ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Silent No More: IBM Makes Security Announcements on SHA-2, TLS, POODLE

Bill Malchisky  October 21 2014 08:45:00 AM
Today (21 Oct 14), IBM created a set of Technotes covering what appears to be a first step in helping soothe the customer and partner concern on the lack of offered direction and plan for resolving the SHA-1, TLS, and POODLE exploits that exist from years of community support and a yet to be implemented capability for increased security. I offer first step as no date for the patch is provided, just that they are stating their intentions and scope with a solution by year-end, which is my conjecture derived from their "several weeks" window statement. Recall that Google forced the hand by what appears to be an arbitrary cut-off for accepting SHA-1 SSL certificates in their browsers (and exempts customers who buy their SSL certificates from Google, I will add).

With IBM responding now, customers, partners --- including ISVs --- can now plan accordingly. Happy to have these documents. Thank you, IBM.


Here is what IBM offered

1. How is IBM Domino Affected by POODLE?
2. Planned SHA-2 Delivers for IBM Domino 9.x
3. As people will undoubtedly ask, Is it Possible to Run IBM HTTP Server (IHS) on the Same Computer as a Domino Server?


Notations

1. These SHA-2 fixes are for ND9 only, and do not work with 8.5.3 due to changes in the security model inherent to each build
2. The POODLE fix goes back to D8.5.1FP5
3. They are covering all the appropriate Internet protocols that your customers use

"With this Interim Fix, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP. With a SHA-2 certificate in place, users will be able to use a browser to connect to iNotes, XPages, traditional Domino Web apps, and Sametime (based on Domino HTTP)."




Comments

1Craig Wiseman  10/21/14 11:28:50 AM  Silent No More: IBM Makes Security Announcements on SHA-2, TLS, POODLE

Thanks, Bill, for you attention to this and the detailed info you posted and maintained.

A huge help for everyone.

cpw...

2Bill Malchisky  10/21/14 2:52:40 PM  Silent No More: IBM Makes Security Announcements on SHA-2, TLS, POODLE

You are welcome, Craig. I appreciate very much your kind words. Thank you, sir.

3Alan Head  10/22/14 4:43:06 AM  Silent No More: IBM Makes Security Announcements on SHA-2, TLS, POODLE

I echo Craig's sentiments - your summary of this issue has been invaluable to me in keeping my IT Security guys up to date with how Notes/Domino is affected - same applies to your stuff on Heartbleed.

Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

© 2010 William Malchisky.