.  MORE INFO =BB
The server does not support Forward Secrecy with the ref= erence browsers.  MORE INFO =BB
This server supports TLS=5FFALLBACK=5FSCSV to prevent pr= otocol downgrade attacks.

Howard
Dec 10, 2014 6:00 AM
98 Posts
Re. RC4 ciphers
We chose to leave RC4 ciphers enabled, since otherwise we'd risk locking out too many wanted visitors. Anyway, even with RC4 enabled we are getting B -- with Domino hidden behind nginx as reverse proxy.
Dec 9, 2014 7:17 PM
36 Posts
IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack
Dec 9, 2014 7:25 PM
36 Posts
IHS that ships with Domino 9.0.1 is vulnerable to this TLS POODLE attack

Having moved to using IHS with our v9.0.1 FP2 IF1 server that runs Traveler I now find that IHS is vulnerable to the new POODLE / TLS attack - SSL labs gives it a Big FAIL. "This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. MORE INFO »

We needed to disable SSL3 completely to be compliant with our organisations security policy and now I find IHS is vulnerable. Hopefully IBM will release an IHS fix ASAP. 

 

Dec 9, 2014 7:32 PM
43 Posts
We are investigating. Should have more to report tomorrow <>
Dec 11, 2014 7:26 AM
5 Posts
Look here

in another thread this was reported to work:

 

http://www-01.ibm.com/support/docview.wss?uid=swg21692502

Workarounds and Mitigations

For all versions and releases of Apache based IBM HTTP server, IBM recommends enabling strict CBC padding enforcement. Add the following directive to the httpd.conf file to disable SSLv3 and SSLv2 for each context that contains "SSLEnable": 

# Enable strict CBC padding 
SSLAttributeSet 471 1

Dec 11, 2014 5:06 PM
36 Posts
It's a TLS issue not SSL

@Jeff - POODLE II is a TLS vulnerability. In my case have already disabled SSL2 and SSL3 via IHS DOMINO.CONF and SSL Labs reports us as a Fail due to the new TLS vulnerability. 

What we need is a patch for Domino IHS from IBM. 

Dec 12, 2014 4:55 PM
113 Posts
can you disable tls1.0 and 1.1 at IHS
Can you force TLS1.2 at the IHS proxy?

similar as how you disabled sslv2 and v3 in the .conf file
and also disable tls1.0 and tls1.1

SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv11