Aug 21, 2014 4:19 PM
24 Posts

Recent interest in TLS SHA-2 certificates

  • Category: Security
  • Platform: All Platforms
  • Release: 9.0.1,9.0
  • Role: Administrator
  • Tags: Certificate,security,SSL,web
  • Replies: 62
IBM Domino support has received several questions and PMRs recently regarding SHA-2 support within Domino. SHA-2 is currently supported with X.509 certificates for S/MIME in the Domino environment.
At this time, the Domino kyr file does not provide native support for SHA-2 certificates for protocols such as LDAPS, HTTPS, DIIOPS, etc.

We are aware that Certificate Authorities are no longer offering SHA1 certs by default, and many browsers will soon deprecate their trust of SHA1.

For HTTP requests (on the Windows server platform), we currently recommend using the IHS proxy server, available starting with Domino 9.0:
*Link to presentation on Implementing TLS support with IBM Domino 9.x and IBM HTTP Server (IHS)
*Link to IHS reference: http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html

At this time, the request to provide full native support for SHA-2 is currently under investigation by the Domino Development team:

Enhancement Request Number: ABAI7SASE6
Technote reference: http://www-01.ibm.com/support/docview.wss?uid=swg21418982
APAR reference: http://www-01.ibm.com/support/docview.wss?uid=swg1LO48388

If you also desire this functionality in your environment, we encourage you to open a PMR and add your company to the enhancement request. This alerts our development team to the continued interest in this feature; it is not a guarantee of a solution or fix, just an inclusion in this existing enhancement request so the feature can be considered for a future release.
Aug 22, 2014 9:34 AM
1 Posts
Must-have

SHA-2 should have been already implemented!

Adding my company to the enhancement request is done.

Hopefully SHA-2 and modern cipher-suites will now be implemented quickly.

Aug 22, 2014 9:45 AM
79 Posts
*I can't open a PMR but I want native SHA2 support in Domino!
Aug 22, 2014 12:52 PM
24 Posts
Thank you, understood
Thank you, Steve.  Yes, I did read your article earlier this week.

I did note in my post that the IBM HTTP server is only for Windows OS, and it has a pretty specific role that does not apply to any other protocol besides http.

We will always do our best to stay ahead of the curve, and security features are an especially important area, in my opinion.
Aug 22, 2014 12:47 PM
95 Posts
This is overdue IMO. I can't open a PMR, unfortunately.
Aug 22, 2014 1:02 PM
24 Posts
I will work on finding a way to add your request + others' who cannot create PMRs at this ...
Aug 22, 2014 6:20 PM
1 Posts
Must Have Requirements

Amy

SHA-2 should have already been implemented a long time ago. IBM is behind and gives competitors ammunition.

We need this implemented for Linux and other platforms now. We do not use Windows, nor do our customers. The process should be simple and easy for customers and partners to implement. If Domino is going to be a viable solution for our customers, this clearly needs to be fixed soon, and make sure that the XWork version has this implemented at the same time. Windows is not a viable option for ISVs like myself.

I tried opening a PMR but the process was too laborious.

Aug 22, 2014 8:00 PM
24 Posts
Thank you for your feedback
Thank you.  I agree.  We are working on a way to post additional reports to our Enhancement request, one for each person that posts here and cannot create a PMR at this time. Thank you for your patience.
Aug 23, 2014 5:44 AM
5 Posts
Please add SHA-2 support

Unfortunately, I am unable to open a PMR.

Please add this feature as a high-priority item on behalf of my company and all my Domino customers.

Thank you.

ABdata, Andy Brunner

Aug 25, 2014 3:49 AM
2 Posts
Must have! PMR created, we need more than SHA-2

The support for SHA-2 in the Domino security core is the most important security feature request. However, we need a refresh of the security core. There are some more missing security algorithms and features:

Support for TLS 1.2, (Perfect) Forward Secrecy and SHA-3?

As you mentioned we do not need a proxy solution (like IHS) or a single solution for one feature (like SHA-2 for S/MIME), we need those features in the native Domino security core for LDAPS, SMTPS, HTTPS, DIIOPS, POP3S, IMAPS, S/MIME…

btw: Google has announced to phase out SHA-1 in Chrome

Aug 25, 2014 8:01 AM
1 Posts
Agree. This is a must have

IHS is not an option that many of my customers will accept.

Aug 25, 2014 11:42 AM
2 Posts
Agree w/ Others

Long overdue - needs to be baked into the product. Many customers asking for it.

Aug 25, 2014 11:53 AM
6 Posts
Re: Recent interest in TLS SHA-2 certificates

I definitely agree that this is fairly crucial if Domino is intended to be a modern product. The HTTP part isn't so important, since reverse proxies are a better setup anyway, but it's vital for those other protocols. Using anything less than the maximum available security options is necessarily insecure, so it makes Domino a poor choice for IMAP/SMTP/LDAP+SSL, protocols where proxying is usually a larger hassle and less advantageous.

Aug 25, 2014 12:05 PM
2 Posts
Must Have

I'm a customer but I've no idea how to open a PMR.  We need this feature added please.  One of the whole reasons to use Domino is for SECURITY.

David Leedy

Aug 25, 2014 12:45 PM
5 Posts
Agree, Domino needs modern TLS across ALL protocols

IBM customer. 

Domino needs proper, modern TLS support across all protocols, including SMTP, LDAP, HTTP, POP, IMAP, etc.

What kind of shocks me is that there's any discussion about making this happen. If I had a product in this situation, the only meetings I'd be having is about WHEN the enhancements will be finished. IBM is all about security, except... when it isn't?

And, please... let's not hear anyone at IBM say, "We've not heard that our customers want this."

http://ideajam.net/IdeaJam/P/ij.nsf/0/342557C4307F678D86257833004C527F?OpenDocument

Aug 25, 2014 12:53 PM
4 Posts
PMR will be opened

We will be opening a PMR soon on this issue for our group. The latest SSL support is a requirement. I worry there is a problem with Domino because this requirement should not need customers begging for a solution.

Aug 26, 2014 11:25 AM
3 Posts
PMR opened last week

The 2010 R7 APAR summary is "The problem will be fixed in the next release of the product." Setting up another HTTP server is not a real solution to this problem. Every time I see this issue I get spun up again, having dealt with the nonsense of ikeyman and XP earlier this year. This is all the proof someone needs that Domino is a dead end at IBM.

Amy, what is the number of customers tied to this enhancement request, and what is the average number of customers tied to a Domino enhancement request? I'm curious where this particular PMR ranks in the list of recent Domino requests (let's say last 3 years) from customers.

Aug 27, 2014 11:32 AM
6 Posts
How heavy is considered overweight?

An IBMer posted this in a LinkedIn group.

"The 2009 created SPR has already a weight of 3000+ (never seen such value in 15 years), usually above 200 a SPR gets attention."

I'm wondering how much more feedback is required to get this fix implemented?

Aug 28, 2014 3:39 AM
1 Posts
Please add SHA-2 native support

It's a shame that IBM hasn't addressed this issue sooner.

It gives the competition some very "cheap" arguments for getting rid of Domino and Domino based solutions due to less secure (incompatible) TLS/HTTPS. Something that could have easily been prevented a long time ago.

So, please add full native SHA-2 support in Domino. Without having to "mess" with a proxy server!

I can't open a PMR on this, so please add me to the list.

Thanks in advance.

Aug 28, 2014 9:38 AM
3 Posts
Thanks Steve

/Steve: Thanks. That's exactly what I was looking for. I just wanted a barometer for where this fell on the change request list.

I really don't see any valid arguments against this, other than that IBM has internally stopped active development on Domino's core functionality. When customers and partners ask for a security feature for years, it needs to be addressed. Even if IBM feels strongly that it isn't needed (which Amy doesn't indicate), you basically say "this is what the people who fund my company want, this is what they will get". Instead, we got Quickr, Symphony, DB2 for Domino, etc. :(

Aug 28, 2014 10:59 AM
7 Posts
It's a must have!

Hi

We need this functionality too. A few months ago we implemented SHA-2 certificates in kyr files in the same way as described by Steve Pitcher, but with a little bad feeling in the stomach knowing that it is not officially supported by IBM.

The "new IHS solution" is not an option (as already mentioned above); we need a native implementation. Considering that we are already using SHA-2 certificates in kyr files without any problem and the only real problem seems to be that the "Server Certificate Admin" (certsrv.nsf) does not support its implementation in a kyr file, I honestly think it should not be a big deal to implement this native SHA-2 enhancement in Domino. And please consider also SHA-3!

PMR already opened ;-)

Thanks

Cristian Abate

Sep 4, 2014 11:34 AM
7 Posts
PMR opened

Should be no discussion :(

Sep 4, 2014 8:09 PM
7 Posts
YES YES YES for SHA-2 support

SHA-2 is IMPORTANT TO ALL OF US!!!

Sep 5, 2014 4:04 AM
7 Posts
Further info

According to GoDaddy.com, new certificates with expiration dates after January 1, 2017, can only use SHA-2. Code-signing certificates with expiration dates after December 31, 2015, must also use SHA-2. Microsoft is driving all public Certificate Authorities toward adoption of SHA-2 as their default hash function, so whoever you use for SSL certificates will be affected.

Sep 8, 2014 2:08 PM
1 Posts
Chrome dropping support

I've started looking at this again because Chrome is now going to be dropping support for SHA-1 certificates (see here)

This is going to start throwing up warnings and errors for existing Domino SSL sites starting in a few weeks (Chrome 39), with stronger warnings for later Chrome versions and as people start renewing their certificates.

For those of us running Domino on Linux it looks like we're going to be left behind. There will soon be no supported method for running SSL sites that will work with all browsers.

As above, it's hard to understand why this hasn't been implemented yet. It does look like Domino is effectively being abandoned by IBM, with just basic sticking plaster workarounds for big problems like this.

Sep 10, 2014 9:43 AM
9 Posts
TLS SHA-2 certificates

Definitely a must for our environment going forward. We use https with keys from GlobalSign.

Amy please add us to the PMR request.

Murray Croft

Oakmont Limited

Sep 10, 2014 10:34 AM
18 Posts
PMR opened

IBM, please do take this into account. Thanks.

Sep 10, 2014 10:40 AM
3 Posts
We must have this support in Domino Now

I work with multiple customers.  I can't open PMRs for all of them, but will for the ones I can (I love jumping through hoops for something like this that IBM obviously needs to do).  I started submitting this issue at the Connect 2014 conference to the developers.

It is not practical to implement the IBM HTTP server because the Domino Server Certification application can't handle SHA2 certs.

Don't make your customers jump through all these hoops if you can update the Cert Server app and/or add the enhancement to the Domino HTTP server.

It has been quite fast and easy to configure SSL for HTTP on Domino until recently, when the major providers of certificates have forced us to SHA-2 certs. GoDaddy stopped issuing them over a year ago. I had to beg them to temporarily issue me a SHA1 cert. Now that will expire.

The majority of my customers run Domino on the superior OS: Linux

Do it now please and release it in an Interim Fix asap.

Sep 10, 2014 12:39 PM
2 Posts
And on behalf of the companies I represent...

I will log another PMR. It's what I'm good at.

Sep 10, 2014 3:53 PM
18 Posts
this is a long standing issue already

The supported cipher suites and key lengths (and the user interfaces, too ...) of server key rings have been behind the competition already for many years.

For the record: on last Lotusphere (Connect 2014) I asked in the "Ask the Developers" session if the key lengths and supported cipher suites (not only of the Domino server as a "client" of a CA but also in the CA included with Domino) could be updated to match current industry standards ... my impression of the reaction of the developers present on stage was that nobody of them had thought about this for years ...

Please give the developers responsible for that product area ENOUGH time to update these parts of the Domino product both correctly and completely!

Sep 17, 2014 3:28 PM
113 Posts
sha1 and chrome
IBM Support is seeing increased interest in SHA2 support in Domino as Chrome announced it will soon begin sunsetting support for SHA-1
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html



However, after reviewing the post below, it appears most traffic will continue to be encrypted and secured even after Chrome 39;
users connecting to HTTPS over SHA-1 will receive a small visual warning:
Lock with a yellow triangle, indicating the site is secure, but with minor errors

...as long as the site's certificate doesn't try to expire after 2017

http://www.symantec.com/connect/blogs/sha1-certificate-shown-insecure-or-mix-content-warning-google-chrome-39
Sep 19, 2014 4:35 AM
8 Posts
overdue

This is a must have feature and long overdue. Please implement it ASAP.

Sep 21, 2014 8:24 AM
23 Posts
All of our Domino SMB/ENT Customers under Linux having the same problem and most of them a...
Sep 22, 2014 3:00 PM
5 Posts
What we have here, is failure to communicate

It's one thing to have an issue, it's another to utterly fail on communicating the status of the issue.

It's nice that we were asked our thoughts on this point, but it would be appropriate to have a response, update, or some such from IBM here.

Thanks!

cpw...

Sep 25, 2014 4:39 AM
1 Posts
More people needing SHA-2 now...

Just to add yet another one to the list I have customers asking why they can't import their renewed certificates as they are being issued only in SHA-2 format unless specifically requested and then only short expiring SHA-1 certificates are being issued.

So before we have to go around and implement unwanted reverse proxy or IHS servers in front of all customer Domino systems so that they can continue to use SSL, please just support current SSL certificates like has been promised since "fixed in next release" for 7.0.1. The thing is, here we have customers using Domino from 2 users like ourselves, through small businesses with 10-100 users with the Domino HTTP stack with SSL in use, and then large customers and parts of global corporations with 1000's of users.

Have logged a service request for all the good that will do...

Steve

Oct 6, 2014 9:15 AM
226 Posts
Indeed...

I just received a reply from my PMR re: current certificates expiring soon, and need support for our iSeries web server.

The reply I received was: 

<quote>

Related to this issue we have an answer from our colleagues from Level 2 that even the future version 10 does not have the support for it yet - and there is an enhancement request even for that version. The enhancement request for SHA-2 is the most needed one in Domino history. The more customers are requesting it, the more chance there is that IBM will put time and money into fixing it. We added your PMR to this very long list. The software problem report number is SPR # ABAI7SASE6 and APAR #LO46492.

</quote>

It sounds like they haven't even committed to supporting SHA-2, let alone putting anyone to work writing any code.

Oct 12, 2014 8:07 AM
23 Posts
What about Domino 9.x and HTTP Server on Linux Platform?
Oct 13, 2014 9:24 AM
113 Posts
IHS modules shipped with Domino 9 are only supported on Windows
Dev continues to investigate the options we have to best address SHA2 support for Domino internet protocols.
However, at this time the IHS modules shipped with Domino 9 are only supported on Windows:
http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/caa25dc9fd95076b85257b19005b3894?OpenDocument&Highlight=0,Installing,the,IBM,HTTP,server,module,to,support,TLS

If you have a proxy that provides TLS, you are more than welcome to set that up in front of your Linux-based Domino server.


Title: Is the Domino Web Server SSL engine FIPS 140-2 compliant?
Doc #: 1237209
URL: http://www.ibm.com/support/docview.wss?uid=swg21237209


Oct 14, 2014 12:34 AM
1 Posts
Can Not log PMR about SHA-2

Could you please put me down as one of the many who need this function?

I just simply cannot believe it is not supported natively by IBM.

Very disappointed.

Oct 14, 2014 2:21 PM
6 Posts
nginx

Jochen, Nginx sounds like a great HTTP solution but it does not address any of the other Domino services that rely on SSL.

Oct 15, 2014 4:38 PM
95 Posts
As Christoph wrote, nginx does more than just http. Nevertheless...
I completely agree with you that this is nothing but a work-around. It is crystal clear that IBM must urgently take action to resolve this miserable situation. Imagine: Domino, which used to be a premium choice for providing secure internet services, is slowly but surely becoming a laughing stock...
Oct 15, 2014 1:15 PM
6 Posts
nginx

Christoph, thanks for the additional info but it doesn't solve everything. I'd appreciate it if we had a supported solution from IBM rather than rolling our own proxy solutions.

Going to nginx reinforces the lack of attention, unacceptable situation and overall sorry state of where Domino HTTPS is right now.

Oct 15, 2014 2:39 PM
32 Posts
Sure

Hi Steve,

you're right and I'm with you. We need a solution from IBM. Not an IHS plugin which only works on Windows; we need security on all protocols and all OS.

The information was only a tip or workaround, and to clarify the complete functionality of nginx.

Regards

Christoph

Oct 16, 2014 3:58 AM
23 Posts
All the Domino Servers we have implemented is on Linux, most of it an up-gradation. It is ...
Oct 16, 2014 6:16 AM
3 Posts
Tip: How do i scare my customers?

"At this time, the request to provide full native support for SHA-2 is currently under investigation by the Domino Development team"

Sorry, but this is a joke. SHA-1 is ~20 years old, SHA-2 already over 10 years... TLS is also ~15 years old.

The statement that the implementation of a 15-year-old security feature is "under investigation" is quite simply intolerable.

Should I tell our customers that stone age technology will only be available in the future and they have to buy new licenses too?

This really is a joke. A bad joke.

Oct 16, 2014 8:42 AM
12 Posts
Recent interest in SHA-2 certificates

I guess in the context of Poodle TLS not SHA-2 is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP.
http://www.infoware.com/?p=1592
TLS is NOT SOLVED by this only SHA-2.
Regards
Mats

Oct 17, 2014 5:21 AM
1 Posts
HELP!

Hi,

Yesterday, we lost one customer as their IT department restricted the use of SSLv3 connections on their network, and within a few weeks we will probably lose 60% of our users as Firefox and Chrome plan to withdraw SSLv3 support as well. IBM, we need TLS 1.x really fast! We have several Quickr solutions on Domino 8.1 and Domino 8.5.3. Installing a front-end web server is not feasible for us!

Thanks

Anton

Oct 20, 2014 9:57 AM
8 Posts
Sad and ridiculous

As if the Domino platform doesn't have enough perception problems, the one thing that people always considered it to be good at was security. It was the first widely deployed product to implement public/private key encryption. The fact that we are now in a situation with the POODLE exploit not to mention the horror of getting SHA1 certificates for our servers is disgraceful. I am embarrassed every time I have to tell a company's security team this. Please get a fix out ASAP and make sure it is back ported to at least 8.5.x

Oct 20, 2014 9:53 PM
2 Posts
SHA-2 and POODLE

The Aug post above gave links to the SPR on SHA-2. However, it's now more critical as Chrome is planning to make our SSL v3 sites w/SHA-1 display with a security warning. This basically makes it like we run self-certs.

There has been a SPR on SHA-1 needing upgrade to SHA-2 for quite some time:

SPR # ABAI7SASE6 (APAR LO48388) 

Now, Red Hat and the other vendors are advising to dump SSL v3 completely and run TLS 1.2 latest on their httpd service. With IHS being Windows only, there is no good option for Linux Domino admins, especially if they run multiple domains w/ multiple SSL certs (IPs); the reverse proxy gets really complicated.

I followed the instructions for making the SHA-2 request using OpenSSL and then converting the keys via new GSKit (ikeyman) and then using old ikeyman to convert to kyr (keyring files). It worked to give Domino SHA-2 support, but it still failed the SHA-1 test at Qualys because evidently the Domino server still can talk SHA-1 with a SHA-2 set of keys. If I look at the cert in Firefox, the SHA-2 key does still have a SHA-1 hash it presents for both an Apache server and a Domino server, except the Apache server forces only TLS via Apache certificate limitations, and Domino is still vulnerable because it still accepts the SHA-1. So for me the work-around didn't block SHA-1, which is my regulatory requirement. Only a proxy works, and that is complicated in 2 of my set-ups with multiple domains and multiple SSL IPs on the Domino servers.

Bypassing Domino keyring Cert database link of steps we used: http://mindwatering.com/SupportRef.nsf/webpg/310E670B524BEF3985257D7800824F84

Adapt these instructions using the Apache part, but using the certificate / keyring creation of the link above: http://mindwatering.com/SupportRef.nsf/webpg/A9B5147B1A1B7F2D85257D78006709C1
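The two checks this thread keeps coming back to, which signature algorithm a server's certificate actually carries (the Qualys result in the post above) and whether a SHA-1 certificate falls under the Chrome 39 rule quoted in the Sep 17 post, can both be run locally against a certificate file. The Python script below is an added example, not code from this thread, from IBM or from any of the posters: it walks the certificate's DER structure to read the outer signatureAlgorithm OID and the notAfter date, flags SHA-1 based signatures, and applies the 1 January 2017 cut-off Chromium announced for Chrome 39. It inspects the signatureAlgorithm field, not the SHA-1 fingerprint a browser shows in its certificate dialog (that fingerprint is a hash of the whole certificate and says nothing about how it was signed). The sample certificate bytes are constructed inside the block (a valid DER skeleton with no real key or signature), and the OID table, `load_pem`, `chrome39_warns` and `build_sample_certificate` are this example's own names.

```python
"""Added example (not code from this thread or from IBM): read the signatureAlgorithm
and notAfter fields out of a DER-encoded X.509 certificate with no third-party library.
The sample certificate bytes built below are CONSTRUCTED: a DER skeleton, no real key/signature."""
import base64
from datetime import datetime

# Signature algorithm OIDs (RFC 3279 / RFC 5758); this table is the example's own
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
# Chrome 39 rule cited in the thread: SHA-1 signed leaf certs expiring on/after this date get a warning
CHROME39_CUTOFF = datetime(2017, 1, 1)


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 pivot: 50-99 -> 19xx) or GeneralizedTime -> datetime."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]), int(rest[6:8]), int(rest[8:10]))

def inspect_certificate(der):
    """Return the outer signatureAlgorithm name, notAfter, and whether it is SHA-1 based."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs, sig_alg, _sig_value = der_children(body)[:3]      # Certificate ::= SEQUENCE {tbs, alg, sig}
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    name = SIG_ALG_NAMES.get(oid, oid)
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version is optional; skip it if present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = der_children(fields[3][1])
    return {"signature_algorithm": name, "not_after": parse_time(*not_after), "weak": name in WEAK_SIG_ALGS}

def chrome39_warns(info):
    """True when a SHA-1 signed certificate runs past the Chrome 39 cut-off quoted in the thread."""
    return info["weak"] and info["not_after"] >= CHROME39_CUTOFF

def load_pem(text):
    """Strip the PEM armour lines and return the DER bytes."""
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

# --- constructed sample: builds a certificate skeleton (short-form DER lengths only) ---
def der_wrap(tag, body):
    assert len(body) < 0x80, "sample builder only handles short-form lengths"
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_wrap(0x06, body)

def build_sample_certificate(sig_oid, not_after_utctime):
    alg = der_wrap(0x30, encode_oid(sig_oid) + b"\x05\x00")        # AlgorithmIdentifier with NULL params
    empty_name = der_wrap(0x30, b"")
    validity = der_wrap(0x30, der_wrap(0x17, b"140101000000Z") + der_wrap(0x17, not_after_utctime))
    tbs = der_wrap(0x30, der_wrap(0xA0, b"\x02\x01\x02") + der_wrap(0x02, b"\x01")
                   + alg + empty_name + validity + empty_name + der_wrap(0x30, b""))
    return der_wrap(0x30, tbs + alg + der_wrap(0x03, b"\x00"))

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        info = inspect_certificate(build_sample_certificate(oid, b"170601000000Z"))
        print(info["signature_algorithm"], info["not_after"].date(), "Chrome 39 warning:", chrome39_warns(info))
```

To run it against a real server certificate, export the certificate as PEM and call `inspect_certificate(load_pem(open(path).read()))`. The check is per certificate, so run it on each intermediate in the chain as well as the leaf; a browser warning can come from any SHA-1 signed link. A SHA-2 signed certificate does not by itself change which cipher suites or protocol versions the server negotiates, which is why a certificate swap alone can still leave a scan report unchanged on those points.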

Oct 22, 2014 10:14 AM
1 Posts
POODLE vulnerability and SHA-2 strategy for IBM Domino
Hi all,

In case you haven't seen it in other threads or other communications media, we have released statements regarding our strategy for the POODLE vulnerability and SHA-2 support:

1687167: How is IBM Domino impacted by the POODLE attack?
http://www.ibm.com/support/docview.wss?uid=swg21687167
1418982: Planned SHA-2 deliveries for IBM Domino 9.x
http://www.ibm.com/support/docview.wss?uid=swg21418982


Hope this helps!
Oct 31, 2014 9:52 AM
5 Posts
We need these fixes NOW

NO, this does NOT help.

Releasing these fixes will help, but not the announcement.

And "next several weeks" is a very elastic term...

Nov 4, 2014 3:15 PM
18 Posts
Released?

Interim Fixes for TLS 1.0 and SHA-2 seem to have been released today.

Unfortunately, only some are already really downloadable.

The IF for Domino Win32, Win64, AIX and AIX64 are downloadable.

The IF for Domino xLinux, xLinux64, Notes (Client) and the KYRTool cannot be downloaded yet (attempting to do so leads to an error message).

I have not tested anything yet.

Nov 9, 2014 2:33 AM
18 Posts
Something better, something worse

TLS seems to work, but STARTTLS in the SMTP server seems to be broken. At least, our Symantec Messaging Gateway can no longer connect to our Domino servers and use STARTTLS; Domino's SMTP server seems to simply close the connection. I have opened a PMR.