TLS 1.2 support in Domino 9.0.1 Fix Pack 3 Interim Fix 2
by Volker Weber
Domino 9.0.1FP3IF2 — that's short for "Domino 9.0.1 Fix Pack 3 Interim Fix 2 (released March 27, 2015)" — introduces TLS 1.2 support. That is both important and overdue. Installing the Interim Fix is not enough. Daniel explains what settings need to be changed. It's complicated.
Comments
Extremely overdue.
Looks like IBM finally woke up.
And the IHS support in Domino 9 is called deprecated now. Fun for all those customers who recently migrated their SSL certificates from Domino kyr to IHS kdb and now can do the same in the opposite direction.
IHS is a bag of hurt. So i doubt that many customers would miss it.
for people not in the know: nginx is a free and excellent alternative to IHS available for quite some time. It also does a lot more, and frees up Domino resources.
Google nginx and Domino to find the articles about how to set it up.
Well it's not like Microsoft Exchange did a lot better: just a few days ago Cumulative Update 8 finally removed a hard-coded restriction that forced unsecure (SSLv3 or TLS1.0) email transportation...
http://support.microsoft.com/en-us/kb/3045301 (SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2013 environment)
Broken link. The link to Daniel's blog post has a typo in the URL. "fp2" instead of "fp3". Once I changed that, it worked.
Thanks, Scott. Fixed. As you can imagine, I don't type URLs but copy them. Looks like Daniel changed a typo in the header which then changed the URL. All good now.
Sorry I tried to just change the typo in the text but it also changed the link ...
There are more postings about the fixes and there are also new Wiki entries posted on the IBM Domino Wiki. I have updated my posts with that info as well.
And there is a presentation I did at Engage conference with some more details.
@Lars, not all options of the nginx solution are free. But it is a good product.
If you are running SMTP TLS Extension you might not have a proxy in front of your server and need the new TLS fixes.
-- Daniel