TLS 1.2 support in Domino 9.0.1 Fix Pack 3 Interim Fix 2

by Volker Weber

Domino 9.0.1FP3IF2 — that's short for "Domino 9.0.1 Fix Pack 3 Interim Fix 2 (released March 27, 2015)" — introduces TLS 1.2 support. That is both important and overdue. Installing the Interim Fix is not enough. Daniel explains what settings need to be changed. It's complicated.

2015-03-31 :: email :: twitter :: qr code

Comments

Extremely overdue.
Looks like IBM finally woke up.

Manfred Wiktorin, 2015-03-31

And the IHS support in Domino 9 is called deprecated now. Fun for all those customers who recently migrated their SSL certificates from Domino kyr to IHS kdb and now can do the same in the opposite direction.

Oliver Regelmann, 2015-03-31

IHS is a bag of hurt. So i doubt that many customers would miss it.

Manfred Wiktorin, 2015-03-31

for people not in the know: nginx is a free and excellent alternative to IHS available for quite some time. It also does a lot more, and frees up Domino resources.

Google nginx and Domino to find the articles about how to set it up.

Lars Berntrop-Bos, 2015-04-01

Well it's not like Microsoft Exchange did a lot better: just a few days ago Cumulative Update 8 finally removed a hard-coded restriction that forced unsecure (SSLv3 or TLS1.0) email transportation...

http://support.microsoft.com/en-us/kb/3045301 (SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2013 environment)

Ralf ter Veer, 2015-04-01

Broken link. The link to Daniel's blog post has a typo in the URL. "fp2" instead of "fp3". Once I changed that, it worked.

Scott Vrusho, 2015-04-01

Thanks, Scott. Fixed. As you can imagine, I don't type URLs but copy them. Looks like Daniel changed a typo in the header which then changed the URL. All good now.

Volker Weber, 2015-04-01

Sorry I tried to just change the typo in the text but it also changed the link ...
There are more postings about the fixes and there are also new Wiki entries posted on the IBM Domino Wiki. I have updated my posts with that info as well.

And there is a presentation I did at Engage conference with some more details.

@Lars, not all options of the nginx solution are free. But it is a good product.
If you are running SMTP TLS Extension you might not have a proxy in front of your server and need the new TLS fixes.


-- Daniel

Daniel Nashed, 2015-04-02

Old vowe.net archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Paypal vowe